rail: stream size checks and rail_read_sysparam_order fixes

2019-12-04 15:25:08 +01:00 · 2019-12-04 15:25:08 +01:00 · 5565b366b0
parent 2d3d882de9
commit 5565b366b0
2 changed files with 76 additions and 26 deletions
--- a/channels/rail/rail_common.c
+++ b/channels/rail/rail_common.c
@ -186,8 +186,12 @@ static UINT rail_read_high_contrast(wStream* s, RAIL_HIGH_CONTRAST* highContrast
 	if (!s || !highContrast)
 		return ERROR_INVALID_PARAMETER;

-	Stream_Read_UINT32(s, highContrast->flags);                   /* flags (4 bytes) */
-	Stream_Read_UINT32(s, highContrast->colorSchemeLength);       /* colorSchemeLength (4 bytes) */
+	if (Stream_GetRemainingLength(s) < 8)
+		return ERROR_INVALID_DATA;
+
+	Stream_Read_UINT32(s, highContrast->flags);             /* flags (4 bytes) */
+	Stream_Read_UINT32(s, highContrast->colorSchemeLength); /* colorSchemeLength (4 bytes) */
+
 	if (!rail_read_unicode_string(s, &highContrast->colorScheme)) /* colorScheme */
 		return ERROR_INTERNAL_ERROR;
 	return CHANNEL_RC_OK;
@ -214,6 +218,27 @@ static UINT rail_write_high_contrast(wStream* s, const RAIL_HIGH_CONTRAST* highC
 	return rail_write_unicode_string(s, &highContrast->colorScheme); /* colorScheme */
 }

+/**
+ * Function description
+ *
+ * @return 0 on success, otherwise a Win32 error code
+ */
+static UINT rail_read_filterkeys(wStream* s, TS_FILTERKEYS* filterKeys)
+{
+	if (!s || !filterKeys)
+		return ERROR_INVALID_PARAMETER;
+
+	if (Stream_GetRemainingLength(s) < 20)
+		return ERROR_INVALID_DATA;
+
+	Stream_Read_UINT32(s, filterKeys->Flags);
+	Stream_Read_UINT32(s, filterKeys->WaitTime);
+	Stream_Read_UINT32(s, filterKeys->DelayTime);
+	Stream_Read_UINT32(s, filterKeys->RepeatTime);
+	Stream_Read_UINT32(s, filterKeys->BounceTime);
+	return CHANNEL_RC_OK;
+}
+
 /**
 * Function description
 *
@ -256,30 +281,38 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex

 	Stream_Read_UINT32(s, sysparam->param); /* systemParam (4 bytes) */

+	sysparam->params = 0; /* bitflags of received params */
+
 	switch (sysparam->param)
 	{
 		/* Client sysparams */
 		case SPI_SET_DRAG_FULL_WINDOWS:
+			sysparam->params |= SPI_MASK_SET_DRAG_FULL_WINDOWS;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->dragFullWindows = body != 0;
 			break;

 		case SPI_SET_KEYBOARD_CUES:
+			sysparam->params |= SPI_MASK_SET_KEYBOARD_CUES;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->keyboardCues = body != 0;
 			break;

 		case SPI_SET_KEYBOARD_PREF:
+			sysparam->params |= SPI_MASK_SET_KEYBOARD_PREF;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->keyboardPref = body != 0;
 			break;

 		case SPI_SET_MOUSE_BUTTON_SWAP:
+			sysparam->params |= SPI_MASK_SET_MOUSE_BUTTON_SWAP;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->mouseButtonSwap = body != 0;
 			break;

 		case SPI_SET_WORK_AREA:
+			sysparam->params |= SPI_MASK_SET_WORK_AREA;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@ -293,6 +326,8 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;

 		case SPI_DISPLAY_CHANGE:
+			sysparam->params |= SPI_MASK_DISPLAY_CHANGE;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@ -306,6 +341,8 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;

 		case SPI_TASKBAR_POS:
+			sysparam->params |= SPI_MASK_TASKBAR_POS;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@ -319,6 +356,7 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;

 		case SPI_SET_HIGH_CONTRAST:
+			sysparam->params |= SPI_MASK_SET_HIGH_CONTRAST;
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@ -329,7 +367,9 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;

 		case SPI_SETCARETWIDTH:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_CARET_WIDTH;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;

 			if (Stream_GetRemainingLength(s) < 4)
@ -346,7 +386,9 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;

 		case SPI_SETSTICKYKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_STICKY_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;

 			if (Stream_GetRemainingLength(s) < 4)
@ -355,11 +397,13 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}

