mirrors
/
FreeRDP
mirror of https://github.com/FreeRDP/FreeRDP
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

wlfreerdp: Fix array overrun 

This fixes the following defects reported by covscan tool:
 - client/Wayland/wlf_input.c:251: overrun-local: Overrunning array "contacts" of 10 32-byte elements at element index 10 (byte offset 351) using index "i" (which evaluates to 10).
 - client/Wayland/wlf_input.c:308: overrun-local: Overrunning array "contacts" of 10 32-byte elements at element index 10 (byte offset 351) using index "i" (which evaluates to 10).
 - client/Wayland/wlf_input.c:360: overrun-local: Overrunning array "contacts" of 10 32-byte elements at element index 10 (byte offset 351) using index "i" (which evaluates to 10).
 - client/Wayland/wlf_input.c:251: error[arrayIndexOutOfBounds]: Array 'contacts[10]' accessed at index 10, which is out of bounds.
 - client/Wayland/wlf_input.c:308: error[arrayIndexOutOfBounds]: Array 'contacts[10]' accessed at index 10, which is out of bounds.
 - client/Wayland/wlf_input.c:360: error[arrayIndexOutOfBounds]: Array 'contacts[10]' accessed at index 10, which is out of bounds.
 - client/Wayland/wlf_input.c:246: uninit_use_in_call: Using uninitialized value "y" when calling "wlf_scale_coordinates".
 - client/Wayland/wlf_input.c:246: uninit_use_in_call: Using uninitialized value "x" when calling "wlf_scale_coordinates".

The maximal number of touches can be higher then 10, see:
https://wayland.freedesktop.org/libinput/doc/latest/touchpads.html

Let's increse the MAX_CONTACTS count and add checks to prevent usage of
uninitialized values.
This commit is contained in:
Ondrej Holy 2020-06-03 12:03:44 +02:00 committed by akallabeth
parent 230d83b319
commit ac114d45c7
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
client/Wayland/wlf_input.c
View File

@ -30,7 +30,7 @@
#define TAG CLIENT_TAG("wayland.input")
#define MAX_CONTACTS 10
#define MAX_CONTACTS 20
typedef struct touch_contact
{
@ -241,6 +241,9 @@ BOOL wlf_handle_touch_up(freerdp* instance, const UwacTouchUp* ev)
}
}
if (i == MAX_CONTACTS)
return FALSE;
WLog_DBG(TAG, "%s called | event_id: %u | x: %u / y: %u", __FUNCTION__, touchId, x, y);
if (!wlf_scale_coordinates(instance->context, &x, &y, TRUE))
@ -282,8 +285,6 @@ BOOL wlf_handle_touch_down(freerdp* instance, const UwacTouchDown* ev)
y = ev->y;
touchId = ev->id;
WLog_DBG(TAG, "%s called | event_id: %u | x: %u / y: %u", __FUNCTION__, touchId, x, y);
for (i = 0; i < MAX_CONTACTS; i++)
{
if (contacts[i].id == 0)
@ -296,6 +297,11 @@ BOOL wlf_handle_touch_down(freerdp* instance, const UwacTouchDown* ev)
}
}
if (i == MAX_CONTACTS)
return FALSE;
WLog_DBG(TAG, "%s called | event_id: %u | x: %u / y: %u", __FUNCTION__, touchId, x, y);
if (!wlf_scale_coordinates(instance->context, &x, &y, TRUE))
return FALSE;
@ -350,6 +356,9 @@ BOOL wlf_handle_touch_motion(freerdp* instance, const UwacTouchMotion* ev)
}
}
if (i == MAX_CONTACTS)
return FALSE;
WLog_DBG(TAG, "%s called | event_id: %u | x: %u / y: %u", __FUNCTION__, touchId, x, y);
if (!wlf_scale_coordinates(instance->context, &x, &y, TRUE))