mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[core,capabilities] check TS_BITMAPCACHE_CAPABILITYSET_REV2

Browse Source 
Check value of TS_BITMAPCACHE_CAPABILITYSET_REV2::numCellCaches for out
of range.
This commit is contained in:
akallabeth 2024-04-23 08:39:39 +02:00 committed by akallabeth
parent fed8943447
commit 449e8b82f1
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
libfreerdp/core/capabilities.c
View File

@ -2001,13 +2001,27 @@ static BOOL rdp_read_bitmap_cache_v2_capability_set(wStream* s, rdpSettings* set
Stream_Seek_UINT8(s); /* pad2 (1 byte) */ Stream_Seek_UINT8(s); /* pad2 (1 byte) */
Stream_Read_UINT8(s, settings->BitmapCacheV2NumCells); /* numCellCaches (1 byte) */ Stream_Read_UINT8(s, settings->BitmapCacheV2NumCells); /* numCellCaches (1 byte) */
for (size_t x = 0; x < 5; x++) if (settings->BitmapCacheV2NumCells > 5)
{
WLog_ERR(TAG, "Invalid TS_BITMAPCACHE_CAPABILITYSET_REV2::numCellCaches %" PRIu32 " > 5",
settings->BitmapCacheV2NumCells);
return FALSE;
}
for (size_t x = 0; x < settings->BitmapCacheV2NumCells; x++)
{ {
BITMAP_CACHE_V2_CELL_INFO* info = BITMAP_CACHE_V2_CELL_INFO* info =
freerdp_settings_get_pointer_array_writable(settings, FreeRDP_BitmapCacheV2CellInfo, x); freerdp_settings_get_pointer_array_writable(settings, FreeRDP_BitmapCacheV2CellInfo, x);
if (!rdp_read_bitmap_cache_cell_info(s, info)) if (!rdp_read_bitmap_cache_cell_info(s, info))
return FALSE; return FALSE;
} }
/* Input must always have 5 BitmapCacheV2CellInfo values */
for (size_t x = settings->BitmapCacheV2NumCells; x < 5; x++)
{
if (!Stream_SafeSeek(s, 4))
return FALSE;
}
Stream_Seek(s, 12); /* pad3 (12 bytes) */ Stream_Seek(s, 12); /* pad3 (12 bytes) */
return TRUE; return TRUE;
} }