channels/cliprdr: avoid possible integer overflow

If the server sends us garbage (or the client provides it) then it is possible for the multiplication to overflow (as it is performed on unsigned 32-bit values) which will result in a false positive failure of the sanity check. Avoid it by rearranging arithmetics a little. Keep the multiplication in the error message because we are interested in the number of bytes in the stream and how it compares to the number we have expected based on the presumed file count.
2017-06-01 16:05:07 +03:00 · 2017-06-01 16:05:07 +03:00 · 75fa3ad2a0
commit 75fa3ad2a0
parent 987d7dd886
1 changed files with 3 additions and 3 deletions
--- a/channels/cliprdr/client/cliprdr_format.c
+++ b/channels/cliprdr/client/cliprdr_format.c
@ -393,10 +393,10 @@ UINT cliprdr_parse_file_list(const BYTE* format_data, UINT32 format_data_length,

 	Stream_Read_UINT32(s, count); /* cItems (4 bytes) */

-	if (Stream_GetRemainingLength(s) < count * CLIPRDR_FILEDESCRIPTOR_SIZE)
+	if (Stream_GetRemainingLength(s) / CLIPRDR_FILEDESCRIPTOR_SIZE < count)
 	{
-		WLog_ERR(TAG, "packed file list is too short: expected %"PRIu32", have %"PRIuz,
-			count * CLIPRDR_FILEDESCRIPTOR_SIZE,
+		WLog_ERR(TAG, "packed file list is too short: expected %"PRIuz", have %"PRIuz,
+			((size_t) count) * CLIPRDR_FILEDESCRIPTOR_SIZE,
 			Stream_GetRemainingLength(s));

 		result = ERROR_INCORRECT_SIZE;