From 64e2291274063578f3f406dd0b7d1a0aa40cbc4e Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Tue, 10 Sep 2013 11:28:30 -0700 Subject: [PATCH] VUL: check bytes remaining in xrdp_rdp_process_data_input --- libxrdp/xrdp_rdp.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index bd075a59..a1a330c2 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -1237,11 +1237,19 @@ xrdp_rdp_process_data_input(struct xrdp_rdp* self, struct stream* s) int param2; int time; + if (!s_check_rem(s, 4)) + { + return 1; + } in_uint16_le(s, num_events); in_uint8s(s, 2); /* pad */ DEBUG(("in xrdp_rdp_process_data_input %d events", num_events)); for (index = 0; index < num_events; index++) { + if (!s_check_rem(s, 12)) + { + return 1; + } in_uint32_le(s, time); in_uint16_le(s, msg_type); in_uint16_le(s, device_flags);