From c7337f4b6bef30c93c53838d9934a580263e772e Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Thu, 28 Nov 2019 08:08:30 +0100
Subject: [PATCH] Added data length check for RDP_CODEC_ID_NONE

---
 client/X11/xf_gdi.c  | 9 ++++++++-
 libfreerdp/gdi/gdi.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/client/X11/xf_gdi.c b/client/X11/xf_gdi.c
index 218e1c9d4..6346313bf 100644
--- a/client/X11/xf_gdi.c
+++ b/client/X11/xf_gdi.c
@@ -1026,6 +1026,7 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
 	BOOL ret = FALSE;
 	DWORD format;
 	rdpGdi* gdi;
+	size_t size;
 	REGION16 region;
 	RECTANGLE_16 cmdRect;
 
@@ -1065,6 +1066,13 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
 		case RDP_CODEC_ID_NONE:
 			pSrcData = cmd->bmp.bitmapData;
 			format = gdi_get_pixel_format(cmd->bmp.bpp);
+			size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
+			if (size > cmd->bmp.bitmapDataLength)
+			{
+				WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
+				         cmd->bmp.bitmapDataLength, size);
+				goto fail;
+			}
 
 			if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
 			                        cmd->destTop, cmd->bmp.width, cmd->bmp.height, pSrcData, format,
@@ -1076,7 +1084,6 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
 
 		default:
 			WLog_ERR(TAG, "Unsupported codecID %" PRIu16 "", cmd->bmp.codecID);
-			ret = TRUE;
 			goto fail;
 	}
 
diff --git a/libfreerdp/gdi/gdi.c b/libfreerdp/gdi/gdi.c
index bcb2eee08..d2dd7ef8e 100644
--- a/libfreerdp/gdi/gdi.c
+++ b/libfreerdp/gdi/gdi.c
@@ -1001,6 +1001,7 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
 	BOOL result = FALSE;
 	DWORD format;
 	rdpGdi* gdi;
+	size_t size;
 	REGION16 region;
 	RECTANGLE_16 cmdRect;
 	UINT32 i, nbRects;
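Review bot: The new `size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);` in the xf_gdi.c hunk at +1066 is evaluated in `int` before the value ever reaches `size_t`, and the gdi.c hunk at +1056 carries the identical line: if `width` and `height` are 16-bit fields (their declaration is not in the hunk), 65535 × 65535 overflows signed int, which is undefined behaviour, so the guard can be defeated by the very input it is meant to reject. Widen from the first operand and keep the result in 64 bits so that no product of two 16-bit values and a per-pixel byte count can wrap on any target: `UINT64 size;`, `size = (UINT64)cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);`, and `" bytes, require %" PRIu64` in the log call. A second gap: if `GetBytesPerPixel` returns 0 for a format that `gdi_get_pixel_format` does not recognise (I cannot confirm that from the hunk), `size` is 0 and the check accepts any `bitmapDataLength`, so rejecting a zero bytes-per-pixel value before the multiplication would close it. Both `xf_gdi_surface_bits` and `gdi_surface_bits` begin and end outside their hunks.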
@@ -1055,7 +1056,13 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
 		case RDP_CODEC_ID_NONE:
 			format = gdi_get_pixel_format(cmd->bmp.bpp);
-
+			size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
+			if (size > cmd->bmp.bitmapDataLength)
+			{
+				WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
+				         cmd->bmp.bitmapDataLength, size);
+				goto out;
+			}
 
 			if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
 			                        cmd->destTop, cmd->bmp.width, cmd->bmp.height, cmd->bmp.bitmapData, format,
 			                        0, 0, 0, &gdi->palette,