Set checks to be strict and also check xorBpp field

This patch:
* renames bpp to xorBpp;
* makes the mask length checks strict;
* adds checks on the xorBpp field.
Hardening 2014-05-29 00:12:48 +02:00
parent 532c42052a
commit 640b901396
2 changed files with 10 additions and 5 deletions


@ -286,7 +286,7 @@ BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_syste
return TRUE; return TRUE;
} }
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp) BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp)
{ {
BYTE *newMask; BYTE *newMask;
int scanlineSize; int scanlineSize;
@ -342,9 +342,9 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
if (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask) if (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask)
return FALSE; return FALSE;
scanlineSize = (7 + bpp * pointer_color->width) / 8; scanlineSize = (7 + xorBpp * pointer_color->width) / 8;
scanlineSize = ((scanlineSize + 1) / 2) * 2; scanlineSize = ((scanlineSize + 1) / 2) * 2;
if (scanlineSize * pointer_color->height > pointer_color->lengthXorMask) if (scanlineSize * pointer_color->height != pointer_color->lengthXorMask)
{ {
fprintf(stderr, "%s: invalid lengthXorMask: width=%d height=%d, %d instead of %d\n", __FUNCTION__, fprintf(stderr, "%s: invalid lengthXorMask: width=%d height=%d, %d instead of %d\n", __FUNCTION__,
pointer_color->width, pointer_color->height, pointer_color->width, pointer_color->height,
@ -375,7 +375,7 @@ BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color,
scanlineSize = ((7 + pointer_color->width) / 8); scanlineSize = ((7 + pointer_color->width) / 8);
scanlineSize = ((1 + scanlineSize) / 2) * 2; scanlineSize = ((1 + scanlineSize) / 2) * 2;
if (scanlineSize * pointer_color->height > pointer_color->lengthAndMask) if (scanlineSize * pointer_color->height != pointer_color->lengthAndMask)
{ {
fprintf(stderr, "%s: invalid lengthAndMask: %d instead of %d\n", __FUNCTION__, fprintf(stderr, "%s: invalid lengthAndMask: %d instead of %d\n", __FUNCTION__,
pointer_color->lengthAndMask, scanlineSize * pointer_color->height); pointer_color->lengthAndMask, scanlineSize * pointer_color->height);
@ -403,6 +403,11 @@ BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new)
return FALSE; return FALSE;
Stream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */ Stream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */
if ((pointer_new->xorBpp < 0) || (pointer_new->xorBpp > 32))
{
fprintf(stderr, "%s: invalid xorBpp %d\n", __FUNCTION__, pointer_new->xorBpp);
return FALSE;
}
return update_read_pointer_color(s, &pointer_new->colorPtrAttr, pointer_new->xorBpp); /* colorPtrAttr */ return update_read_pointer_color(s, &pointer_new->colorPtrAttr, pointer_new->xorBpp); /* colorPtrAttr */
} }
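Review bot: The new xorBpp guard in update_read_pointer_new still accepts 0, and its `pointer_new->xorBpp < 0` half can never fire if the field is unsigned, which the `Stream_Read_UINT16` read suggests (the declaration is not on this page). With xorBpp == 0 the XOR scanline size computed in update_read_pointer_color becomes 0, so rejection is left to the later length comparison instead of this check; `if ((pointer_new->xorBpp < 1) || (pointer_new->xorBpp > 32))` would reject it here. Relatedly, the now-strict `scanlineSize * pointer_color->height != pointer_color->lengthXorMask` test is only as strong as the multiplication: unless width and height are bounded earlier in the function (not visible in these hunks), the product can overflow and still equal the advertised length, so a cap on both dimensions or a wider type for the product is worth adding. update_read_pointer_new begins above the hunk.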


@ -53,7 +53,7 @@ BOOL update_recv(rdpUpdate* update, wStream* s);
BOOL update_read_pointer_position(wStream* s, POINTER_POSITION_UPDATE* pointer_position); BOOL update_read_pointer_position(wStream* s, POINTER_POSITION_UPDATE* pointer_position);
BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_system); BOOL update_read_pointer_system(wStream* s, POINTER_SYSTEM_UPDATE* pointer_system);
BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int bpp); BOOL update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, int xorBpp);
BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new); BOOL update_read_pointer_new(wStream* s, POINTER_NEW_UPDATE* pointer_new);
BOOL update_read_pointer_cached(wStream* s, POINTER_CACHED_UPDATE* pointer_cached); BOOL update_read_pointer_cached(wStream* s, POINTER_CACHED_UPDATE* pointer_cached);