From 91ccc81b00c58d7932e14fdacda4e95cec0a9c79 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Sat, 19 Nov 2022 02:44:17 +0800
Subject: [PATCH] CVE-2022-39319
(cherry picked from commit 8c1bdb7d4f578fd4cfbe21704e375c2c9c3b232c)
---
 CVE-2022-39319.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++
 freerdp.spec | 6 ++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-39319.patch
diff --git a/CVE-2022-39319.patch b/CVE-2022-39319.patch
new file mode 100644
index 0000000..5f20d7b
--- /dev/null
+++ b/CVE-2022-39319.patch
@@ -0,0 +1,55 @@
+From 11555828d2cf289b350baba5ad1f462f10b80b76 Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Thu, 13 Oct 2022 08:47:51 +0200
+Subject: [PATCH] Fixed missing input buffer length check in urbdrc
+
+(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
+---
+ channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index d8725c02cf3..aabeef84752 100644
+--- a/channels/urbdrc/client/data_transfer.c
++++ b/channels/urbdrc/client/data_transfer.c
+@@ -247,6 +247,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
+
+ Stream_Read_UINT32(s, OutputBufferSize);
+ Stream_Read_UINT32(s, RequestId);
++
++ if (OutputBufferSize > UINT32_MAX - 4)
++ return ERROR_INVALID_DATA;
++
+ InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
+ out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
+
+@@ -726,6 +730,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
+ Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
+ Stream_Read_UINT32(s, OutputBufferSize);
+ EndpointAddress = (PipeHandle & 0x000000ff);
++
++ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
++ {
++ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
++ {
++ return ERROR_INVALID_DATA;
++ }
++ }
++
+ /** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
+ return pdev->bulk_or_interrupt_transfer(
+ pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
+@@ -810,6 +823,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
+ packetDescriptorData = Stream_Pointer(s);
+ Stream_Seek(s, NumberOfPackets * 12);
+ Stream_Read_UINT32(s, OutputBufferSize);
++
++ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
++ {
++ if (!Stream_CheckAndLogRequiredLength(TAG, s, 
OutputBufferSize))
++ return ERROR_INVALID_DATA;
++ }
++
+ return pdev->isoch_transfer(
+ pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
+ ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
diff --git a/freerdp.spec b/freerdp.spec
index 69b57b8..8a55d77 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -1,6 +1,6 @@
 Name: freerdp
 Version: 2.8.1
-Release: 1
+Release: 2
 Epoch: 2
 Summary: A Remote Desktop Protocol Implementation
 License: Apache-2.0
@@ -8,6 +8,7 @@ URL: http://www.freerdp.com
 Source0: https://github.com/FreeRDP/FreeRDP/archive/refs/tags/%{version}.tar.gz
 Patch0001: Fix-freerdp-shadow-cli-exit-codes-for-help-and-version.patch
+Patch0002: CVE-2022-39319.patch
 BuildRequires: gcc gcc-c++ alsa-lib-devel cmake >= 2.8 cups-devel gsm-devel libXrandr-devel libXv-devel
 BuildRequires: libjpeg-turbo-devel libjpeg-turbo-devel libX11-devel libXcursor-devel libxkbfile-devel
@@ -137,6 +138,9 @@ echo "%{_libdir}/freerdp2" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_
 %{_mandir}/*/*
 %changelog
+* Mon Nov 21 2022 liyuxiang - 2:2.8.1-2
+- Fix CVE-2022-39319
+
 * Thu Oct 20 2022 jiangpeng - 2:2.8.1-1
 - Upgrade to 2.8.1
 - Fix CVE-2022-39282
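Review bot: In the urb_isoch_transfer hunk of the embedded patch, the new check covers `OutputBufferSize` but runs only after `Stream_Seek(s, NumberOfPackets * 12)`, and nothing in the visible context bounds `NumberOfPackets` or keeps that multiplication from wrapping if it is done in 32 bits. The function starts and ends outside the hunk, so a guard may already sit above these lines; if it does not, or if it is computed in a 32-bit type, the seek should be preceded by something like `if (!Stream_CheckAndLogRequiredLength(TAG, s, NumberOfPackets * 12ull + 4ull)) return ERROR_INVALID_DATA;`. Separately, both new length checks (here and in urb_bulk_or_interrupt_transfer) apply only when `transferDir == USBD_TRANSFER_DIRECTION_OUT`, and the urbdrc_process_io_control check only prevents `OutputBufferSize + 4` from wrapping, so in those paths a peer-supplied `OutputBufferSize` is passed on as received. Whether `urb_create_iocompletion` and the `pdev` callbacks cap that size is not shown here and is worth confirming against the 2.8.1 tree this patch is applied to.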