From 640b90139622c9a8ac8a959066ef9d0c09936876 Mon Sep 17 00:00:00 2001
From: Hardening
Date: Thu, 29 May 2014 00:12:48 +0200
Subject: [PATCH] Set checks to be strict and also check xorBpp field
This patch:
* renames bpp to xorBpp ;
* changes checks to strict ;
* adds checks on the xorBpp field
---
 libfreerdp/core/update.c | 13 +++++++++----
 libfreerdp/core/update.h | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libfreerdp/core/update.c b/libfreerdp/core/update.c
index 462ef7046..f4149a24c 100644
--- a/libfreerdp/core/update.c
+++ b/libfreerdp/core/update.c
@@ -286,7 +286,7 @@ BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_syste
 return TRUE;
 }
-BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp)
+BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp)
 {
 BYTE *newMask;
 int scanlineSize;
@@ -342,9 +342,9 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
 if (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask) return FALSE;
- scanlineSize = (7 + bpp * pointer_color->width) / 8;
+ scanlineSize = (7 + xorBpp * pointer_color->width) / 8;
 scanlineSize = ((scanlineSize + 1) / 2) * 2;
- if (scanlineSize * pointer_color->height > pointer_color->lengthXorMask)
+ if (scanlineSize * pointer_color->height != pointer_color->lengthXorMask)
 {
 fprintf(stderr, "%s: invalid lengthXorMask: width=%d height=%d, %d instead of %d\n", __FUNCTION__, pointer_color->width, pointer_color->height,
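Review bot: The strict length test in the `@@ -342` hunk compares an `int` product, `scanlineSize * pointer_color->height`, against `lengthXorMask`, and nothing in the hunk bounds the operands. If width and height are 16-bit values taken from the stream and are not range-checked earlier in update_read_pointer_color (the function starts and ends outside this hunk), a 32 bpp pointer can push the product past INT_MAX, which is undefined behaviour and makes the equality check unreliable. Doing the multiplication in a wider unsigned type removes that dependency, e.g. `if ((UINT64) scanlineSize * pointer_color->height != pointer_color->lengthXorMask)`. The parallel check on `lengthAndMask` in the `@@ -375` hunk uses a 1 bpp scanline, so its product stays in range for 16-bit dimensions.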
@@ -375,7 +375,7 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
 scanlineSize = ((7 + pointer_color->width) / 8);
 scanlineSize = ((1 + scanlineSize) / 2) * 2;
- if (scanlineSize * pointer_color->height > pointer_color->lengthAndMask)
+ if (scanlineSize * pointer_color->height != pointer_color->lengthAndMask)
 {
 fprintf(stderr, "%s: invalid lengthAndMask: %d instead of %d\n", __FUNCTION__, pointer_color->lengthAndMask, scanlineSize * pointer_color->height);
@@ -403,6 +403,11 @@ BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new)
 return FALSE;
 Stream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */
+ if ((pointer_new->xorBpp < 0) || (pointer_new->xorBpp > 32))
+ {
+ fprintf(stderr, "%s: invalid xorBpp %d\n", __FUNCTION__, pointer_new->xorBpp);
+ return FALSE;
+ }
 return update_read_pointer_color(s, &pointer_new->colorPtrAttr, pointer_new->xorBpp); /* colorPtrAttr */
 }
diff --git a/libfreerdp/core/update.h b/libfreerdp/core/update.h
index 8969f78ce..c67d04fc3 100644
--- a/libfreerdp/core/update.h
+++ b/libfreerdp/core/update.h
@@ -53,7 +53,7 @@ BOOL update_recv(rdpUpdate* update, wStream* s);
 BOOL update_read_pointer_position(wStream* s, POINTER_POSITION_UPDATE* pointer_position);
 BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_system);
-BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp);
+BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp);
 BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new);
 BOOL update_read_pointer_cached(wStream* s, POINTER_CACHED_UPDATE* pointer_cached);
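Review bot: The lower bound of the new range check in update_read_pointer_new (`@@ -403` hunk) looks ineffective. xorBpp is filled by Stream_Read_UINT16, so if the field is declared unsigned (its declaration is not part of this diff) `pointer_new->xorBpp < 0` can never be true, and a depth of 0 is passed on to update_read_pointer_color. A tighter guard would be `if ((pointer_new->xorBpp < 1) || (pointer_new->xorBpp > 32))`. The check also accepts every value in between, such as 3 or 7; whether the code that later consumes the XOR mask handles depths other than the ones the protocol defines is not visible here, so an explicit list of supported depths may be the safer form.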