When a server sends an update where the bitmap data is insufficient to

author Aaron Small <aaron.small@shadnet.shad.ca>

Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)

committer Aaron Small <aaron.small@shadnet.shad.ca>

Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)
author Aaron Small <aaron.small@shadnet.shad.ca>
Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)
committer Aaron Small <aaron.small@shadnet.shad.ca>
Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)
diff --git a/client/X11/xf_gdi.c b/client/X11/xf_gdi.c

index 2438db3..bf13951 100644 (file)
--- a/client/X11/xf_gdi.c
+++ b/client/X11/xf_gdi.c
@@ -966,31 +966,37 @@ void xf_gdi_surface_bits(rdpContext* context, SURFACE_BITS_COMMAND* surface_bits
                 XSetFunction(xfi->display, xfi->gc, GXcopy);
                 XSetFillStyle(xfi->display, xfi->gc, FillSolid);
  
-               xfi->bmp_codec_none = (uint8*) xrealloc(xfi->bmp_codec_none,
-                               surface_bits_command->width * surface_bits_command->height * 4);
+               /* Validate that the data received is large enough */
+               if( surface_bits_command->width * surface_bits_command->height * surface_bits_command->bpp / 8 <= surface_bits_command->bitmapDataLength )
+               {
+                       xfi->bmp_codec_none = (uint8*) xrealloc(xfi->bmp_codec_none,
+                                       surface_bits_command->width * surface_bits_command->height * 4);
  
-               freerdp_image_flip(surface_bits_command->bitmapData, xfi->bmp_codec_none,
-                               surface_bits_command->width, surface_bits_command->height, 32);
+                       freerdp_image_flip(surface_bits_command->bitmapData, xfi->bmp_codec_none,
+                                       surface_bits_command->width, surface_bits_command->height, 32);
  
-               image = XCreateImage(xfi->display, xfi->visual, 24, ZPixmap, 0,
-                       (char*) xfi->bmp_codec_none, surface_bits_command->width, surface_bits_command->height, 32, 0);
+                       image = XCreateImage(xfi->display, xfi->visual, 24, ZPixmap, 0,
+                               (char*) xfi->bmp_codec_none, surface_bits_command->width, surface_bits_command->height, 32, 0);
  
-               XPutImage(xfi->display, xfi->primary, xfi->gc, image, 0, 0,
-                               surface_bits_command->destLeft, surface_bits_command->destTop,
-                               surface_bits_command->width, surface_bits_command->height);
+                       XPutImage(xfi->display, xfi->primary, xfi->gc, image, 0, 0,
+                                       surface_bits_command->destLeft, surface_bits_command->destTop,
+                                       surface_bits_command->width, surface_bits_command->height);
  
-               if (xfi->remote_app != true)
-               {
-                       XCopyArea(xfi->display, xfi->primary, xfi->window->handle, xfi->gc,
-                               surface_bits_command->destLeft, surface_bits_command->destTop,
-                               surface_bits_command->width, surface_bits_command->height,
-                               surface_bits_command->destLeft, surface_bits_command->destTop);
-               }
+                       if (xfi->remote_app != true)
+                       {
+                               XCopyArea(xfi->display, xfi->primary, xfi->window->handle, xfi->gc,
+                                       surface_bits_command->destLeft, surface_bits_command->destTop,
+                                       surface_bits_command->width, surface_bits_command->height,
+                                       surface_bits_command->destLeft, surface_bits_command->destTop);
+                       }
  
-               gdi_InvalidateRegion(xfi->hdc, surface_bits_command->destLeft, surface_bits_command->destTop,
-                               surface_bits_command->width, surface_bits_command->height);
+                       gdi_InvalidateRegion(xfi->hdc, surface_bits_command->destLeft, surface_bits_command->destTop,
+                                       surface_bits_command->width, surface_bits_command->height);
  
-               XSetClipMask(xfi->display, xfi->gc, None);
+                       XSetClipMask(xfi->display, xfi->gc, None);
+               } else {
+                       printf("Invalid bitmap size - data is %d bytes for %dx%d\n update", surface_bits_command->bitmapDataLength, surface_bits_command->width, surface_bits_command->height);
+               }
         }
         else
         {
author	Aaron Small <aaron.small@shadnet.shad.ca>
	Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)
committer	Aaron Small <aaron.small@shadnet.shad.ca>
	Sun, 4 Mar 2012 21:59:15 +0000 (16:59 -0500)