Version in base suite: 2.0.0~git20190204.1.2693389a+dfsg1-1 Base version: freerdp2_2.0.0~git20190204.1.2693389a+dfsg1-1 Target version: freerdp2_2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/freerdp2/freerdp2_2.0.0~git20190204.1.2693389a+dfsg1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/freerdp2/freerdp2_2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1.dsc changelog | 8 + patches/0001_CVE-2019-17177.patch | 171 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 180 insertions(+)
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog 2019-02-04 09:04:45.000000000 +0000
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog 2019-12-16 10:36:02.000000000 +0000
@@ -1,3 +1,11 @@
+freerdp2 (2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * debian/patches:
+ + Add 0001_CVE-2019-17177.patch. Fix realloc return handling.
+ (CVE-2019-17177).
+
+ -- Mike Gabriel Mon, 16 Dec 2019 11:36:02 +0100
+
 freerdp2 (2.0.0~git20190204.1.2693389a+dfsg1-1) unstable; urgency=medium
 
 * Import Git snapshot for 2.0.0-2693389a (post ~rc4) from upstream:
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch 1970-01-01 00:00:00.000000000 +0000
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch 2019-12-16 10:35:50.000000000 +0000
@@ -0,0 +1,171 @@
+From fc80ab45621bd966f70594c0b7393ec005a94007 Mon Sep 17 00:00:00 2001
+From: Armin Novak
+Date: Fri, 4 Oct 2019 14:49:30 +0200
+Subject: [PATCH] Fixed #5645: realloc return handling
+
+---
+ client/X11/generate_argument_docbook.c | 33 +++++++++++++++++++++-----
+ libfreerdp/codec/region.c | 20 ++++++++++++----
+ winpr/libwinpr/utils/lodepng/lodepng.c | 6 ++++-
+ 3 files changed, 48 insertions(+), 11 deletions(-)
+
+--- a/client/X11/generate_argument_docbook.c
++++ b/client/X11/generate_argument_docbook.c
+@@ -9,6 +9,7 @@
+ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ {
+ LPSTR tmp = NULL;
++ LPSTR tmp2 = NULL;
+ size_t cs = 0, x, ds, len;
+ size_t s;
+
+@@ -25,7 +26,12 @@
+ ds = s + 1;
+
+ if (s)
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ {
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
++ }
+
+ if (NULL == tmp)
+ {
+@@ -43,7 +49,10 @@
+ case '<':
+ len = format ? 13 : 4;
+ ds += len - 1;
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
+
+ if (NULL == tmp)
+ {
+@@ -64,7 +73,10 @@
+ case '>':
+ len = format ? 14 : 4;
+ ds += len - 1;
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
+
+ if (NULL == tmp)
+ {
+@@ -84,7 +96,10 @@
+
+ case '\'':
+ ds += 5;
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
+
+ if (NULL == tmp)
+ {
+@@ -102,7 +117,10 @@
+
+ case '"':
+ ds += 5;
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
+
+ if (NULL == tmp)
+ {
+@@ -120,7 +138,10 @@
+
+ case '&':
+ ds += 4;
+- tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++ if (!tmp2)
++ free(tmp);
++ tmp = tmp2;
+
+ if (NULL == tmp)
+ {
+--- a/libfreerdp/codec/region.c
++++ b/libfreerdp/codec/region.c
+@@ -469,8 +469,12 @@
+
+ if (finalNbRects != nbRects)
+ {
+- int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
+- region->data = realloc(region->data, allocSize);
++ REGION16_DATA* data;
++ size_t allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
++ data = realloc(region->data, allocSize);
++ if (!data)
++ free(region->data);
++ region->data = data;
+
+ if (!region->data)
+ {
+@@ -487,6 +491,7 @@
+
+ BOOL region16_union_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++ REGION16_DATA* data;
+ const RECTANGLE_16* srcExtents;
+ RECTANGLE_16* dstExtents;
+ const RECTANGLE_16* currentBand, *endSrcRect, *nextBand;
+@@ -675,7 +680,10 @@
+ dstExtents->bottom = MAX(rect->bottom, srcExtents->bottom);
+ dstExtents->right = MAX(rect->right, srcExtents->right);
+ newItems->size = sizeof(REGION16_DATA) + (usedRects * sizeof(RECTANGLE_16));
+- dst->data = realloc(newItems, newItems->size);
++ data = realloc(newItems, newItems->size);
++ if (!data)
++ free(dst->data);
++ dst->data = data;
+
+ if (!dst->data)
+ {
+@@ -719,6 +727,7 @@
+
+ BOOL region16_intersect_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++ REGION16_DATA* data;
+ REGION16_DATA* newItems;
+ const RECTANGLE_16* srcPtr, *endPtr, *srcExtents;
+ RECTANGLE_16* dstPtr;
+@@ -791,7 +800,10 @@
+ if (dst->data->size)
+ free(dst->data);
+
+- dst->data = realloc(newItems, newItems->size);
++ data = realloc(newItems, newItems->size);
++ if (!data)
++ free(dst->data);
++ dst->data = data;
+
+ if (!dst->data)
+ {
+--- a/winpr/libwinpr/utils/lodepng/lodepng.c
++++ b/winpr/libwinpr/utils/lodepng/lodepng.c
+@@ -840,11 +840,15 @@
+ static unsigned HuffmanTree_makeFromFrequencies(HuffmanTree* tree, const unsigned* frequencies,
+ size_t mincodes, size_t numcodes, unsigned maxbitlen)
+ {
++ unsigned* lengths;
+ unsigned error = 0;
+ while(!frequencies[numcodes - 1] && numcodes > mincodes) numcodes--; /*trim zeroes*/
+ tree->maxbitlen = maxbitlen;
+ tree->numcodes = (unsigned)numcodes; /*number of symbols*/
+- tree->lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++ lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++ if (!lengths)
++ free(tree->lengths);
++ tree->lengths = lengths;
+ if(!tree->lengths) return 83; /*alloc fail*/
+ /*initialize all lengths to 0*/
+ memset(tree->lengths, 0, numcodes * sizeof(unsigned));
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series 2019-02-04 09:04:45.000000000 +0000
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series 2019-12-16 10:35:50.000000000 +0000
@@ -1 +1,2 @@
 1001_spelling-fixes.patch
+0001_CVE-2019-17177.patch
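Review bot: In the region16_intersect_rect hunk of libfreerdp/codec/region.c the new failure branch frees the wrong pointer: the context lines just above already run `if (dst->data->size) free(dst->data);`, so when `realloc(newItems, newItems->size)` fails, `free(dst->data)` releases that block a second time (or, when `size` is zero, a block the guard skipped, presumably because it is not heap-owned), while `newItems`, which a failed realloc leaves allocated, leaks. The branch should be `if (!data) free(newItems);`. The region16_union_rect hunk pairs `realloc(newItems, ...)` with `free(dst->data)` in the same way and at minimum leaks `newItems`; whether `dst->data` was already released there is outside the hunk. Both function bodies start and end outside the lines shown.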