From d862b5b4eb33becbbda20310260305f2f4f10de8 Mon Sep 17 00:00:00 2001
From: lch <32248802@qq.com>
Date: Wed, 8 Mar 2023 16:51:46 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2022-39320=20=E5=AE=89=E5=85=A8=E6=9B=B4?=
 =?UTF-8?q?=E6=96=B0:=20FreeRDP=E5=8F=AF=E8=83=BD=E4=BC=9A=E5=9C=A8?=
 =?UTF-8?q?=E5=A4=AA=E7=AA=84=E7=9A=84=E7=B1=BB=E5=9E=8B=E4=B8=8A=E5=B0=9D?=
 =?UTF-8?q?=E8=AF=95=E6=95=B4=E6=95=B0=E5=8A=A0=E6=B3=95=EF=BC=8C=E8=BF=99?=
 =?UTF-8?q?=E4=BC=9A=E5=AF=BC=E8=87=B4=E7=BC=93=E5=86=B2=E5=8C=BA=E7=9A=84?=
 =?UTF-8?q?=E5=88=86=E9=85=8D=E5=A4=AA=E5=B0=8F=EF=BC=8C=E6=97=A0=E6=B3=95?=
 =?UTF-8?q?=E5=AE=B9=E7=BA=B3=E5=86=99=E5=85=A5=E7=9A=84=E6=95=B0=E6=8D=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 channels/urbdrc/client/data_transfer.c |  8 +++-
 debian/changelog                       | 52 ++++++++++++++------------
 2 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index 61df03f..ed6ccf3 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -97,7 +97,13 @@ static wStream* urb_create_iocompletion(UINT32 InterfaceField, UINT32 MessageId,
                                         UINT32 OutputBufferSize)
 {
 	const UINT32 InterfaceId = (STREAM_ID_PROXY << 30) | (InterfaceField & 0x3FFFFFFF);
-	wStream* out = Stream_New(NULL, OutputBufferSize + 28);
+
+#if UINT32_MAX >= SIZE_MAX
+	if (OutputBufferSize > UINT32_MAX - 28ull)
+		return NULL;
+#endif
+
+	wStream* out = Stream_New(NULL, OutputBufferSize + 28ull);
 
 	if (!out)
 		return NULL;
diff --git a/debian/changelog b/debian/changelog
index 2a4ff8c..521a940 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,23 +1,29 @@
-freerdp2 (2.8.1-ok4) yangtze; urgency=medium
-
-  * wenlaoan CVE-2022-39319 安全更新: FreeRDP存在缓冲区错误漏洞，该漏洞源于“urbdrc”通道中缺少输入长度验证。
-
- -- zuoan <531186548@bupt.edu.cn>  Fri, 03 Mar 2023 19:40:55 +0800
-
-freerdp2 (2.8.1-ok3) yangtze; urgency=medium
-
-  * kimjuncotton_y CVE-2022-39318 安全更新:FreeRDP存在安全漏洞，该漏洞源于“urbdrc”通道中缺少输入验证.
-
- -- yanggao <yang_gao@bupt.edu.cn>  Thu, 02 Mar 2023 15:47:32 +0800
-
-freerdp2 (2.8.1-ok2) yangtze; urgency=medium
-
-  * kimjuncotton_y CVE-2022-39316、CVE-2022-39317 安全更新：FreeRDP 缓冲区错误漏洞.
-
- -- yanggao <yang_gao@bupt.edu.cn>  Fri, 24 Feb 2023 12:28:51 +0800
-
-freerdp2 (2.8.1-ok1) yangtze; urgency=medium
-
-  * Build for openKylin.
-
- -- zhouganqing <zhouganqing@kylinos.cn>  Mon, 21 Nov 2022 14:41:39 +0800
+freerdp2 (2.8.1-ok5) yangtze; urgency=low
+
+  * mcdonaldsburger CVE-2022-39320 安全更新: FreeRDP可能会在太窄的类型上尝试整数加法，这会导致缓冲区的分配太小，无法容纳写入的数据
+
+ -- lch <o_o@bupt.edu.cn>  Wed, 08 Mar 2023 16:46:00 +0800
+
+freerdp2 (2.8.1-ok4) yangtze; urgency=medium
+
+  * wenlaoan CVE-2022-39319 安全更新: FreeRDP存在缓冲区错误漏洞，该漏洞源于“urbdrc”通道中缺少输入长度验证。
+
+ -- zuoan <531186548@bupt.edu.cn>  Fri, 03 Mar 2023 19:40:55 +0800
+
+freerdp2 (2.8.1-ok3) yangtze; urgency=medium
+
+  * kimjuncotton_y CVE-2022-39318 安全更新:FreeRDP存在安全漏洞，该漏洞源于“urbdrc”通道中缺少输入验证.
+
+ -- yanggao <yang_gao@bupt.edu.cn>  Thu, 02 Mar 2023 15:47:32 +0800
+
+freerdp2 (2.8.1-ok2) yangtze; urgency=medium
+
+  * kimjuncotton_y CVE-2022-39316、CVE-2022-39317 安全更新：FreeRDP 缓冲区错误漏洞.
+
+ -- yanggao <yang_gao@bupt.edu.cn>  Fri, 24 Feb 2023 12:28:51 +0800
+
+freerdp2 (2.8.1-ok1) yangtze; urgency=medium
+
+  * Build for openKylin.
+
+ -- zhouganqing <zhouganqing@kylinos.cn>  Mon, 21 Nov 2022 14:41:39 +0800
\ No newline at end of file
-- 
Gitee