From 232c7f478318b969aef0979df6a08dc2424d0eb3 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 6 Apr 2020 15:08:25 +0200
Subject: [PATCH] Abort order read on invalid element count.

---
 libfreerdp/core/orders.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index febef2f25..4bf362899 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1444,6 +1444,9 @@ static BOOL update_read_polyline_order(wStream* s, const ORDER_INFO* orderInfo,
 {
 DELTA_POINT* new_points;
 
+ if (new_num == 0)
+ return FALSE;
+
 if (Stream_GetRemainingLength(s) < 1)
 {
 WLog_ERR(TAG, "Stream_GetRemainingLength(s) < 1");
@@ -1739,7 +1742,7 @@ static BOOL update_read_fast_glyph_order(wStream* s, const ORDER_INFO* orderInfo
 if (fastGlyph->cbData < new_cb)
 return FALSE;
 
- if (new_cb)
+ if (new_cb > 0)
 {
 BYTE* new_aj;
 new_aj = (BYTE*)realloc(glyph->aj, new_cb);
@@ -1772,6 +1775,9 @@ static BOOL update_read_polygon_sc_order(wStream* s, const ORDER_INFO* orderInfo
 {
 DELTA_POINT* newpoints;
 
+ if (num == 0)
+ return FALSE;
+
 if (Stream_GetRemainingLength(s) < 1)
 return FALSE;
 
@@ -1809,6 +1815,9 @@ static BOOL update_read_polygon_cb_order(wStream* s, const ORDER_INFO* orderInfo
 {
 DELTA_POINT* newpoints;
 
+ if (num == 0)
+ return FALSE;
+
 if (Stream_GetRemainingLength(s) < 1)
 return FALSE;
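Review bot: The new `if (new_num == 0) return FALSE;` guard in update_read_polyline_order fails silently, while the stream-length check directly below it logs through WLog_ERR before returning. A zero element count, presumably taken from the order stream, is the kind of malformed input that should be visible in logs when a session is dropped, so I would brace the guard and add `WLog_ERR(TAG, "new_num == 0");` before the return. The same silent return is added in update_read_polygon_sc_order and update_read_polygon_cb_order, although the neighbouring checks there are silent as well. The function body starts and ends outside this hunk, so where new_num is read and how it is later used are not visible here.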
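Review bot: Rewriting `if (new_cb)` as `if (new_cb > 0)` in update_read_fast_glyph_order does not change behaviour if new_cb is an unsigned type (its declaration is outside the hunk), so a zero count here is still skipped rather than rejected as in the other three hunks. If zero is a legitimate value for this order, a one-line comment above the test would say so, for example `/* new_cb == 0 is accepted here; the reallocation is skipped */`. If new_cb can be signed, the new comparison also keeps negative values away from `realloc(glyph->aj, new_cb)`, and that would deserve a mention in the commit message. The enclosing block continues past the end of the hunk, so what happens to glyph->aj on the zero path cannot be checked from here.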