Merge pull request #6210 from akallabeth/github_sec_cve_and_behaviour

GitHub sec cve and behaviour

CMakeLists.txt

@@ -936,10 +936,6 @@ if(MBEDTLS_FOUND)
 	add_definitions("-DWITH_MBEDTLS")
 endif()
 
-if (TARGET_ARCH MATCHES "sparc")
-	set(HAVE_ALIGNED_REQUIRED 1)
-endif()
-
 if (WITH_X264 OR WITH_OPENH264 OR WITH_MEDIA_FOUNDATION OR WITH_FFMPEG)
 	set(WITH_GFX_H264 ON)
 else()

channels/cliprdr/cliprdr_common.c

@@ -395,7 +395,6 @@ UINT cliprdr_read_file_contents_response(wStream* s, CLIPRDR_FILE_CONTENTS_RESPO
 UINT cliprdr_read_format_list(wStream* s, CLIPRDR_FORMAT_LIST* formatList, BOOL useLongFormatNames)
 {
 	UINT32 index;
-	size_t position;
 	BOOL asciiNames;
 	int formatNameLength;
 	char* szFormatName;

channels/drdynvc/client/drdynvc_main.c

@@ -347,6 +347,7 @@ static void dvcman_channel_free(void* arg)
 		if (channel->channel_callback)
 		{
 			IFCALL(channel->channel_callback->OnClose, channel->channel_callback);
+			channel->channel_callback = NULL;
 		}
 
 		if (channel->status == CHANNEL_RC_OK)
@@ -380,10 +381,24 @@ static void dvcman_channel_free(void* arg)
 	free(channel);
 }
 
+static void dvcman_clear(drdynvcPlugin* drdynvc, IWTSVirtualChannelManager* pChannelMgr)
+{
+	DVCMAN* dvcman = (DVCMAN*)pChannelMgr;
+
+	WINPR_UNUSED(drdynvc);
+
+	ArrayList_Clear(dvcman->plugins);
+	ArrayList_Clear(dvcman->channels);
+	ArrayList_Clear(dvcman->plugin_names);
+	ArrayList_Clear(dvcman->listeners);
+}
+
 static void dvcman_free(drdynvcPlugin* drdynvc, IWTSVirtualChannelManager* pChannelMgr)
 {
 	DVCMAN* dvcman = (DVCMAN*)pChannelMgr;
 
+	WINPR_UNUSED(drdynvc);
+
 	ArrayList_Free(dvcman->plugins);
 	ArrayList_Free(dvcman->channels);
 	ArrayList_Free(dvcman->plugin_names);
@@ -472,7 +487,6 @@ static UINT dvcman_create_channel(drdynvcPlugin* drdynvc, IWTSVirtualChannelMana
 	BOOL bAccept;
 	DVCMAN_CHANNEL* channel;
 	DrdynvcClientContext* context;
-	IWTSVirtualChannelCallback* pCallback;
 	DVCMAN* dvcman = (DVCMAN*)pChannelMgr;
 	UINT error;
 
@@ -493,10 +507,10 @@ static UINT dvcman_create_channel(drdynvcPlugin* drdynvc, IWTSVirtualChannelMana
 
 		if (strcmp(listener->channel_name, ChannelName) == 0)
 		{
+			IWTSVirtualChannelCallback* pCallback = NULL;
 			channel->iface.Write = dvcman_write_channel;
 			channel->iface.Close = dvcman_close_channel_iface;
 			bAccept = TRUE;
-			pCallback = NULL;
 
 			if ((error = listener->listener_callback->OnNewChannelConnection(
 			         listener->listener_callback, &channel->iface, NULL, &bAccept, &pCallback)) ==
@@ -1546,6 +1560,8 @@ static UINT drdynvc_virtual_channel_event_disconnected(drdynvcPlugin* drdynvc)
 		           WTSErrorToString(status), status);
 	}
 
