From 32a1f2cc66dcedfbeaf9aa52adf09c2415586ca1 Mon Sep 17 00:00:00 2001
From: Richard Markiewicz
Date: Wed, 16 Mar 2022 12:23:46 -0700
Subject: [PATCH] freerdp: fix buffer overflow in MRDPView
---
 client/Mac/MRDPView.m | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/client/Mac/MRDPView.m b/client/Mac/MRDPView.m
index fef7bd345..fa95cdcf2 100644
--- a/client/Mac/MRDPView.m
+++ b/client/Mac/MRDPView.m
@@ -660,12 +660,13 @@ DWORD fixKeyCode(DWORD keyCode, unichar keyChar, enum APPLE_KEYBOARD_TYPE type)
 - (void)onPasteboardTimerFired:(NSTimer *)timer
 {
- const BYTE *data;
+ const void *data;
 UINT32 size;
 UINT32 formatId;
 BOOL formatMatch;
 int changeCount;
 NSData *formatData;
+ NSString *formatString;
 const char *formatType;
 NSPasteboardItem *item;
 changeCount = (int)[pasteboard_rd changeCount];
@@ -693,12 +694,22 @@ DWORD fixKeyCode(DWORD keyCode, unichar keyChar, enum APPLE_KEYBOARD_TYPE type)
 if (strcmp(formatType, "public.utf8-plain-text") == 0)
 {
 formatData = [item dataForType:type];
+
+ if (formatData == nil)
+ {
+ break;
+ }
+
+ formatString = [[NSString alloc] initWithData:formatData encoding:NSUTF8StringEncoding];
+
+ size = strlen([formatString UTF8String]) + 1;
+ data = [formatString UTF8String];
 formatId = ClipboardRegisterFormat(mfc->clipboard, "UTF8_STRING");
- size = (UINT32)[formatData length];
- data = [formatData bytes];
- /* size is the string length without the terminating NULL terminator */
- ClipboardSetData(mfc->clipboard, formatId, data, size + 1);
+ ClipboardSetData(mfc->clipboard, formatId, data, size);
+ [formatString release];
+
 formatMatch = TRUE;
+
 break;
 }
 }
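Review bot: In the second hunk, `formatString` is used without a nil check: `initWithData:encoding:` returns nil when the pasteboard bytes are not valid UTF-8, `[formatString UTF8String]` then yields NULL, and `strlen(NULL)` crashes the client on content that any local application can put on the pasteboard. Add `if (formatString == nil) break;` directly after the `initWithData:` line, mirroring the `formatData == nil` guard just above it. The removed size comment is not replaced, so a short one such as `/* size includes the NUL terminator, which the NSString buffer provides and the raw NSData bytes do not */` would record why the conversion exists. ClipboardSetData is not visible here; if it keeps the pointer instead of copying the bytes, `data` would dangle after `[formatString release]`, which is worth confirming. The body of onPasteboardTimerFired starts in the first hunk and continues past the end of this one.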