-			Stream_Write_UINT32(s, sysparam->stickyKeys);
+			Stream_Read_UINT32(s, sysparam->stickyKeys);
 			break;

 		case SPI_SETTOGGLEKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_TOGGLE_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;

 			if (Stream_GetRemainingLength(s) < 4)
@ -368,11 +412,13 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}

-			Stream_Write_UINT32(s, sysparam->toggleKeys);
+			Stream_Read_UINT32(s, sysparam->toggleKeys);
 			break;

 		case SPI_SETFILTERKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_FILTER_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;

 			if (Stream_GetRemainingLength(s) < 20)
@ -381,16 +427,20 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}

-			error = rail_write_filterkeys(s, &sysparam->filterKeys);
+			error = rail_read_filterkeys(s, &sysparam->filterKeys);
 			break;

 		/* Server sysparams */
 		case SPI_SETSCREENSAVEACTIVE:
+			sysparam->params |= SPI_MASK_SET_SCREEN_SAVE_ACTIVE;
+
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->setScreenSaveActive = body != 0;
 			break;

 		case SPI_SETSCREENSAVESECURE:
+			sysparam->params |= SPI_MASK_SET_SET_SCREEN_SAVE_SECURE;
+
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->setScreenSaveSecure = body != 0;
 			break;
--- a/channels/rail/server/rail_main.c
+++ b/channels/rail/server/rail_main.c
@ -105,15 +105,15 @@ static UINT rail_write_min_max_info_order(wStream* s, const RAIL_MINMAXINFO_ORDE
 	if (!s || !minMaxInfo)
 		return ERROR_INVALID_PARAMETER;

-	Stream_Write_UINT32(s, minMaxInfo->windowId);       /* WindowId (4 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxWidth);       /* MaxWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxHeight);      /* MaxHeight (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxPosX);        /* MaxPosX (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxPosY);        /* MaxPosY (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->minTrackWidth);  /* MinTrackWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->minTrackHeight); /* MinTrackHeight (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxTrackWidth);  /* MaxTrackWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxTrackHeight); /* MaxTrackHeight (2 bytes) */
+	Stream_Write_UINT32(s, minMaxInfo->windowId);      /* WindowId (4 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxWidth);       /* MaxWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxHeight);      /* MaxHeight (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxPosX);        /* MaxPosX (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxPosY);        /* MaxPosY (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->minTrackWidth);  /* MinTrackWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->minTrackHeight); /* MinTrackHeight (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxTrackWidth);  /* MaxTrackWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxTrackHeight); /* MaxTrackHeight (2 bytes) */
 	return ERROR_SUCCESS;
 }

@ -796,10 +796,10 @@ static UINT rail_read_window_move_order(wStream* s, RAIL_WINDOW_MOVE_ORDER* wind
 		return ERROR_INVALID_DATA;

 	Stream_Read_UINT32(s, windowMove->windowId); /* WindowId (4 bytes) */
-	Stream_Read_UINT16(s, windowMove->left);     /* Left (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->top);      /* Top (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->right);    /* Right (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->bottom);   /* Bottom (2 bytes) */
+	Stream_Read_INT16(s, windowMove->left);      /* Left (2 bytes) */
+	Stream_Read_INT16(s, windowMove->top);       /* Top (2 bytes) */
+	Stream_Read_INT16(s, windowMove->right);     /* Right (2 bytes) */
+	Stream_Read_INT16(s, windowMove->bottom);    /* Bottom (2 bytes) */
 	return CHANNEL_RC_OK;
 }

@ -814,10 +814,10 @@ static UINT rail_read_snap_arange_order(wStream* s, RAIL_SNAP_ARRANGE* snapArran
 		return ERROR_INVALID_DATA;

 	Stream_Read_UINT32(s, snapArrange->windowId); /* WindowId (4 bytes) */
-	Stream_Read_UINT16(s, snapArrange->left);     /* Left (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->top);      /* Top (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->right);    /* Right (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->bottom);   /* Bottom (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->left);      /* Left (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->top);       /* Top (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->right);     /* Right (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->bottom);    /* Bottom (2 bytes) */
 	return CHANNEL_RC_OK;
 }