Set checks to be strict and also check xorBpp field
This patch: * renames bpp to xorBpp ; * changes checks to strict ; * adds checks on the xorBpp field
This commit is contained in:
parent
532c42052a
commit
640b901396
@ -286,7 +286,7 @@ BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_syste
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp)
|
||||
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp)
|
||||
{
|
||||
BYTE *newMask;
|
||||
int scanlineSize;
|
||||
@ -342,9 +342,9 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
|
||||
if (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask)
|
||||
return FALSE;
|
||||
|
||||
scanlineSize = (7 + bpp * pointer_color->width) / 8;
|
||||
scanlineSize = (7 + xorBpp * pointer_color->width) / 8;
|
||||
scanlineSize = ((scanlineSize + 1) / 2) * 2;
|
||||
if (scanlineSize * pointer_color->height > pointer_color->lengthXorMask)
|
||||
if (scanlineSize * pointer_color->height != pointer_color->lengthXorMask)
|
||||
{
|
||||
fprintf(stderr, "%s: invalid lengthXorMask: width=%d height=%d, %d instead of %d\n", __FUNCTION__,
|
||||
pointer_color->width, pointer_color->height,
|
||||
@ -375,7 +375,7 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
|
||||
|
||||
scanlineSize = ((7 + pointer_color->width) / 8);
|
||||
scanlineSize = ((1 + scanlineSize) / 2) * 2;
|
||||
if (scanlineSize * pointer_color->height > pointer_color->lengthAndMask)
|
||||
if (scanlineSize * pointer_color->height != pointer_color->lengthAndMask)
|
||||
{
|
||||
fprintf(stderr, "%s: invalid lengthAndMask: %d instead of %d\n", __FUNCTION__,
|
||||
pointer_color->lengthAndMask, scanlineSize * pointer_color->height);
|
||||
@ -403,6 +403,11 @@ BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new)
|
||||
return FALSE;
|
||||
|
||||
Stream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */
|
||||
if ((pointer_new->xorBpp < 0) || (pointer_new->xorBpp > 32))
|
||||
{
|
||||
fprintf(stderr, "%s: invalid xorBpp %d\n", __FUNCTION__, pointer_new->xorBpp);
|
||||
return FALSE;
|
||||
}
|
||||
return update_read_pointer_color(s, &pointer_new->colorPtrAttr, pointer_new->xorBpp); /* colorPtrAttr */
|
||||
}
|
||||
|
||||
|
@ -53,7 +53,7 @@ BOOL update_recv(rdpUpdate* update, wStream* s);
|
||||
|
||||
BOOL update_read_pointer_position(wStream* s, POINTER_POSITION_UPDATE* pointer_position);
|
||||
BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_system);
|
||||
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp);
|
||||
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp);
|
||||
BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new);
|
||||
BOOL update_read_pointer_cached(wStream* s, POINTER_CACHED_UPDATE* pointer_cached);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user