+	dvcman_clear(drdynvc, drdynvc->channel_mgr);
+	MessageQueue_Clear(drdynvc->queue);
 	drdynvc->OpenHandle = 0;
 
 	if (drdynvc->data_in)

channels/rail/client/rail_orders.c

@@ -49,8 +49,7 @@ UINT rail_send_pdu(railPlugin* rail, wStream* s, UINT16 orderType)
 	rail_write_pdu_header(s, orderType, orderLength);
 	Stream_SetPosition(s, orderLength);
 	WLog_Print(rail->log, WLOG_DEBUG, "Sending %s PDU, length: %" PRIu16 "",
-	           RAIL_ORDER_TYPE_STRINGS[((orderType & 0xF0) >> 3) + (orderType & 0x0F)],
-	           orderLength);
+	           rail_get_order_type_string(orderType), orderLength);
 	return rail_send_channel_data(rail, s);
 }
 
@@ -926,8 +925,7 @@ UINT rail_order_recv(railPlugin* rail, wStream* s)
 	}
 
 	WLog_Print(rail->log, WLOG_DEBUG, "Received %s PDU, length:%" PRIu16 "",
-	           RAIL_ORDER_TYPE_STRINGS[((orderType & 0xF0) >> 3) + (orderType & 0x0F)],
-	           orderLength);
+	           rail_get_order_type_string(orderType), orderLength);
 
 	switch (orderType)
 	{

channels/rail/rail_common.c

@@ -27,29 +27,34 @@
 
 #define TAG CHANNELS_TAG("rail.common")
 
-const char* const RAIL_ORDER_TYPE_STRINGS[] = { "",
-	                                            "Execute",
-	                                            "Activate",
-	                                            "System Parameters Update",
-	                                            "System Command",
-	                                            "Handshake",
-	                                            "Notify Event",
-	                                            "",
-	                                            "Window Move",
-	                                            "Local Move/Size",
-	                                            "Min Max Info",
-	                                            "Client Status",
-	                                            "System Menu",
-	                                            "Language Bar Info",
-	                                            "Get Application ID Request",
-	                                            "Get Application ID Response",
-	                                            "Execute Result",
-	                                            "",
-	                                            "",
-	                                            "",
-	                                            "",
-	                                            "",
-	                                            "" };
+static const char* const RAIL_ORDER_TYPE_STRINGS[] = { "",
+	                                                   "Execute",
+	                                                   "Activate",
+	                                                   "System Parameters Update",
+	                                                   "System Command",
+	                                                   "Handshake",
+	                                                   "Notify Event",
+	                                                   "",
+	                                                   "Window Move",
+	                                                   "Local Move/Size",
+	                                                   "Min Max Info",
+	                                                   "Client Status",
+	                                                   "System Menu",
+	                                                   "Language Bar Info",
+	                                                   "Get Application ID Request",
+	                                                   "Get Application ID Response",
+	                                                   "Execute Result",
+	                                                   "",
+	                                                   "",
+	                                                   "",
+	                                                   "",
+	                                                   "",
+	                                                   "" };
+
+const char* rail_get_order_type_string(BYTE orderType)
+{
+	return RAIL_ORDER_TYPE_STRINGS[((orderType & 0xF0) >> 3) + (orderType & 0x0F)];
+}
 
 /**
  * Function description

channels/rail/rail_common.h

@@ -26,7 +26,7 @@
 
 #include <freerdp/rail.h>
 
-extern const char* const RAIL_ORDER_TYPE_STRINGS[];
+const char* rail_get_order_type_string(BYTE orderType);
 
 #define RAIL_PDU_HEADER_LENGTH 4
 

channels/rail/server/rail_main.c

@@ -71,8 +71,8 @@ UINT rail_send_pdu(RailServerContext* context, wStream* s, UINT16 orderType)
 	Stream_SetPosition(s, 0);
 	rail_write_pdu_header(s, orderType, orderLength);
 	Stream_SetPosition(s, orderLength);
-	WLog_DBG(TAG, "Sending %s PDU, length: %" PRIu16 "",
-	         RAIL_ORDER_TYPE_STRINGS[((orderType & 0xF0) >> 3) + (orderType & 0x0F)], orderLength);
+	WLog_DBG(TAG, "Sending %s PDU, length: %" PRIu16 "", rail_get_order_type_string(orderType),
+	         orderLength);
 	return rail_send(context, s, orderLength);
 }
 
@@ -1573,8 +1573,8 @@ UINT rail_server_handle_messages(RailServerContext* context)
 		return ERROR_INTERNAL_ERROR;
 	}
 
