Check that bpp has reasonable value
As bpp is often used for malloc computations, let's check that it has a reasonable value.
parent
61a58532db
commit
07e0eba7db
@ -914,7 +914,7 @@ static void xf_cliprdr_process_unicodetext(clipboardContext* cb, BYTE* data, int
|
|||||||
crlf2lf(cb->data, &cb->data_length);
|
crlf2lf(cb->data, &cb->data_length);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void xf_cliprdr_process_dib(clipboardContext* cb, BYTE* data, int size)
|
static BOOL xf_cliprdr_process_dib(clipboardContext* cb, BYTE* data, int size)
|
||||||
{
|
{
|
||||||
wStream* s;
|
wStream* s;
|
||||||
UINT16 bpp;
|
UINT16 bpp;
|
||||||
@ -926,12 +926,18 @@ static void xf_cliprdr_process_dib(clipboardContext* cb, BYTE* data, int size)
|
|||||||
if (size < 40)
|
if (size < 40)
|
||||||
{
|
{
|
||||||
DEBUG_X11_CLIPRDR("dib size %d too short", size);
|
DEBUG_X11_CLIPRDR("dib size %d too short", size);
|
||||||
return;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
s = Stream_New(data, size);
|
s = Stream_New(data, size);
|
||||||
Stream_Seek(s, 14);
|
Stream_Seek(s, 14);
|
||||||
Stream_Read_UINT16(s, bpp);
|
Stream_Read_UINT16(s, bpp);
|
||||||
|
if ((bpp < 1) || (bpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, bpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
Stream_Read_UINT32(s, ncolors);
|
Stream_Read_UINT32(s, ncolors);
|
||||||
offset = 14 + 40 + (bpp <= 8 ? (ncolors == 0 ? (1 << bpp) : ncolors) * 4 : 0);
|
offset = 14 + 40 + (bpp <= 8 ? (ncolors == 0 ? (1 << bpp) : ncolors) * 4 : 0);
|
||||||
Stream_Free(s, FALSE);
|
Stream_Free(s, FALSE);
|
||||||
@ -949,6 +955,7 @@ static void xf_cliprdr_process_dib(clipboardContext* cb, BYTE* data, int size)
|
|||||||
cb->data = Stream_Buffer(s);
|
cb->data = Stream_Buffer(s);
|
||||||
cb->data_length = Stream_GetPosition(s);
|
cb->data_length = Stream_GetPosition(s);
|
||||||
Stream_Free(s, FALSE);
|
Stream_Free(s, FALSE);
|
||||||
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void xf_cliprdr_process_html(clipboardContext* cb, BYTE* data, int size)
|
static void xf_cliprdr_process_html(clipboardContext* cb, BYTE* data, int size)
|
||||||
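Review bot: The new `return FALSE;` in the bpp check of xf_cliprdr_process_dib runs after `s = Stream_New(data, size);`, so every rejected DIB leaks one wStream wrapper. Release it before bailing out, as the normal path does a few lines later: `Stream_Free(s, FALSE);` followed by `return FALSE;`. The function now returns BOOL, but its callers are outside the visible hunks, so it is worth confirming that they test the result and do not use cb->data after a rejection.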
|
@ -1840,6 +1840,11 @@ BOOL update_read_cache_bitmap_order(wStream* s, CACHE_BITMAP_ORDER* cache_bitmap
|
|||||||
Stream_Read_UINT8(s, cache_bitmap->bitmapWidth); /* bitmapWidth (1 byte) */
|
Stream_Read_UINT8(s, cache_bitmap->bitmapWidth); /* bitmapWidth (1 byte) */
|
||||||
Stream_Read_UINT8(s, cache_bitmap->bitmapHeight); /* bitmapHeight (1 byte) */
|
Stream_Read_UINT8(s, cache_bitmap->bitmapHeight); /* bitmapHeight (1 byte) */
|
||||||
Stream_Read_UINT8(s, cache_bitmap->bitmapBpp); /* bitmapBpp (1 byte) */
|
Stream_Read_UINT8(s, cache_bitmap->bitmapBpp); /* bitmapBpp (1 byte) */
|
||||||
|
if ((cache_bitmap->bitmapBpp < 1) || (cache_bitmap->bitmapBpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bitmap bpp %d\n", __FUNCTION__, cache_bitmap->bitmapBpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
Stream_Read_UINT16(s, cache_bitmap->bitmapLength); /* bitmapLength (2 bytes) */
|
Stream_Read_UINT16(s, cache_bitmap->bitmapLength); /* bitmapLength (2 bytes) */
|
||||||
Stream_Read_UINT16(s, cache_bitmap->cacheIndex); /* cacheIndex (2 bytes) */
|
Stream_Read_UINT16(s, cache_bitmap->cacheIndex); /* cacheIndex (2 bytes) */
|
||||||
|
|
||||||
@ -2078,6 +2083,11 @@ BOOL update_read_cache_bitmap_v3_order(wStream* s, CACHE_BITMAP_V3_ORDER* cache_
|
|||||||
bitmapData = &cache_bitmap_v3->bitmapData;
|
bitmapData = &cache_bitmap_v3->bitmapData;
|
||||||
|
|
||||||
Stream_Read_UINT8(s, bitmapData->bpp);
|
Stream_Read_UINT8(s, bitmapData->bpp);
|
||||||
|
if ((bitmapData->bpp < 1) || (bitmapData->bpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, bitmapData->bpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
Stream_Seek_UINT8(s); /* reserved1 (1 byte) */
|
Stream_Seek_UINT8(s); /* reserved1 (1 byte) */
|
||||||
Stream_Seek_UINT8(s); /* reserved2 (1 byte) */
|
Stream_Seek_UINT8(s); /* reserved2 (1 byte) */
|
||||||
Stream_Read_UINT8(s, bitmapData->codecID); /* codecID (1 byte) */
|
Stream_Read_UINT8(s, bitmapData->codecID); /* codecID (1 byte) */
|
||||||
@ -2682,6 +2692,11 @@ BOOL update_read_create_nine_grid_bitmap_order(wStream* s, CREATE_NINE_GRID_BITM
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
Stream_Read_UINT8(s, create_nine_grid_bitmap->bitmapBpp); /* bitmapBpp (1 byte) */
|
Stream_Read_UINT8(s, create_nine_grid_bitmap->bitmapBpp); /* bitmapBpp (1 byte) */
|
||||||
|
if ((create_nine_grid_bitmap->bitmapBpp < 1) || (create_nine_grid_bitmap->bitmapBpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, create_nine_grid_bitmap->bitmapBpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
Stream_Read_UINT16(s, create_nine_grid_bitmap->bitmapId); /* bitmapId (2 bytes) */
|
Stream_Read_UINT16(s, create_nine_grid_bitmap->bitmapId); /* bitmapId (2 bytes) */
|
||||||
|
|
||||||
nineGridInfo = &(create_nine_grid_bitmap->nineGridInfo);
|
nineGridInfo = &(create_nine_grid_bitmap->nineGridInfo);
|
||||||
@ -2717,6 +2732,12 @@ BOOL update_read_stream_bitmap_first_order(wStream* s, STREAM_BITMAP_FIRST_ORDER
|
|||||||
|
|
||||||
Stream_Read_UINT8(s, stream_bitmap_first->bitmapFlags); /* bitmapFlags (1 byte) */
|
Stream_Read_UINT8(s, stream_bitmap_first->bitmapFlags); /* bitmapFlags (1 byte) */
|
||||||
Stream_Read_UINT8(s, stream_bitmap_first->bitmapBpp); /* bitmapBpp (1 byte) */
|
Stream_Read_UINT8(s, stream_bitmap_first->bitmapBpp); /* bitmapBpp (1 byte) */
|
||||||
|
if ((stream_bitmap_first->bitmapBpp < 1) || (stream_bitmap_first->bitmapBpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, stream_bitmap_first->bitmapBpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
Stream_Read_UINT16(s, stream_bitmap_first->bitmapType); /* bitmapType (2 bytes) */
|
Stream_Read_UINT16(s, stream_bitmap_first->bitmapType); /* bitmapType (2 bytes) */
|
||||||
Stream_Read_UINT16(s, stream_bitmap_first->bitmapWidth); /* bitmapWidth (2 bytes) */
|
Stream_Read_UINT16(s, stream_bitmap_first->bitmapWidth); /* bitmapWidth (2 bytes) */
|
||||||
Stream_Read_UINT16(s, stream_bitmap_first->bitmapHeight); /* bitmapHeigth (2 bytes) */
|
Stream_Read_UINT16(s, stream_bitmap_first->bitmapHeight); /* bitmapHeigth (2 bytes) */
|
||||||
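Review bot: Three of the four new rejection messages in this file (update_read_cache_bitmap_v3_order, update_read_create_nine_grid_bitmap_order, update_read_stream_bitmap_first_order) have no trailing newline, unlike the one in update_read_cache_bitmap_order, so consecutive rejections run together on stderr and are hard to pick out when triaging a misbehaving server. End each with `\n`, e.g. `fprintf(stderr, "%s: invalid bpp value %d\n", __FUNCTION__, bitmapData->bpp);`; the same applies to the checks added in xf_cliprdr_process_dib, update_recv_surfcmd_surface_bits and update_read_icon_info. Since the identical 1..32 test is now repeated in seven places, a small shared helper would keep the bound and the message in one place. The range also admits depths the consumers may not handle (for example 3 or 17); whether that matters depends on size computations outside these hunks.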
|
@ -38,6 +38,12 @@ static int update_recv_surfcmd_surface_bits(rdpUpdate* update, wStream* s, UINT3
|
|||||||
Stream_Read_UINT16(s, cmd->destRight);
|
Stream_Read_UINT16(s, cmd->destRight);
|
||||||
Stream_Read_UINT16(s, cmd->destBottom);
|
Stream_Read_UINT16(s, cmd->destBottom);
|
||||||
Stream_Read_UINT8(s, cmd->bpp);
|
Stream_Read_UINT8(s, cmd->bpp);
|
||||||
|
if ((cmd->bpp < 1) || (cmd->bpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, cmd->bpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
Stream_Seek(s, 2); /* reserved1, reserved2 */
|
Stream_Seek(s, 2); /* reserved1, reserved2 */
|
||||||
Stream_Read_UINT8(s, cmd->codecID);
|
Stream_Read_UINT8(s, cmd->codecID);
|
||||||
Stream_Read_UINT16(s, cmd->width);
|
Stream_Read_UINT16(s, cmd->width);
|
||||||
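Review bot: The added check returns `FALSE` from a function the hunk header declares as `static int`, so an out-of-range bpp is reported to the caller as 0. If update_recv_surfcmd_surface_bits signals failure with a negative value (its other return statements are outside the hunk, so this is an inference), the caller would treat the rejected command as handled and continue parsing from a position in the middle of that command. Return the function's own error value instead, presumably `return -1;`.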
|
@ -30,12 +30,19 @@
|
|||||||
|
|
||||||
BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
|
BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
|
||||||
{
|
{
|
||||||
|
BYTE *newBitMask;
|
||||||
if (Stream_GetRemainingLength(s) < 8)
|
if (Stream_GetRemainingLength(s) < 8)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
Stream_Read_UINT16(s, iconInfo->cacheEntry); /* cacheEntry (2 bytes) */
|
Stream_Read_UINT16(s, iconInfo->cacheEntry); /* cacheEntry (2 bytes) */
|
||||||
Stream_Read_UINT8(s, iconInfo->cacheId); /* cacheId (1 byte) */
|
Stream_Read_UINT8(s, iconInfo->cacheId); /* cacheId (1 byte) */
|
||||||
Stream_Read_UINT8(s, iconInfo->bpp); /* bpp (1 byte) */
|
Stream_Read_UINT8(s, iconInfo->bpp); /* bpp (1 byte) */
|
||||||
|
if ((iconInfo->bpp < 1) || (iconInfo->bpp > 32))
|
||||||
|
{
|
||||||
|
fprintf(stderr, "%s: invalid bpp value %d", __FUNCTION__, iconInfo->bpp);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
Stream_Read_UINT16(s, iconInfo->width); /* width (2 bytes) */
|
Stream_Read_UINT16(s, iconInfo->width); /* width (2 bytes) */
|
||||||
Stream_Read_UINT16(s, iconInfo->height); /* height (2 bytes) */
|
Stream_Read_UINT16(s, iconInfo->height); /* height (2 bytes) */
|
||||||
|
|
||||||
@ -62,10 +69,10 @@ BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
/* bitsMask */
|
/* bitsMask */
|
||||||
if (iconInfo->bitsMask == NULL)
|
newBitMask = (BYTE*) realloc(iconInfo->bitsMask, iconInfo->cbBitsMask);
|
||||||
iconInfo->bitsMask = (BYTE*) malloc(iconInfo->cbBitsMask);
|
if (!newBitMask)
|
||||||
else
|
return FALSE;
|
||||||
iconInfo->bitsMask = (BYTE*) realloc(iconInfo->bitsMask, iconInfo->cbBitsMask);
|
iconInfo->bitsMask = newBitMask;
|
||||||
|
|
||||||
Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);
|
Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);
|
||||||
|
|
||||||
@ -89,10 +96,10 @@ BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
|
|||||||
Stream_Read(s, iconInfo->colorTable, iconInfo->cbColorTable);
|
Stream_Read(s, iconInfo->colorTable, iconInfo->cbColorTable);
|
||||||
|
|
||||||
/* bitsColor */
|
/* bitsColor */
|
||||||
if (iconInfo->bitsColor == NULL)
|
newBitMask = (BYTE *)realloc(iconInfo->bitsColor, iconInfo->cbBitsColor);
|
||||||
iconInfo->bitsColor = (BYTE*) malloc(iconInfo->cbBitsColor);
|
if (!newBitMask)
|
||||||
else
|
return FALSE;
|
||||||
iconInfo->bitsColor = (BYTE*) realloc(iconInfo->bitsColor, iconInfo->cbBitsColor);
|
iconInfo->bitsColor = newBitMask;
|
||||||
|
|
||||||
Stream_Read(s, iconInfo->bitsColor, iconInfo->cbBitsColor);
|
Stream_Read(s, iconInfo->bitsColor, iconInfo->cbBitsColor);
|
||||||
|
|
||||||
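Review bot: The realloc rewrite in update_read_icon_info treats a NULL result as failure without considering a zero size: `realloc(ptr, 0)` is implementation-defined and on common allocators frees `ptr` and returns NULL, which would leave iconInfo->bitsMask (and likewise bitsColor) pointing at freed memory when the function returns FALSE. cbBitsMask and cbBitsColor are set outside the visible hunks, presumably from the stream, so whether zero is reachable needs checking; handling it explicitly removes the doubt. The sketch shows the shape for bitsMask, and bitsColor would follow the same pattern, ideally with a neutrally named temporary instead of reusing `newBitMask`. The function body extends beyond these hunks.

```c
	/* bitsMask */
	if (iconInfo->cbBitsMask == 0)
	{
		/* realloc(ptr, 0) is implementation-defined; release explicitly */
		free(iconInfo->bitsMask);
		iconInfo->bitsMask = NULL;
	}
	else
	{
		newBitMask = (BYTE*) realloc(iconInfo->bitsMask, iconInfo->cbBitsMask);
		if (!newBitMask)
			return FALSE;
		iconInfo->bitsMask = newBitMask;
		Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);
	}
	/* … unchanged: colorTable handling … */
```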
|