mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed oob read in parallel_process_irp_write

Browse Source
This commit is contained in:
akallabeth 2020-04-15 17:05:10 +02:00
parent 8241ab42fd
commit 917daa8b56
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
channels/parallel/client/parallel_main.c
View File

@ -201,14 +201,22 @@ static UINT parallel_process_irp_write(PARALLEL_DEVICE* parallel, IRP* irp)
UINT32 Length;
UINT64 Offset;
ssize_t status;
void* ptr;
if (Stream_GetRemainingLength(irp->input) > 12)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, Length);
Stream_Read_UINT64(irp->input, Offset);
Stream_Seek(irp->input, 20); /* Padding */
if (!Stream_SafeSeek(irp->input, 20)) /* Padding */
return ERROR_INVALID_DATA;
ptr = Stream_Pointer(irp->input);
if (!Stream_SafeSeek(irp->input, Length))
return ERROR_INVALID_DATA;
len = Length;
while (len > 0)
{
status = write(parallel->file, Stream_Pointer(irp->input), len);
status = write(parallel->file, ptr, len);
if (status < 0)
{