From d61f83160d025d6165a861b93a929004ac5d3c0e Mon Sep 17 00:00:00 2001
From: zuoan <531186548@bupt.edu.cn>
Date: Fri, 3 Mar 2023 19:41:51 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2022-39319=20=E5=AE=89=E5=85=A8=E6=9B=B4?= =?UTF-8?q?=E6=96=B0:=20FreeRDP=E5=AD=98=E5=9C=A8=E7=BC=93=E5=86=B2?= =?UTF-8?q?=E5=8C=BA=E9=94=99=E8=AF=AF=E6=BC=8F=E6=B4=9E=EF=BC=8C=E8=AF=A5?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E6=BA=90=E4=BA=8E=E2=80=9Curbdrc=E2=80=9D?= =?UTF-8?q?=E9=80=9A=E9=81=93=E4=B8=AD=E7=BC=BA=E5=B0=91=E8=BE=93=E5=85=A5?= =?UTF-8?q?=E9=95=BF=E5=BA=A6=E9=AA=8C=E8=AF=81=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 channels/urbdrc/client/data_transfer.c | 24 ++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 30 insertions(+)
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index 6987961..61df03f 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
 Stream_Read_UINT32(s, OutputBufferSize);
 Stream_Read_UINT32(s, RequestId);
+
+ if (OutputBufferSize > UINT32_MAX - 4)
+ return ERROR_INVALID_DATA;
+
 InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
 out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
@@ -673,7 +677,11 @@ static UINT urb_control_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
 buffer = Stream_Pointer(out);
 if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ return ERROR_INVALID_DATA;
 Stream_Copy(s, out, OutputBufferSize);
+ }
 /** process TS_URB_CONTROL_TRANSFER */
 if (!pdev->control_transfer(pdev, RequestId, EndpointAddress, TransferFlags, bmRequestType,
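Review bot: The guard added in urbdrc_process_io_control only stops `OutputBufferSize + 4` from wrapping; every value up to UINT32_MAX - 4 is still accepted and passed to urb_create_iocompletion as a peer-chosen allocation size. The rejection is also silent, unlike the Stream_CheckAndLogRequiredLength calls in the other hunks, so a malformed request leaves no trace in the client log. I would log before returning, e.g. `WLog_ERR(TAG, "invalid OutputBufferSize %" PRIu32, OutputBufferSize);`, and consider an upper bound derived from what the channel can legitimately return. The function continues outside the hunk, so how a failed allocation of `out` is handled cannot be checked here.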
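Review bot: The early `return ERROR_INVALID_DATA;` added in urb_control_transfer exits while `out` is still live (`buffer = Stream_Pointer(out);` is the context line just above), so each rejected request appears to leak the completion stream, and repeated malformed requests would grow client memory. The creation of `out` is outside the hunk; if this function owns it at this point, release it on the error path: `{ Stream_Free(out, TRUE); return ERROR_INVALID_DATA; }`. The check only proves that `s` holds OutputBufferSize bytes. Whether `out` has room for the copy depends on the allocation above the hunk and is worth confirming in the same review.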
@@ -720,6 +728,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
 Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
 Stream_Read_UINT32(s, OutputBufferSize);
 EndpointAddress = (PipeHandle & 0x000000ff);
+
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ {
+ return ERROR_INVALID_DATA;
+ }
+ }
+
 /** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
 return pdev->bulk_or_interrupt_transfer(
 pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck, 
@@ -804,6 +821,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
 packetDescriptorData = Stream_Pointer(s);
 Stream_Seek(s, NumberOfPackets * 12);
 Stream_Read_UINT32(s, OutputBufferSize);
+
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ return ERROR_INVALID_DATA;
+ }
+
 return pdev->isoch_transfer(
 pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame, ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
diff --git a/debian/changelog b/debian/changelog
index e50a406..2a4ff8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+freerdp2 (2.8.1-ok4) yangtze; urgency=medium
+
+ * wenlaoan CVE-2022-39319 安全更新: FreeRDP存在缓冲区错误漏洞,该漏洞源于“urbdrc”通道中缺少输入长度验证。
+
+ -- zuoan <531186548@bupt.edu.cn> Fri, 03 Mar 2023 19:40:55 +0800
+
 freerdp2 (2.8.1-ok3) yangtze; urgency=medium
 * kimjuncotton_y CVE-2022-39318 安全更新:FreeRDP存在安全漏洞,该漏洞源于“urbdrc”通道中缺少输入验证.
-- Gitee
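Review bot: In urb_bulk_or_interrupt_transfer the length check runs only for USBD_TRANSFER_DIRECTION_OUT, so for any other direction the peer-supplied OutputBufferSize reaches `pdev->bulk_or_interrupt_transfer` with no bound visible in this hunk. That is presumably intended, since only OUT requests carry payload bytes in `s`, but it should be stated, e.g. `/* Only OUT transfers carry OutputBufferSize bytes in s; for IN it is the requested reply size and has to be bounded by the callee. */`. The block added in urb_isoch_transfer has the same shape and would take the same comment. As a style point, the nested `if` with extra braces differs from the brace-less form in the other hunks; a single condition `transferDir == USBD_TRANSFER_DIRECTION_OUT && !Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize)` would read the same in all three places.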
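Review bot: The check added in urb_isoch_transfer sits after `Stream_Seek(s, NumberOfPackets * 12);` and `Stream_Read_UINT32(s, OutputBufferSize);`, and nothing in this hunk verifies that the stream holds the packet descriptors plus the 4-byte size before those two calls. Unless NumberOfPackets is validated above the hunk, the seek and the read can move past the received data, and the 32-bit multiplication can wrap for large values, leaving `packetDescriptorData` pointing at less data than the callee expects. A guard ahead of the seek would close this: `if (NumberOfPackets > (UINT32_MAX - 4) / 12 || !Stream_CheckAndLogRequiredLength(TAG, s, NumberOfPackets * 12 + 4)) return ERROR_INVALID_DATA;`. The start of the function is outside the hunk, so an existing check there would make this redundant.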