The length check and field sizes in _update_read_pointer_large
were off, corrected according to [MS-RDPBCGR] 2.2.9.1.2.1.11
Fast-Path Large Pointer Update (TS_FP_LARGEPOINTERATTRIBUTE)
if (!pointer)
goto fail;
- if (Stream_GetRemainingLength(s) < 14)
+ if (Stream_GetRemainingLength(s) < 20)
goto fail;
Stream_Read_UINT16(s, pointer->xorBpp);
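Review bot: The new minimum of 20 in the Stream_GetRemainingLength check is a bare magic number, and it rose by 6 while the two fields widened elsewhere in this patch account for only 4 of those bytes, so the value cannot be verified from the diff alone. Add a comment next to the check listing each fixed-size field and its width as given in [MS-RDPBCGR] 2.2.9.1.2.1.11, or use a named constant, so a later change to the reads cannot silently drift from the check again.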
if ((pointer->width > 384) || (pointer->height > 384))
goto fail;
- Stream_Read_UINT16(s, pointer->lengthAndMask); /* lengthAndMask (2 bytes) */
- Stream_Read_UINT16(s, pointer->lengthXorMask); /* lengthXorMask (2 bytes) */
+ Stream_Read_UINT32(s, pointer->lengthAndMask); /* lengthAndMask (4 bytes) */
+ Stream_Read_UINT32(s, pointer->lengthXorMask); /* lengthXorMask (4 bytes) */
if (pointer->hotSpotX >= pointer->width)
pointer->hotSpotX = 0;
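Review bot: The two Stream_Read_UINT32 calls now take lengthAndMask and lengthXorMask from the wire as 32-bit values, and nothing in this hunk bounds them the way width and height are bounded just above. Please confirm that the pointer struct declares both fields as UINT32, since a narrower field would truncate the value, and that the code consuming them checks each length against Stream_GetRemainingLength(s) before allocating or copying, without adding the two lengths in a type that can wrap.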