From 363d7046dfec4003b91aecf7867e3b05905f3843 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Tue, 21 Apr 2020 10:35:17 +0200
Subject: [PATCH] Fixed oob read in clear_decompress_subcode_rlex

Fixed length checks before stream read.
Thanks to hac425 CVE-2020-11040
---
 libfreerdp/codec/clear.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index 5be6cb12f..118e09b35 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -130,7 +130,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
 	UINT32 i;
 	UINT32 pixelCount;
 	UINT32 bitmapDataOffset;
-	UINT32 pixelIndex;
+	size_t pixelIndex;
 	UINT32 numBits;
 	BYTE startIndex;
 	BYTE stopIndex;
@@ -146,6 +146,8 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
 		return FALSE;
 	}
 
+	if (Stream_GetRemainingLength(s) < 1)
+		return FALSE;
 	Stream_Read_UINT8(s, paletteCount);
 	bitmapDataOffset = 1 + (paletteCount * 3);
 
@@ -155,6 +157,9 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
 		return FALSE;
 	}
 
+	if (Stream_GetRemainingLength(s) < 3ULL * paletteCount)
+		return FALSE;
+
 	for (i = 0; i < paletteCount; i++)
 	{
 		BYTE r, g, b;
@@ -299,7 +304,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
 
 	if (pixelIndex != pixelCount)
 	{
-		WLog_ERR(TAG, "pixelIndex %" PRIu32 " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
+		WLog_ERR(TAG, "pixelIndex %" PRIdz " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
 		return FALSE;
 	}
 
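Review bot: The guard added before `Stream_Read_UINT8(s, paletteCount)` and the `3ULL * paletteCount` guard in the following hunk each bound a single read, while the function already receives `bitmapDataByteCount` as the size of the payload it is decoding, and the lines between the two hunks appear to compare `bitmapDataOffset` against that count. If the caller does not already establish that the stream holds `bitmapDataByteCount` bytes, one entry check, `if (Stream_GetRemainingLength(s) < bitmapDataByteCount) return FALSE;`, would cover the palette byte, the RGB entries and the rlex segments read later in one place, and the per-read checks could then be expressed against `bitmapDataByteCount` rather than the raw stream. The body of clear_decompress_subcode_rlex begins before this hunk, so whether such a check exists there cannot be confirmed from the diff. Whatever the outcome, a short comment on the new guards, `/* 1 byte paletteCount, then paletteCount * 3 bytes of RGB entries */`, would record why the length is validated in two steps.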
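Review bot: `PRIdz` is WinPR's signed size conversion (it expands to "zd" as far as I recall), but `pixelIndex` is a `size_t` after the change in the first hunk, so the replacement format string still mismatches the argument's signedness and `-Wformat` will warn on it; the matching macro is `PRIuz`: `WLog_ERR(TAG, "pixelIndex %" PRIuz " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);`. The printed value is the same for any index that fits in a signed size, so this is a strict-conformance fix rather than a visible behaviour change. The function's closing `return` lies outside the hunk.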