mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #5756 from akallabeth/nocodec_length_check

Browse Source 
Added data length check for RDP_CODEC_ID_NONE
This commit is contained in:
David Fort 2019-11-28 10:17:25 +01:00 committed by GitHub
commit 34326d74ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
client/X11/xf_gdi.c
View File

@ -1026,6 +1026,7 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
BOOL ret = FALSE;
DWORD format;
rdpGdi* gdi;
size_t size;
REGION16 region;
RECTANGLE_16 cmdRect;
@ -1065,6 +1066,13 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
case RDP_CODEC_ID_NONE:
pSrcData = cmd->bmp.bitmapData;
format = gdi_get_pixel_format(cmd->bmp.bpp);
size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
if (size > cmd->bmp.bitmapDataLength)
{
WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
cmd->bmp.bitmapDataLength, size);
goto fail;
}
if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
cmd->destTop, cmd->bmp.width, cmd->bmp.height, pSrcData, format,
@ -1076,7 +1084,6 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
default:
WLog_ERR(TAG, "Unsupported codecID %" PRIu16 "", cmd->bmp.codecID);
ret = TRUE;
goto fail;
}

9
libfreerdp/gdi/gdi.c
View File

@ -1001,6 +1001,7 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
BOOL result = FALSE;
DWORD format;
rdpGdi* gdi;
size_t size;
REGION16 region;
RECTANGLE_16 cmdRect;
UINT32 i, nbRects;
@ -1055,7 +1056,13 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
case RDP_CODEC_ID_NONE:
format = gdi_get_pixel_format(cmd->bmp.bpp);
size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
if (size > cmd->bmp.bitmapDataLength)
{
WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
cmd->bmp.bitmapDataLength, size);
goto out;
}
if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
cmd->destTop, cmd->bmp.width, cmd->bmp.height,
cmd->bmp.bitmapData, format, 0, 0, 0, &gdi->palette,