From f422ea2e56e96cadec4e1e53a9e9185e7dc871f6 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 3 Jun 2024 16:45:39 +0200
Subject: [PATCH] [core,gcc] check for channelMaxCount violations

---
 libfreerdp/core/gcc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libfreerdp/core/gcc.c b/libfreerdp/core/gcc.c
index 1e3b32632..4bce4e2b6 100644
--- a/libfreerdp/core/gcc.c
+++ b/libfreerdp/core/gcc.c
@@ -1932,6 +1932,13 @@ BOOL gcc_read_server_network_data(wStream* s, rdpMcs* mcs)
 	if (!Stream_CheckAndLogRequiredLengthOfSize(TAG, s, channelCount, 2ull))
 		return FALSE;
 
+	if (mcs->channelMaxCount < parsedChannelCount)
+	{
+		WLog_ERR(TAG, "requested %" PRIu32 " channels > channelMaxCount %" PRIu16,
+		         mcs->channelCount, mcs->channelMaxCount);
+		return FALSE;
+	}
+
 	for (UINT32 i = 0; i < parsedChannelCount; i++)
 	{
 		rdpMcsChannel* channel = &mcs->channels[i];