Fixed int overflow in PresentationContext_new

Thanks to hac425 CVE-2020-11038
akallabeth 2020-04-29 15:48:43 +02:00
parent dffd893dc5
commit 06c32f1700


@ -220,8 +220,14 @@ error_frames:
static PresentationContext* PresentationContext_new(VideoClientContext* video, BYTE PresentationId, static PresentationContext* PresentationContext_new(VideoClientContext* video, BYTE PresentationId,
UINT32 x, UINT32 y, UINT32 width, UINT32 height) UINT32 x, UINT32 y, UINT32 width, UINT32 height)
{ {
size_t s;
VideoClientContextPriv* priv = video->priv; VideoClientContextPriv* priv = video->priv;
PresentationContext* ret = calloc(1, sizeof(*ret)); PresentationContext* ret;
s = width * height * 4ULL;
if (s > INT32_MAX)
return NULL;
ret = calloc(1, sizeof(*ret));
if (!ret) if (!ret)
return NULL; return NULL;
@ -243,7 +249,7 @@ static PresentationContext* PresentationContext_new(VideoClientContext* video, B
goto error_currentSample; goto error_currentSample;
} }
ret->surfaceData = BufferPool_Take(priv->surfacePool, width * height * 4); ret->surfaceData = BufferPool_Take(priv->surfacePool, s);
if (!ret->surfaceData) if (!ret->surfaceData)
{ {
WLog_ERR(TAG, "unable to allocate surfaceData"); WLog_ERR(TAG, "unable to allocate surfaceData");
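Review bot: The bound check added in the first hunk can still be defeated by wraparound, because in `s = width * height * 4ULL;` the `width * height` part is evaluated first as a 32-bit UINT32 product and only the already-wrapped result is widened by `4ULL`. Dimensions whose product exceeds 32 bits therefore yield a small `s` that passes `s > INT32_MAX` and is then handed to `BufferPool_Take` in the second hunk, while later code presumably still works with the original width and height. Widen before multiplying and test the pixel count, e.g. `if ((UINT64)width * height > INT32_MAX / 4) return NULL;` followed by `s = (size_t)width * height * 4;`, which also stays correct where `size_t` is 32 bits. The body of PresentationContext_new continues outside both hunks, so how the surface buffer is indexed afterwards is not visible here.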