-	WLog_DBG(TAG, "Received %s PDU, length:%" PRIu16 "",
-	         RAIL_ORDER_TYPE_STRINGS[((orderType & 0xF0) >> 3) + (orderType & 0x0F)], orderLength);
+	WLog_DBG(TAG, "Received %s PDU, length:%" PRIu16 "", rail_get_order_type_string(orderType),
+	         orderLength);
 
 	switch (orderType)
 	{

channels/rdpgfx/client/rdpgfx_main.c

@@ -1826,12 +1826,6 @@ static UINT rdpgfx_on_close(IWTSVirtualChannelCallback* pChannelCallback)
 	free_surfaces(context, gfx->SurfaceTable);
 	evict_cache_slots(context, gfx->MaxCacheSlots, gfx->CacheSlots);
 
-	if (gfx->listener_callback)
-	{
-		free(gfx->listener_callback);
-		gfx->listener_callback = NULL;
-	}
-
 	free(callback);
 	gfx->UnacknowledgedFrames = 0;
 	gfx->TotalDecodedFrames = 0;

client/common/file.c

@@ -203,6 +203,7 @@ struct rdp_file
 	DWORD flags;
 };
 
+static void freerdp_client_file_string_check_free(LPSTR str);
 /*
  * Set an integer in a rdpFile
  *
@@ -841,15 +842,16 @@ BOOL freerdp_client_parse_rdp_file_ex(rdpFile* file, const char* name, rdp_file_
 	return status;
 }
 
-#define FILE_POPULATE_STRING(_target, _setting) \
-	do                                          \
-	{                                           \
-		if (_setting)                           \
-		{                                       \
-			_target = _strdup(_setting);        \
-			if (!_target)                       \
-				return FALSE;                   \
-		}                                       \
+#define FILE_POPULATE_STRING(_target, _setting)             \
+	do                                                      \
+	{                                                       \
+		if (_setting)                                       \
+		{                                                   \
+			freerdp_client_file_string_check_free(_target); \
+			_target = _strdup(_setting);                    \
+			if (!_target)                                   \
+				return FALSE;                               \
+		}                                                   \
 	} while (0)
 
 BOOL freerdp_client_populate_rdp_file_from_settings(rdpFile* file, const rdpSettings* settings)

config.h.in

@@ -26,7 +26,6 @@
 #cmakedefine HAVE_EXECINFO_H
 
 /* Features */
-#cmakedefine HAVE_ALIGNED_REQUIRED
 #cmakedefine SWRESAMPLE_FOUND
 #cmakedefine AVRESAMPLE_FOUND
 

libfreerdp/codec/clear.c

@@ -783,7 +783,7 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32
 			if (vBarUpdate)
 			{
 				UINT32 x;
-				BYTE* pSrcPixel;
+				BYTE* pSrcPixel = NULL;
 				BYTE* dstBuffer;
 
 				if (clear->VBarStorageCursor >= CLEARCODEC_VBAR_SIZE)
@@ -826,8 +826,9 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32
 				if ((y + count) > vBarPixelCount)
 					count = (vBarPixelCount > y) ? (vBarPixelCount - y) : 0;
 
-				pSrcPixel =
-				    &vBarShortEntry->pixels[(y - vBarYOn) * GetBytesPerPixel(clear->format)];
+				if (count > 0)
+					pSrcPixel =
+					    &vBarShortEntry->pixels[(y - vBarYOn) * GetBytesPerPixel(clear->format)];
 
 				for (x = 0; x < count; x++)
 				{

libfreerdp/codec/interleaved.c

@@ -272,11 +272,7 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix)
 #define WHITE_PIXEL 0xFFFF
 #define DESTWRITEPIXEL(_buf, _pix) write_pixel_16(_buf, _pix)
 #define DESTREADPIXEL(_pix, _buf) _pix = ((UINT16*)(_buf))[0]
-#ifdef HAVE_ALIGNED_REQUIRED
 #define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8)
-#else
-#define SRCREADPIXEL(_pix, _buf) _pix = ((UINT16*)(_buf))[0]
-#endif
 #define DESTNEXTPIXEL(_buf) _buf += 2
 #define SRCNEXTPIXEL(_buf) _buf += 2
 #define WRITEFGBGIMAGE WriteFgBgImage16to16

