From 192856cb59974ee4d7d3e72cbeafa676aa7565cf Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 30 Mar 2020 17:22:34 +0200
Subject: [PATCH] Fixed #6012: CVE-2020-11526: Out of bounds read in update_recv_orders

Thanks to @hac425xxx and Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/core/orders.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index fb8c3776e..275127bb7 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -3485,7 +3485,14 @@ static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flag
 Stream_Read_UINT16(s, orderLength); /* orderLength (2 bytes) */
 Stream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */
 Stream_Read_UINT8(s, orderType); /* orderType (1 byte) */
- next = Stream_Pointer(s) + ((INT16)orderLength) + 7;
+ if (Stream_GetRemainingLength(s) < orderLength + 7)
+ {
+ WLog_Print(update->log, WLOG_ERROR, "Stream_GetRemainingLength(s) %" PRIuz " < %" PRIu16,
+ Stream_GetRemainingLength(s), orderLength + 7);
+ return FALSE;
+ }
+
+ next = Stream_Pointer(s) + orderLength + 7;
 name = secondary_order_string(orderType);
 WLog_Print(update->log, WLOG_DEBUG, "Secondary Drawing Order %s", name);
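Review bot: The error log inside the new bounds check passes `orderLength + 7`, which is an `int` after integer promotion, to a `%" PRIu16 "` conversion. Where that macro expands to `hu`, an orderLength above 65528 would be printed modulo 65536, so the logged limit may show a small number instead of the real required length and mislead malformed-PDU triage. Computing the requirement once in `size_t` keeps the comparison and the message consistent: `const size_t need = (size_t)orderLength + 7;`, then `if (Stream_GetRemainingLength(s) < need)`, with `need` logged via `PRIuz`. A one-line comment saying where the 7 comes from, and that orderLength is now deliberately treated as unsigned (the removed `(INT16)` cast allowed a negative offset for `next`), would help the next reader. The function starts and ends outside this hunk, so it cannot be confirmed here whether the three `Stream_Read_*` calls (5 bytes) are themselves preceded by a length check.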