libfreerdp-core: replace usage of Stream_GetPointer() by Stream_GetPosition() in potentially unsafe places

Marc-André Moreau 2013-05-15 14:42:37 -04:00
parent 5c37356506
commit fc592a1750
5 changed files with 89 additions and 81 deletions


@ -124,27 +124,27 @@ void rdp_write_capability_set_header(wStream* s, UINT16 length, UINT16 type)
Stream_Write_UINT16(s, length); /* lengthCapability */
}
BYTE* rdp_capability_set_start(wStream* s)
int rdp_capability_set_start(wStream* s)
{
BYTE* header;
int header;
Stream_GetPointer(s, header);
header = Stream_GetPosition(s);
Stream_Zero(s, CAPSET_HEADER_LENGTH);
return header;
}
void rdp_capability_set_finish(wStream* s, BYTE* header, UINT16 type)
void rdp_capability_set_finish(wStream* s, int header, UINT16 type)
{
int footer;
UINT16 length;
BYTE* footer;
footer = s->pointer;
footer = Stream_GetPosition(s);
length = footer - header;
Stream_SetPointer(s, header);
Stream_SetPosition(s, header);
rdp_write_capability_set_header(s, length, type);
Stream_SetPointer(s, footer);
Stream_SetPosition(s, footer);
}
/**
@ -206,7 +206,7 @@ BOOL rdp_read_general_capability_set(wStream* s, UINT16 length, rdpSettings* set
void rdp_write_general_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 extraFlags;
header = rdp_capability_set_start(s);
@ -344,7 +344,7 @@ BOOL rdp_read_bitmap_capability_set(wStream* s, UINT16 length, rdpSettings* sett
void rdp_write_bitmap_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
BYTE drawingFlags = 0;
UINT16 desktopResizeFlag;
UINT16 preferredBitsPerPixel;
@ -484,7 +484,7 @@ BOOL rdp_read_order_capability_set(wStream* s, UINT16 length, rdpSettings* setti
void rdp_write_order_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 orderFlags;
UINT16 orderSupportExFlags;
UINT16 textANSICodePage;
@ -666,8 +666,8 @@ BOOL rdp_read_bitmap_cache_capability_set(wStream* s, UINT16 length, rdpSettings
void rdp_write_bitmap_cache_capability_set(wStream* s, rdpSettings* settings)
{
int bpp;
int header;
UINT16 size;
BYTE* header;
header = rdp_capability_set_start(s);
@ -770,7 +770,7 @@ BOOL rdp_read_control_capability_set(wStream* s, UINT16 length, rdpSettings* set
void rdp_write_control_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -837,7 +837,7 @@ BOOL rdp_read_window_activation_capability_set(wStream* s, UINT16 length, rdpSet
void rdp_write_window_activation_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -914,7 +914,7 @@ BOOL rdp_read_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* set
void rdp_write_pointer_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 colorPointerFlag;
header = rdp_capability_set_start(s);
@ -982,7 +982,7 @@ BOOL rdp_read_share_capability_set(wStream* s, UINT16 length, rdpSettings* setti
void rdp_write_share_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 nodeId;
header = rdp_capability_set_start(s);
@ -1042,7 +1042,7 @@ BOOL rdp_read_color_cache_capability_set(wStream* s, UINT16 length, rdpSettings*
void rdp_write_color_cache_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -1103,7 +1103,7 @@ BOOL rdp_read_sound_capability_set(wStream* s, UINT16 length, rdpSettings* setti
void rdp_write_sound_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 soundFlags;
header = rdp_capability_set_start(s);
@ -1198,7 +1198,7 @@ BOOL rdp_read_input_capability_set(wStream* s, UINT16 length, rdpSettings* setti
void rdp_write_input_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 inputFlags;
header = rdp_capability_set_start(s);
@ -1282,7 +1282,7 @@ BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settin
void rdp_write_font_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -1338,7 +1338,7 @@ BOOL rdp_read_brush_capability_set(wStream* s, UINT16 length, rdpSettings* setti
void rdp_write_brush_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -1419,7 +1419,7 @@ BOOL rdp_read_glyph_cache_capability_set(wStream* s, UINT16 length, rdpSettings*
void rdp_write_glyph_cache_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -1522,7 +1522,7 @@ BOOL rdp_read_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length, r
void rdp_write_offscreen_bitmap_cache_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 offscreenSupportLevel = FALSE;
header = rdp_capability_set_start(s);
@ -1593,7 +1593,7 @@ BOOL rdp_read_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length
void rdp_write_bitmap_cache_host_support_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -1689,7 +1689,7 @@ BOOL rdp_read_bitmap_cache_v2_capability_set(wStream* s, UINT16 length, rdpSetti
void rdp_write_bitmap_cache_v2_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 cacheFlags;
header = rdp_capability_set_start(s);
@ -1784,7 +1784,7 @@ BOOL rdp_read_virtual_channel_capability_set(wStream* s, UINT16 length, rdpSetti
void rdp_write_virtual_channel_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 flags;
header = rdp_capability_set_start(s);
@ -1855,7 +1855,7 @@ BOOL rdp_read_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length, rdp
void rdp_write_draw_nine_grid_cache_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 drawNineGridSupportLevel;
header = rdp_capability_set_start(s);
@ -1952,7 +1952,7 @@ BOOL rdp_read_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length, rdpSe
void rdp_write_draw_gdiplus_cache_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 drawGDIPlusSupportLevel;
UINT32 drawGdiplusCacheLevel;
@ -2029,7 +2029,7 @@ BOOL rdp_read_remote_programs_capability_set(wStream* s, UINT16 length, rdpSetti
void rdp_write_remote_programs_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 railSupportLevel;
header = rdp_capability_set_start(s);
@ -2089,7 +2089,7 @@ BOOL rdp_read_window_list_capability_set(wStream* s, UINT16 length, rdpSettings*
void rdp_write_window_list_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 wndSupportLevel;
header = rdp_capability_set_start(s);
@ -2152,7 +2152,7 @@ BOOL rdp_read_desktop_composition_capability_set(wStream* s, UINT16 length, rdpS
void rdp_write_desktop_composition_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 compDeskSupportLevel;
header = rdp_capability_set_start(s);
@ -2209,7 +2209,7 @@ BOOL rdp_read_multifragment_update_capability_set(wStream* s, UINT16 length, rdp
void rdp_write_multifragment_update_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
@ -2261,7 +2261,7 @@ BOOL rdp_read_large_pointer_capability_set(wStream* s, UINT16 length, rdpSetting
void rdp_write_large_pointer_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT16 largePointerSupportFlags;
header = rdp_capability_set_start(s);
@ -2319,7 +2319,7 @@ BOOL rdp_read_surface_commands_capability_set(wStream* s, UINT16 length, rdpSett
void rdp_write_surface_commands_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 cmdFlags;
header = rdp_capability_set_start(s);
@ -2618,7 +2618,7 @@ void rdp_write_nsc_server_capability_container(wStream* s, rdpSettings* settings
void rdp_write_bitmap_codecs_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
BYTE bitmapCodecCount;
header = rdp_capability_set_start(s);
@ -2786,7 +2786,7 @@ BOOL rdp_read_frame_acknowledge_capability_set(wStream* s, UINT16 length, rdpSet
void rdp_write_frame_acknowledge_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
UINT32 frame_acknowledge;
header = rdp_capability_set_start(s);
@ -2827,10 +2827,11 @@ BOOL rdp_read_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length,
void rdp_write_bitmap_cache_v3_codec_id_capability_set(wStream* s, rdpSettings* settings)
{
BYTE* header;
int header;
header = rdp_capability_set_start(s);
Stream_Write_UINT8(s, settings->BitmapCacheV3CodecId);
rdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID);
}
@ -3328,18 +3329,18 @@ BOOL rdp_recv_demand_active(rdpRdp* rdp, wStream* s)
void rdp_write_demand_active(wStream* s, rdpSettings* settings)
{
BYTE *bm, *em, *lm;
int bm, em, lm;
UINT16 numberCapabilities;
UINT16 lengthCombinedCapabilities;
Stream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */
Stream_Write_UINT16(s, 4); /* lengthSourceDescriptor (2 bytes) */
Stream_GetPointer(s, lm);
lm = Stream_GetPosition(s);
Stream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */
Stream_Write(s, "RDP", 4); /* sourceDescriptor */
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */
Stream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */
@ -3365,23 +3366,23 @@ void rdp_write_demand_active(wStream* s, rdpSettings* settings)
rdp_write_bitmap_cache_host_support_capability_set(s, settings);
}
Stream_GetPointer(s, em);
em = Stream_GetPosition(s);
Stream_SetPointer(s, lm); /* go back to lengthCombinedCapabilities */
Stream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */
lengthCombinedCapabilities = (em - bm);
Stream_Write_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */
Stream_SetPointer(s, bm); /* go back to numberCapabilities */
Stream_SetPosition(s, bm); /* go back to numberCapabilities */
Stream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */
#ifdef WITH_DEBUG_CAPABILITIES
Stream_Seek_UINT16(s);
rdp_print_capability_sets(s, numberCapabilities, FALSE);
Stream_SetPointer(s, bm);
Stream_SetPosition(s, bm);
Stream_Seek_UINT16(s);
#endif
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
Stream_Write_UINT32(s, 0); /* sessionId */
}
@ -3440,7 +3441,7 @@ BOOL rdp_recv_confirm_active(rdpRdp* rdp, wStream* s)
void rdp_write_confirm_active(wStream* s, rdpSettings* settings)
{
BYTE *bm, *em, *lm;
int bm, em, lm;
UINT16 numberCapabilities;
UINT16 lengthSourceDescriptor;
UINT16 lengthCombinedCapabilities;
@ -3451,11 +3452,11 @@ void rdp_write_confirm_active(wStream* s, rdpSettings* settings)
Stream_Write_UINT16(s, 0x03EA); /* originatorId (2 bytes) */
Stream_Write_UINT16(s, lengthSourceDescriptor);/* lengthSourceDescriptor (2 bytes) */
Stream_GetPointer(s, lm);
lm = Stream_GetPosition(s);
Stream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */
Stream_Write(s, SOURCE_DESCRIPTOR, lengthSourceDescriptor); /* sourceDescriptor */
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */
Stream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */
@ -3550,23 +3551,23 @@ void rdp_write_confirm_active(wStream* s, rdpSettings* settings)
}
}
Stream_GetPointer(s, em);
em = Stream_GetPosition(s);
Stream_SetPointer(s, lm); /* go back to lengthCombinedCapabilities */
Stream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */
lengthCombinedCapabilities = (em - bm);
Stream_Write_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */
Stream_SetPointer(s, bm); /* go back to numberCapabilities */
Stream_SetPosition(s, bm); /* go back to numberCapabilities */
Stream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */
#ifdef WITH_DEBUG_CAPABILITIES
Stream_Seek_UINT16(s);
rdp_print_capability_sets(s, numberCapabilities, FALSE);
Stream_SetPointer(s, bm);
Stream_SetPosition(s, bm);
Stream_Seek_UINT16(s);
#endif
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
}
BOOL rdp_send_confirm_active(rdpRdp* rdp)
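Review bot: rdp_capability_set_start and rdp_capability_set_finish now hand out a stream position instead of a raw pointer, but nothing in the code records why, so a later maintainer may reach for Stream_GetPointer again; add above rdp_capability_set_start `/* Returns the position (not a pointer) of the capability set header: a raw pointer into the stream buffer is not safe to hold while the body is written, see commit fc592a1750. */`. The commit message calls the pointer form "potentially unsafe", presumably because the stream buffer can move while the body is written, though that is not visible in these hunks. Stream_GetPosition's return type is also not visible; if it is size_t or ptrdiff_t, storing it in `int header` (and in `int bm, em, lm` in rdp_write_demand_active and rdp_write_confirm_active) is a silent narrowing, and `length = footer - header;` in rdp_capability_set_finish then narrows again into a UINT16 with no check that the set fits the 16-bit wire field, as does `lengthCombinedCapabilities = (em - bm);`. The bodies of rdp_write_demand_active and rdp_write_confirm_active continue outside the visible hunks.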


@ -457,7 +457,7 @@ BOOL mcs_send_connect_initial(rdpMcs* mcs)
int status;
int length;
wStream* s;
BYTE *bm, *em;
int bm, em;
wStream* gcc_CCrq;
wStream* client_data;
@ -470,17 +470,17 @@ BOOL mcs_send_connect_initial(rdpMcs* mcs)
s = Stream_New(NULL, 1024 + length);
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek(s, 7);
mcs_write_connect_initial(s, mcs, gcc_CCrq);
Stream_GetPointer(s, em);
em = Stream_GetPosition(s);
length = (em - bm);
Stream_SetPointer(s, bm);
Stream_SetPosition(s, bm);
tpkt_write_header(s, length);
tpdu_write_data(s);
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
Stream_SealLength(s);
status = transport_write(mcs->transport, s);
@ -539,7 +539,7 @@ BOOL mcs_send_connect_response(rdpMcs* mcs)
int length;
int status;
wStream* s;
BYTE *bm, *em;
int bm, em;
wStream* gcc_CCrsp;
wStream* server_data;
@ -552,17 +552,17 @@ BOOL mcs_send_connect_response(rdpMcs* mcs)
s = Stream_New(NULL, length + 1024);
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek(s, 7);
mcs_write_connect_response(s, mcs, gcc_CCrsp);
Stream_GetPointer(s, em);
em = Stream_GetPosition(s);
length = (em - bm);
Stream_SetPointer(s, bm);
Stream_SetPosition(s, bm);
tpkt_write_header(s, length);
tpdu_write_data(s);
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
Stream_SealLength(s);
status = transport_write(mcs->transport, s);
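Review bot: In mcs_send_connect_initial the result of `s = Stream_New(NULL, 1024 + length);` is used on the next line by `bm = Stream_GetPosition(s);` with no NULL check, and mcs_send_connect_response does the same after `s = Stream_New(NULL, length + 1024);`; unless Stream_New aborts on allocation failure, which is not visible here, a failed allocation is dereferenced. Both functions return BOOL, so `if (!s) return FALSE;` directly after each Stream_New closes the gap, although the gcc_CCrq/gcc_CCrsp streams allocated earlier may need releasing on that path and their handling lies outside the hunks. The same unchecked pattern appears in the next section, in nego_send_negotiation_request and nego_send_negotiation_response after their `s = Stream_New(NULL, 512);`. Both function bodies here start before and end after the visible hunks.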


@ -646,13 +646,13 @@ BOOL nego_send_negotiation_request(rdpNego* nego)
{
wStream* s;
int length;
BYTE *bm, *em;
int bm, em;
int cookie_length;
s = Stream_New(NULL, 512);
length = TPDU_CONNECTION_REQUEST_LENGTH;
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek(s, length);
if (nego->RoutingToken)
@ -688,11 +688,11 @@ BOOL nego_send_negotiation_request(rdpNego* nego)
length += 8;
}
Stream_GetPointer(s, em);
Stream_SetPointer(s, bm);
em = Stream_GetPosition(s);
Stream_SetPosition(s, bm);
tpkt_write_header(s, length);
tpdu_write_connection_request(s, length - 5);
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
Stream_SealLength(s);
@ -808,11 +808,10 @@ void nego_process_negotiation_failure(rdpNego* nego, wStream* s)
BOOL nego_send_negotiation_response(rdpNego* nego)
{
wStream* s;
BYTE* bm;
BYTE* em;
int length;
int bm, em;
BOOL status;
wStream* s;
rdpSettings* settings;
status = TRUE;
@ -821,7 +820,7 @@ BOOL nego_send_negotiation_response(rdpNego* nego)
s = Stream_New(NULL, 512);
length = TPDU_CONNECTION_CONFIRM_LENGTH;
Stream_GetPointer(s, bm);
bm = Stream_GetPosition(s);
Stream_Seek(s, length);
if (nego->selected_protocol > PROTOCOL_RDP)
@ -848,11 +847,11 @@ BOOL nego_send_negotiation_response(rdpNego* nego)
status = FALSE;
}
Stream_GetPointer(s, em);
Stream_SetPointer(s, bm);
em = Stream_GetPosition(s);
Stream_SetPosition(s, bm);
tpkt_write_header(s, length);
tpdu_write_connection_confirm(s, length - 5);
Stream_SetPointer(s, em);
Stream_SetPosition(s, em);
Stream_SealLength(s);
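Review bot: nego_send_negotiation_request and nego_send_negotiation_response still feed a hand-counted `length` (started from TPDU_CONNECTION_REQUEST_LENGTH / TPDU_CONNECTION_CONFIRM_LENGTH and bumped with `length += 8;`) into `tpkt_write_header(s, length);`, even though the bm/em positions that this commit introduces already give the number of bytes actually written. Setting `length = (em - bm);` right after `em = Stream_GetPosition(s);`, as mcs_send_connect_initial does in the previous section, removes the double bookkeeping and guarantees the TPKT header agrees with the payload; assuming every write between bm and em is matched by an increment today, the two values are identical, so the change is behaviour-preserving. The positions are also stored in `int bm, em;` while the rdp.c section names its equivalent `nextPosition`; a descriptive name in these two functions would match. Both function bodies start before the visible hunks.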


@ -662,10 +662,11 @@ static INLINE BOOL update_read_delta_rects(wStream* s, DELTA_RECT* rectangles, i
if (Stream_GetRemainingLength(s) < zeroBitsSize)
return FALSE;
Stream_GetPointer(s, zeroBits);
Stream_Seek(s, zeroBitsSize);
memset(rectangles, 0, sizeof(DELTA_RECT) * (number + 1));
ZeroMemory(rectangles, sizeof(DELTA_RECT) * (number + 1));
for (i = 1; i < number + 1; i++)
{
@ -684,7 +685,9 @@ static INLINE BOOL update_read_delta_rects(wStream* s, DELTA_RECT* rectangles, i
return FALSE;
}
else
{
rectangles[i].width = rectangles[i - 1].width;
}
if (~flags & 0x10)
{
@ -692,13 +695,16 @@ static INLINE BOOL update_read_delta_rects(wStream* s, DELTA_RECT* rectangles, i
return FALSE;
}
else
{
rectangles[i].height = rectangles[i - 1].height;
}
rectangles[i].left = rectangles[i].left + rectangles[i - 1].left;
rectangles[i].top = rectangles[i].top + rectangles[i - 1].top;
flags <<= 4;
}
return TRUE;
}
@ -713,10 +719,11 @@ static INLINE BOOL update_read_delta_points(wStream* s, DELTA_POINT* points, int
if (Stream_GetRemainingLength(s) < zeroBitsSize)
return FALSE;
Stream_GetPointer(s, zeroBits);
Stream_Seek(s, zeroBitsSize);
memset(points, 0, sizeof(DELTA_POINT) * number);
ZeroMemory(points, sizeof(DELTA_POINT) * number);
for (i = 0; i < number; i++)
{
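Review bot: `ZeroMemory(rectangles, sizeof(DELTA_RECT) * (number + 1));` relies on the caller having sized `rectangles` for number + 1 entries and on `number` being non-negative, and neither contract is written down; the extra slot is index 0, which the loop starting at `i = 1` uses as the zeroed origin that `rectangles[i].left = rectangles[i].left + rectangles[i - 1].left;` accumulates from. A comment on that line, `/* slot 0 is the zeroed origin the deltas below accumulate from; the caller provides number + 1 entries */`, would make this explicit, and `ZeroMemory(points, sizeof(DELTA_POINT) * number);` in update_read_delta_points deserves the matching note about `number` entries. Whether `number` is range-checked before these calls is not visible; both functions start outside the hunks. The `zeroBits` pointer taken by `Stream_GetPointer(s, zeroBits);` is still a raw pointer, which is acceptable only because nothing visible writes to or resizes the stream before it is consumed — presumably the case in a read-only parser, but worth confirming.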


@ -772,7 +772,7 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
UINT16 pduSource;
UINT16 channelId;
UINT16 securityFlags;
BYTE* nextp;
int nextPosition;
if (!rdp_read_header(rdp, s, &length, &channelId))
{
@ -815,12 +815,12 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
{
while (Stream_GetRemainingLength(s) > 3)
{
Stream_GetPointer(s, nextp);
nextPosition = Stream_GetPosition(s);
if (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource))
return -1;
nextp += pduLength;
nextPosition += pduLength;
rdp->settings->PduSource = pduSource;
@ -848,7 +848,8 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
fprintf(stderr, "incorrect PDU type: 0x%04X\n", pduType);
break;
}
Stream_SetPointer(s, nextp);
Stream_SetPosition(s, nextPosition);
}
}
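Review bot: `nextPosition += pduLength;` takes a length straight from the share control header, and `Stream_SetPosition(s, nextPosition);` at the end of the loop then repositions the stream without checking that the result lies inside the buffer; a pduLength larger than the remaining data moves the position past the end, and a pduLength of zero leaves nextPosition at the header start so the loop never advances, unless rdp_read_share_control_header already validates the field, which is not visible here. A guard right after the addition, `if (nextPosition > Stream_Length(s)) return -1;` (plus a lower bound of the share control header size if rdp_read_share_control_header does not enforce one), keeps a malformed PDU from becoming an out-of-range read or a spin. The loop condition `Stream_GetRemainingLength(s) > 3` also admits fewer bytes than a header that carries totalLength, pduType and pduSource, so it presumably relies on rdp_read_share_control_header doing its own remaining-length check; a comment saying so would help. rdp_recv_tpkt_pdu starts before the visible hunks.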