Fixed #6012: CVE-2020-11526: Out of bounds read in update_recv_orders
Thanks to @hac425xxx and Sunglin and HuanGMz from Knownsec 404
parent
0b6b92a25a
commit
192856cb59
@ -3485,7 +3485,14 @@ static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flag
|
||||
Stream_Read_UINT16(s, orderLength); /* orderLength (2 bytes) */
|
||||
Stream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */
|
||||
Stream_Read_UINT8(s, orderType); /* orderType (1 byte) */
|
||||
next = Stream_Pointer(s) + ((INT16)orderLength) + 7;
|
||||
if (Stream_GetRemainingLength(s) < orderLength + 7)
|
||||
{
|
||||
WLog_Print(update->log, WLOG_ERROR, "Stream_GetRemainingLength(s) %" PRIuz " < %" PRIu16,
|
||||
Stream_GetRemainingLength(s), orderLength + 7);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
next = Stream_Pointer(s) + orderLength + 7;
|
||||
name = secondary_order_string(orderType);
|
||||
WLog_Print(update->log, WLOG_DEBUG, "Secondary Drawing Order %s", name);
|
||||
|
||||
|
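Review bot: The error log inside the new length check passes `orderLength + 7` to a `PRIu16` conversion, but that expression is promoted to `int`. If `PRIu16` expands to an `h`-modified conversion, the logged value wraps for `orderLength` above 65528, so the message would misreport the oversized lengths this check is meant to reject. Computing the bound once as `const size_t need = (size_t)orderLength + 7;`, testing `if (Stream_GetRemainingLength(s) < need)` and printing `need` with `PRIuz` keeps the comparison and the log in one unsigned type. The constant 7 is unexplained in the hunk, so a one-line comment above the check saying which bytes it accounts for would help the next reader confirm the bound. The body of update_recv_secondary_order starts and ends outside the hunk, so it is not visible here whether the 5 bytes read above are themselves length-checked or how `next` is used afterwards.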