Before asking for an element from the PRIMARY_DRAWING_ORDER_FIELD_BYTES[] array, check if the array is big enough.

Pawel Jakub Dawidek 2012-02-11 14:30:09 +01:00
parent cb4668ca68
commit 3aa804f176
7 changed files with 68 additions and 31 deletions


@ -120,7 +120,7 @@ uint16 fastpath_read_header_rdp(rdpFastPath* fastpath, STREAM* s)
return length - stream_get_length(s);
}
static void fastpath_recv_orders(rdpFastPath* fastpath, STREAM* s)
static boolean fastpath_recv_orders(rdpFastPath* fastpath, STREAM* s)
{
rdpUpdate* update = fastpath->rdp->update;
uint16 numberOrders;
@ -129,9 +129,12 @@ static void fastpath_recv_orders(rdpFastPath* fastpath, STREAM* s)
while (numberOrders > 0)
{
update_recv_order(update, s);
if (!update_recv_order(update, s))
return false;
numberOrders--;
}
return true;
}
static void fastpath_recv_update_common(rdpFastPath* fastpath, STREAM* s)
@ -161,7 +164,7 @@ static void fastpath_recv_update_synchronize(rdpFastPath* fastpath, STREAM* s)
stream_seek_uint16(s); /* size (2 bytes), must be set to zero */
}
static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint32 size, STREAM* s)
static boolean fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint32 size, STREAM* s)
{
rdpUpdate* update = fastpath->rdp->update;
rdpContext* context = fastpath->rdp->update->context;
@ -170,7 +173,8 @@ static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint32
switch (updateCode)
{
case FASTPATH_UPDATETYPE_ORDERS:
fastpath_recv_orders(fastpath, s);
if (!fastpath_recv_orders(fastpath, s))
return false;
break;
case FASTPATH_UPDATETYPE_BITMAP:
@ -221,9 +225,11 @@ static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint32
DEBUG_WARN("unknown updateCode 0x%X", updateCode);
break;
}
return true;
}
static void fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
static boolean fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
{
uint16 size;
int next_pos;
@ -291,12 +297,17 @@ static void fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
}
if (update_stream)
fastpath_recv_update(fastpath, updateCode, totalSize, update_stream);
{
if (!fastpath_recv_update(fastpath, updateCode, totalSize, update_stream))
return false;
}
stream_set_pos(s, next_pos);
if (comp_stream != s)
xfree(comp_stream);
return true;
}
boolean fastpath_recv_updates(rdpFastPath* fastpath, STREAM* s)
@ -307,7 +318,11 @@ boolean fastpath_recv_updates(rdpFastPath* fastpath, STREAM* s)
while (stream_get_left(s) >= 3)
{
fastpath_recv_update_data(fastpath, s);
if (!fastpath_recv_update_data(fastpath, s))
{
/* XXX: Do we need to call EndPaint? */
return false;
}
}
IFCALL(update->EndPaint, update->context);
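Review bot: The new `return false` in fastpath_recv_update_data exits before `stream_set_pos(s, next_pos)` and before the `if (comp_stream != s) xfree(comp_stream);` cleanup that follows it, so a rejected order appears to leak the decompressed buffer. The failing input comes from the peer, so a broken or hostile server can trigger the leak repeatedly for as long as the caller keeps the session open. Record the result and fall through to the cleanup instead: `ret = fastpath_recv_update(fastpath, updateCode, totalSize, update_stream);` in place of the early return, and `return ret;` at the end. The allocation of comp_stream, and whether update_stream is allocated separately, lies outside the hunk, so confirm this against the full function.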


@ -55,8 +55,6 @@ static const char* const PRIMARY_DRAWING_ORDER_STRINGS[] =
"GlyphIndex"
};
#define PRIMARY_DRAWING_ORDER_COUNT (sizeof(PRIMARY_DRAWING_ORDER_STRINGS) / sizeof(PRIMARY_DRAWING_ORDER_STRINGS[0]))
static const char* const SECONDARY_DRAWING_ORDER_STRINGS[] =
{
"Cache Bitmap",
@ -123,6 +121,8 @@ static const uint8 PRIMARY_DRAWING_ORDER_FIELD_BYTES[] =
GLYPH_INDEX_ORDER_FIELD_BYTES
};
#define PRIMARY_DRAWING_ORDER_COUNT (sizeof(PRIMARY_DRAWING_ORDER_FIELD_BYTES) / sizeof(PRIMARY_DRAWING_ORDER_FIELD_BYTES[0]))
static const uint8 CBR2_BPP[] =
{
0, 0, 0, 8, 16, 24, 32
@ -1683,7 +1683,7 @@ void update_read_bounds(STREAM* s, rdpBounds* bounds)
update_read_coord(s, &bounds->bottom, true);
}
void update_recv_primary_order(rdpUpdate* update, STREAM* s, uint8 flags)
boolean update_recv_primary_order(rdpUpdate* update, STREAM* s, uint8 flags)
{
ORDER_INFO* orderInfo;
rdpContext* context = update->context;
@ -1694,6 +1694,12 @@ void update_recv_primary_order(rdpUpdate* update, STREAM* s, uint8 flags)
if (flags & ORDER_TYPE_CHANGE)
stream_read_uint8(s, orderInfo->orderType); /* orderType (1 byte) */
if (orderInfo->orderType >= PRIMARY_DRAWING_ORDER_COUNT)
{
printf("Invalid Primary Drawing Order (0x%02X)\n", orderInfo->orderType);
return false;
}
update_read_field_flags(s, &(orderInfo->fieldFlags), flags,
PRIMARY_DRAWING_ORDER_FIELD_BYTES[orderInfo->orderType]);
@ -1708,10 +1714,7 @@ void update_recv_primary_order(rdpUpdate* update, STREAM* s, uint8 flags)
orderInfo->deltaCoordinates = (flags & ORDER_DELTA_COORDINATES) ? true : false;
#ifdef WITH_DEBUG_ORDERS
if (orderInfo->orderType < PRIMARY_DRAWING_ORDER_COUNT)
printf("%s Primary Drawing Order (0x%02X)\n", PRIMARY_DRAWING_ORDER_STRINGS[orderInfo->orderType], orderInfo->orderType);
else
printf("Unknown Primary Drawing Order (0x%02X)\n", orderInfo->orderType);
printf("%s Primary Drawing Order (0x%02X)\n", PRIMARY_DRAWING_ORDER_STRINGS[orderInfo->orderType], orderInfo->orderType);
#endif
switch (orderInfo->orderType)
@ -1834,6 +1837,8 @@ void update_recv_primary_order(rdpUpdate* update, STREAM* s, uint8 flags)
{
IFCALL(update->SetBounds, context, NULL);
}
return true;
}
void update_recv_secondary_order(rdpUpdate* update, STREAM* s, uint8 flags)
@ -2004,7 +2009,7 @@ void update_recv_altsec_order(rdpUpdate* update, STREAM* s, uint8 flags)
}
}
void update_recv_order(rdpUpdate* update, STREAM* s)
boolean update_recv_order(rdpUpdate* update, STREAM* s)
{
uint8 controlFlags;
@ -2015,6 +2020,10 @@ void update_recv_order(rdpUpdate* update, STREAM* s)
else if (controlFlags & ORDER_SECONDARY)
update_recv_secondary_order(update, s, controlFlags);
else
update_recv_primary_order(update, s, controlFlags);
}
{
if (!update_recv_primary_order(update, s, controlFlags))
return false;
}
return true;
}
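Review bot: Under WITH_DEBUG_ORDERS the `printf` in update_recv_primary_order now indexes PRIMARY_DRAWING_ORDER_STRINGS unconditionally, but the only bound checked is PRIMARY_DRAWING_ORDER_COUNT, which this commit redefines from the length of PRIMARY_DRAWING_ORDER_FIELD_BYTES. Nothing visible ties the two tables to the same length, so if the strings table is ever the shorter one, a server-supplied orderType reads past it in debug builds. A compile-time check next to the macro would pin this, e.g. `typedef char primary_order_tables_match[(sizeof(PRIMARY_DRAWING_ORDER_STRINGS) / sizeof(PRIMARY_DRAWING_ORDER_STRINGS[0]) == PRIMARY_DRAWING_ORDER_COUNT) ? 1 : -1];`. Separately, update_recv_order still ignores the outcome of the secondary branch, which remains `void`, and the alternate-secondary function is likewise still `void`. Whether those paths index tables by an unchecked type is not visible here and deserves the same audit.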


@ -184,7 +184,7 @@
#define CG_GLYPH_UNICODE_PRESENT 0x0010
void update_recv_order(rdpUpdate* update, STREAM* s);
boolean update_recv_order(rdpUpdate* update, STREAM* s);
void update_read_dstblt_order(STREAM* s, ORDER_INFO* orderInfo, DSTBLT_ORDER* dstblt);
void update_read_patblt_order(STREAM* s, ORDER_INFO* orderInfo, PATBLT_ORDER* patblt);


@ -471,7 +471,7 @@ void rdp_recv_set_error_info_data_pdu(rdpRdp* rdp, STREAM* s)
rdp_print_errinfo(rdp->errorInfo);
}
void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
{
uint8 type;
uint16 length;
@ -489,7 +489,8 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
switch (type)
{
case DATA_PDU_TYPE_UPDATE:
update_recv(rdp->update, s);
if (!update_recv(rdp->update, s))
return false;
break;
case DATA_PDU_TYPE_CONTROL:
@ -571,6 +572,8 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
default:
break;
}
return true;
}
boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s)
@ -583,8 +586,7 @@ boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s)
if (type == PDU_TYPE_DATA)
{
rdp_recv_data_pdu(rdp, s);
return true;
return rdp_recv_data_pdu(rdp, s);
}
else if (type == PDU_TYPE_SERVER_REDIRECTION)
{
@ -719,7 +721,8 @@ static boolean rdp_recv_tpkt_pdu(rdpRdp* rdp, STREAM* s)
switch (pduType)
{
case PDU_TYPE_DATA:
rdp_recv_data_pdu(rdp, s);
if (!rdp_recv_data_pdu(rdp, s))
return false;
break;
case PDU_TYPE_DEACTIVATE_ALL:


@ -179,7 +179,7 @@ boolean rdp_send_pdu(rdpRdp* rdp, STREAM* s, uint16 type, uint16 channel_id);
STREAM* rdp_data_pdu_init(rdpRdp* rdp);
boolean rdp_send_data_pdu(rdpRdp* rdp, STREAM* s, uint8 type, uint16 channel_id);
void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s);
boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s);
boolean rdp_send(rdpRdp* rdp, STREAM* s, uint16 channel_id);
void rdp_recv(rdpRdp* rdp);


@ -32,7 +32,7 @@ static const char* const UPDATE_TYPE_STRINGS[] =
};
*/
void update_recv_orders(rdpUpdate* update, STREAM* s)
boolean update_recv_orders(rdpUpdate* update, STREAM* s)
{
uint16 numberOrders;
@ -42,9 +42,12 @@ void update_recv_orders(rdpUpdate* update, STREAM* s)
while (numberOrders > 0)
{
update_recv_order(update, s);
if (!update_recv_order(update, s))
return false;
numberOrders--;
}
return true;
}
void update_read_bitmap_data(STREAM* s, BITMAP_DATA* bitmap_data)
@ -243,7 +246,7 @@ void update_recv_pointer(rdpUpdate* update, STREAM* s)
}
}
void update_recv(rdpUpdate* update, STREAM* s)
boolean update_recv(rdpUpdate* update, STREAM* s)
{
uint16 updateType;
rdpContext* context = update->context;
@ -257,7 +260,11 @@ void update_recv(rdpUpdate* update, STREAM* s)
switch (updateType)
{
case UPDATE_TYPE_ORDERS:
update_recv_orders(update, s);
if (!update_recv_orders(update, s))
{
/* XXX: Do we have to call EndPaint? */
return false;
}
break;
case UPDATE_TYPE_BITMAP:
@ -287,10 +294,13 @@ void update_recv(rdpUpdate* update, STREAM* s)
rdp_read_share_control_header(s, &length, &pduType, &source);
if (pduType != PDU_TYPE_DATA)
return;
return false;
rdp_recv_data_pdu(update->context->rdp, s);
if (!rdp_recv_data_pdu(update->context->rdp, s))
return false;
}
return true;
}
void update_reset_state(rdpUpdate* update)
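Review bot: The two `XXX` comments (in update_recv here and in fastpath_recv_updates) leave open whether EndPaint must run on the failure path, and the early `return false` currently skips it. If BeginPaint has already been invoked earlier in the function, which is outside the hunk, the client callbacks see an unpaired BeginPaint whenever the server sends an invalid order. Either call `IFCALL(update->EndPaint, context);` before `return false;`, or replace the XXX with a comment stating why the pairing no longer matters once the connection is being dropped.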


@ -44,7 +44,7 @@ void update_read_bitmap(rdpUpdate* update, STREAM* s, BITMAP_UPDATE* bitmap_upda
void update_read_palette(rdpUpdate* update, STREAM* s, PALETTE_UPDATE* palette_update);
void update_recv_play_sound(rdpUpdate* update, STREAM* s);
void update_recv_pointer(rdpUpdate* update, STREAM* s);
void update_recv(rdpUpdate* update, STREAM* s);
boolean update_recv(rdpUpdate* update, STREAM* s);
void update_read_pointer_position(STREAM* s, POINTER_POSITION_UPDATE* pointer_position);
void update_read_pointer_system(STREAM* s, POINTER_SYSTEM_UPDATE* pointer_system);