CVE-2022-39316、CVE-2022-39317 安全更新：FreeRDP 缓冲区错误漏洞.

debian/changelog

@@ -1,3 +1,9 @@
+freerdp2 (2.8.1-ok2) yangtze; urgency=medium
+
+  * kimjuncotton_y CVE-2022-39316、CVE-2022-39317 安全更新：FreeRDP 缓冲区错误漏洞.
+
+ -- yanggao <yang_gao@bupt.edu.cn>  Fri, 24 Feb 2023 12:28:51 +0800
+
 freerdp2 (2.8.1-ok1) yangtze; urgency=medium
 
   * Build for openKylin.

libfreerdp/codec/zgfx.c

@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
 	BYTE* pbSegment;
 	size_t cbSegment;
 
-	if (!zgfx || !stream)
+	if (!zgfx || !stream || (segmentSize < 2))
 		return FALSE;
 
 	cbSegment = segmentSize - 1;
 
-	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
-	    (segmentSize > UINT32_MAX))
+	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
 		return FALSE;
 
 	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
 	zgfx->OutputCount = 0;
 	pbSegment = Stream_Pointer(stream);
-	Stream_Seek(stream, cbSegment);
+	if (!Stream_SafeSeek(stream, cbSegment))
+		return FALSE;
 
 	if (!(flags & PACKET_COMPRESSED))
 	{
@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
 							return FALSE;
 
+						if (count > zgfx->cBitsRemaining / 8)
+							return FALSE;
+
 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
 						           count);
 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);