mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed out of bound read in RLEDECOMPRESS

Browse Source 
CVE-2020-4033 thanks to @antonio-morales for finding this.
This commit is contained in:
akallabeth 2020-06-02 08:45:09 +02:00 committed by Armin Novak
parent e7bffa64ef
commit 0a98c450c5
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libfreerdp/codec/include/bitmap.c
View File

@ -201,6 +201,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN) if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN)
{ {
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(fgPel, pbSrc); SRCREADPIXEL(fgPel, pbSrc);
SRCNEXTPIXEL(pbSrc); SRCNEXTPIXEL(pbSrc);
} }
@ -231,8 +233,12 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case MEGA_MEGA_DITHERED_RUN: case MEGA_MEGA_DITHERED_RUN:
runLength = ExtractRunLength(code, pbSrc, &advance); runLength = ExtractRunLength(code, pbSrc, &advance);
pbSrc = pbSrc + advance; pbSrc = pbSrc + advance;
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelA, pbSrc); SRCREADPIXEL(pixelA, pbSrc);
SRCNEXTPIXEL(pbSrc); SRCNEXTPIXEL(pbSrc);
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelB, pbSrc); SRCREADPIXEL(pixelB, pbSrc);
SRCNEXTPIXEL(pbSrc); SRCNEXTPIXEL(pbSrc);
@ -252,6 +258,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case MEGA_MEGA_COLOR_RUN: case MEGA_MEGA_COLOR_RUN:
runLength = ExtractRunLength(code, pbSrc, &advance); runLength = ExtractRunLength(code, pbSrc, &advance);
pbSrc = pbSrc + advance; pbSrc = pbSrc + advance;
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelA, pbSrc); SRCREADPIXEL(pixelA, pbSrc);
SRCNEXTPIXEL(pbSrc); SRCNEXTPIXEL(pbSrc);
@ -272,6 +280,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
runLength = ExtractRunLength(code, pbSrc, &advance); runLength = ExtractRunLength(code, pbSrc, &advance);
pbSrc = pbSrc + advance; pbSrc = pbSrc + advance;
if (pbSrc >= pbEnd)
return FALSE;
if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE) if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE)
{ {
SRCREADPIXEL(fgPel, pbSrc); SRCREADPIXEL(fgPel, pbSrc);
@ -338,6 +348,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
return FALSE; return FALSE;
UNROLL(runLength, { UNROLL(runLength, {
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(temp, pbSrc); SRCREADPIXEL(temp, pbSrc);
SRCNEXTPIXEL(pbSrc); SRCNEXTPIXEL(pbSrc);
DESTWRITEPIXEL(pbDest, temp); DESTWRITEPIXEL(pbDest, temp);