mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed possible int overflow.

Browse Source
This commit is contained in:
akallabeth 2020-04-15 17:49:41 +02:00
parent 09d0124418
commit 13dac0ee2a
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
libfreerdp/codec/progressive.c
View File

@ -1920,7 +1920,7 @@ static INLINE INT32 progressive_wb_read_region_header(PROGRESSIVE_CONTEXT* progr
UINT16 blockType, UINT32 blockLen, UINT16 blockType, UINT32 blockLen,
PROGRESSIVE_BLOCK_REGION* region) PROGRESSIVE_BLOCK_REGION* region)
{ {
size_t offset, len; size_t len;
memset(region, 0, sizeof(PROGRESSIVE_BLOCK_REGION)); memset(region, 0, sizeof(PROGRESSIVE_BLOCK_REGION));
if (Stream_GetRemainingLength(s) < 12) if (Stream_GetRemainingLength(s) < 12)
@ -1965,35 +1965,37 @@ static INLINE INT32 progressive_wb_read_region_header(PROGRESSIVE_CONTEXT* progr
} }
len = Stream_GetRemainingLength(s); len = Stream_GetRemainingLength(s);
offset = (region->numRects * 8); if (len / 8 < region->numRects)
if (len < offset)
{ {
WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->rects"); WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->rects");
return -1015; return -1015;
} }
len -= region->numRects * 8ULL;
offset += (region->numQuant * 5); if (len / 5 < region->numQuant)
if (len < offset)
{ {
WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->cQuant"); WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->cQuant");
return -1018; return -1018;
} }
len -= region->numQuant * 5ULL;
offset += (region->numProgQuant * 16); if (len / 16 < region->numProgQuant)
if (len < offset)
{ {
WLog_Print(progressive->log, WLOG_ERROR, WLog_Print(progressive->log, WLOG_ERROR,
"ProgressiveRegion data short for region->cProgQuant"); "ProgressiveRegion data short for region->cProgQuant");
return -1021; return -1021;
} }
len -= region->numProgQuant * 16ULL;
offset += region->tileDataSize; if (len < region->tileDataSize)
if (len < offset)
{ {
WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->tiles"); WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion data short for region->tiles");
return -1024; return -1024;
} }
len -= region->tileDataSize;
if (len > 0)
WLog_Print(progressive->log, WLOG_DEBUG,
"Unused byes detected, %" PRIuz " bytes not processed", len);
return 0; return 0;
} }