mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed oob read in clear_decompress_subcode_rlex

Browse Source 
Fixed length checks before stream read.
Thanks to hac425 CVE-2020-11040
This commit is contained in:
akallabeth 2020-04-21 10:35:17 +02:00
parent 2215fef975
commit 363d7046df
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libfreerdp/codec/clear.c
View File

@ -130,7 +130,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
UINT32 i; UINT32 i;
UINT32 pixelCount; UINT32 pixelCount;
UINT32 bitmapDataOffset; UINT32 bitmapDataOffset;
UINT32 pixelIndex; size_t pixelIndex;
UINT32 numBits; UINT32 numBits;
BYTE startIndex; BYTE startIndex;
BYTE stopIndex; BYTE stopIndex;
@ -146,6 +146,8 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
return FALSE; return FALSE;
} }
if (Stream_GetRemainingLength(s) < 1)
return FALSE;
Stream_Read_UINT8(s, paletteCount); Stream_Read_UINT8(s, paletteCount);
bitmapDataOffset = 1 + (paletteCount * 3); bitmapDataOffset = 1 + (paletteCount * 3);
@ -155,6 +157,9 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
return FALSE; return FALSE;
} }
if (Stream_GetRemainingLength(s) < 3ULL * paletteCount)
return FALSE;
for (i = 0; i < paletteCount; i++) for (i = 0; i < paletteCount; i++)
{ {
BYTE r, g, b; BYTE r, g, b;
@ -299,7 +304,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
if (pixelIndex != pixelCount) if (pixelIndex != pixelCount)
{ {
WLog_ERR(TAG, "pixelIndex %" PRIu32 " != pixelCount %" PRIu32 "", pixelIndex, pixelCount); WLog_ERR(TAG, "pixelIndex %" PRIdz " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
return FALSE; return FALSE;
} }