libfreerdp/codec/mppc.c

@@ -772,11 +772,15 @@ void mppc_context_reset(MPPC_CONTEXT* mppc, BOOL flush)
 	ZeroMemory(&(mppc->MatchBuffer), sizeof(mppc->MatchBuffer));
 
 	if (flush)
+	{
 		mppc->HistoryOffset = mppc->HistoryBufferSize + 1;
+		mppc->HistoryPtr = mppc->HistoryBuffer;
+	}
 	else
+	{
 		mppc->HistoryOffset = 0;
-
 	mppc->HistoryPtr = &(mppc->HistoryBuffer[mppc->HistoryOffset]);
+	}
 }
 
 MPPC_CONTEXT* mppc_context_new(DWORD CompressionLevel, BOOL Compressor)

libfreerdp/codec/ncrush.c

@@ -1926,9 +1926,9 @@ static INLINE UINT16 get_word(const BYTE* data)
 static INLINE UINT32 get_dword(const BYTE* data)
 {
 	UINT32 tmp = *data++;
-	tmp |= *data++ << 8U;
-	tmp |= *data++ << 16U;
-	tmp |= *data++ << 24U;
+	tmp |= (UINT32)*data++ << 8U;
+	tmp |= (UINT32)*data++ << 16U;
+	tmp |= (UINT32)*data++ << 24U;
 	return tmp;
 }
 

libfreerdp/codec/nsc.c

@@ -113,14 +113,12 @@ static BOOL nsc_decode(NSC_CONTEXT* context)
 
 static BOOL nsc_rle_decode(BYTE* in, BYTE* out, UINT32 outSize, UINT32 originalSize)
 {
-	UINT32 len;
-	UINT32 left;
-	BYTE value;
-	left = originalSize;
+	UINT32 left = originalSize;
 
 	while (left > 4)
 	{
-		value = *in++;
+		const BYTE value = *in++;
+		UINT32 len = 0;
 
 		if (left == 5)
 		{
@@ -143,8 +141,10 @@ static BOOL nsc_rle_decode(BYTE* in, BYTE* out, UINT32 outSize, UINT32 originalS
 			else
 			{
 				in++;
-				len = *((UINT32*)in);
-				in += 4;
+				len = ((UINT32)(*in++));
+				len |= ((UINT32)(*in++)) << 8U;
+				len |= ((UINT32)(*in++)) << 16U;
+				len |= ((UINT32)(*in++)) << 24U;
 			}
 
 			if (outSize < len)

libfreerdp/codec/planar.c

@@ -1170,7 +1170,6 @@ BYTE* freerdp_bitmap_planar_delta_encode_plane(const BYTE* inPlane, UINT32 width
                                                BYTE* outPlane)
 {
 	char s2c;
-	INT32 delta;
 	UINT32 y, x;
 	BYTE* outPtr;
 	const BYTE *srcPtr, *prevLinePtr;
@@ -1194,9 +1193,9 @@ BYTE* freerdp_bitmap_planar_delta_encode_plane(const BYTE* inPlane, UINT32 width
 	{
 		for (x = 0; x < width; x++, outPtr++, srcPtr++, prevLinePtr++)
 		{
-			delta = *srcPtr - *prevLinePtr;
+			INT32 delta = *srcPtr - *prevLinePtr;
 			s2c = (delta >= 0) ? (char)delta : (char)(~((BYTE)(-delta)) + 1);
-			s2c = (s2c >= 0) ? (s2c << 1) : (char)(((~((BYTE)s2c) + 1) << 1) - 1);
+			s2c = (s2c >= 0) ? ((UINT32)s2c << 1) : (char)(((UINT32)(~((BYTE)s2c) + 1) << 1) - 1);
 			*outPtr = (BYTE)s2c;
 		}
 	}

libfreerdp/codec/progressive.c

@@ -1183,7 +1183,7 @@ static INLINE int progressive_rfx_upgrade_block(RFX_PROGRESSIVE_UPGRADE_STATE* s
 			sign[index] = input;
 		}
 
-		buffer[index] += (input << shift);
+		buffer[index] += (INT16)((UINT32)input << shift);
 	}
 
 	return 1;