From dd0d0f0bdb61f279ac9b13d6c4d9a7d8757eb4c8 Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Sun, 18 Mar 2012 12:34:08 -0700 Subject: [PATCH] libfreerdp-core: fix for cursor hot spot out of range --- libfreerdp-core/update.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libfreerdp-core/update.c b/libfreerdp-core/update.c index 17122adc8..c828b2214 100644 --- a/libfreerdp-core/update.c +++ b/libfreerdp-core/update.c @@ -175,6 +175,17 @@ void update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color) stream_read_uint16(s, pointer_color->lengthAndMask); /* lengthAndMask (2 bytes) */ stream_read_uint16(s, pointer_color->lengthXorMask); /* lengthXorMask (2 bytes) */ + /** + * There does not seem to be any documentation on why + * xPos / yPos can be larger than width / height + * so it is missing in documentation or a bug in implementation + * 2.2.9.1.1.4.4 Color Pointer Update (TS_COLORPOINTERATTRIBUTE) + */ + if (pointer_color->xPos >= pointer_color->width) + pointer_color->xPos = 0; + if (pointer_color->yPos >= pointer_color->height) + pointer_color->yPos = 0; + if (pointer_color->lengthXorMask > 0) { pointer_color->xorMaskData = (uint8*) xmalloc(pointer_color->lengthXorMask);