From 5f8d0e700857a40117bd7fb7ce70a9172db8ac5d Mon Sep 17 00:00:00 2001 From: yanggao Date: Fri, 24 Feb 2023 12:29:52 +0800 Subject: [PATCH] =?UTF-8?q?CVE-2022-39316=E3=80=81CVE-2022-39317=20?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=9B=B4=E6=96=B0=EF=BC=9AFreeRDP=20?= =?UTF-8?q?=E7=BC=93=E5=86=B2=E5=8C=BA=E9=94=99=E8=AF=AF=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- debian/changelog | 6 ++++++ libfreerdp/codec/zgfx.c | 11 +++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index 850379e..e866805 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +freerdp2 (2.8.1-ok2) yangtze; urgency=medium + + * kimjuncotton_y CVE-2022-39316、CVE-2022-39317 安全更新:FreeRDP 缓冲区错误漏洞. + + -- yanggao Fri, 24 Feb 2023 12:28:51 +0800 + freerdp2 (2.8.1-ok1) yangtze; urgency=medium * Build for openKylin. diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c index 20fbd35..e260aa6 100644 --- a/libfreerdp/codec/zgfx.c +++ b/libfreerdp/codec/zgfx.c @@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t BYTE* pbSegment; size_t cbSegment; - if (!zgfx || !stream) + if (!zgfx || !stream || (segmentSize < 2)) return FALSE; cbSegment = segmentSize - 1; - if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) || - (segmentSize > UINT32_MAX)) + if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX)) return FALSE; Stream_Read_UINT8(stream, flags); /* header (1 byte) */ zgfx->OutputCount = 0; pbSegment = Stream_Pointer(stream); - Stream_Seek(stream, cbSegment); + if (!Stream_SafeSeek(stream, cbSegment)) + return FALSE; if (!(flags & PACKET_COMPRESSED)) { 
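Review bot: The `(segmentSize < 2)` test added to the first guard of `zgfx_decompress_segment` carries no explanation, and the literal 2 reads as arbitrary next to `cbSegment = segmentSize - 1`. Presumably the segment must hold the flags byte plus at least one payload byte because the compressed path, which lies outside this hunk, reads the payload's last byte; a comment such as `/* 1 header byte + at least 1 payload byte, so cbSegment >= 1 */` above the check would record that. The same test now also rejects header-only segments that the old `segmentSize < 1` check accepted, including uncompressed ones, so it is worth confirming that no supported peer sends an empty segment. The function body continues past the end of the hunk.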
@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount) return FALSE; + if (count > zgfx->cBitsRemaining / 8) + return FALSE; + CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent, count); zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
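Review bot: The new bound `count > zgfx->cBitsRemaining / 8` is only as reliable as `cBitsRemaining`, which is assigned and decremented outside this hunk. If that field is unsigned and is derived by subtraction from values taken from the segment, a wrapped value would pass this check and the `CopyMemory` from `zgfx->pbInputCurrent` could still read past the input. Please confirm that those computations are guarded against underflow. A comment above the check, e.g. `/* source side: count bytes must still be available in the input segment */`, would also make clear that it complements the preceding destination-side check on `OutputBuffer`. The enclosing loop starts and ends outside the hunk.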