Fixed #6101: POINTER_LARGE_UPDATE serialization
authorakallabeth <akallabeth@posteo.net>
Wed, 22 Apr 2020 10:09:37 +0000 (12:09 +0200)
committerakallabeth <akallabeth@users.noreply.github.com>
Tue, 28 Apr 2020 12:03:19 +0000 (14:03 +0200)
The length check and field sizes in _update_read_pointer_large
were off, corrected according to [MS-RDPBCGR] 2.2.9.1.2.1.11
Fast-Path Large Pointer Update (TS_FP_LARGEPOINTERATTRIBUTE)

libfreerdp/core/update.c

index 0feb2a5..47e2a94 100644 (file)
@@ -506,7 +506,7 @@ static BOOL _update_read_pointer_large(wStream* s, POINTER_LARGE_UPDATE* pointer
        if (!pointer)
                goto fail;
 
-       if (Stream_GetRemainingLength(s) < 14)
+       if (Stream_GetRemainingLength(s) < 20)
                goto fail;
 
        Stream_Read_UINT16(s, pointer->xorBpp);
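Review bot: The new bound `20` in the `Stream_GetRemainingLength(s)` check is a bare literal, and nothing ties it to the fields it is meant to cover, which is how the old `14` went unnoticed. A comment above the check would make the sum auditable against the [MS-RDPBCGR] 2.2.9.1.2.1.11 layout cited in the commit message, for example `/* xorBpp(2) + cacheIndex(2) + hotSpot(4) + width(2) + height(2) + lengthAndMask(4) + lengthXorMask(4) */`. Only the xorBpp read is visible in this hunk, so the breakdown should be confirmed against the reads that follow it in `_update_read_pointer_large`.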
@@ -520,8 +520,8 @@ static BOOL _update_read_pointer_large(wStream* s, POINTER_LARGE_UPDATE* pointer
        if ((pointer->width > 384) || (pointer->height > 384))
                goto fail;
 
-       Stream_Read_UINT16(s, pointer->lengthAndMask); /* lengthAndMask (2 bytes) */
-       Stream_Read_UINT16(s, pointer->lengthXorMask); /* lengthXorMask (2 bytes) */
+       Stream_Read_UINT32(s, pointer->lengthAndMask); /* lengthAndMask (4 bytes) */
+       Stream_Read_UINT32(s, pointer->lengthXorMask); /* lengthXorMask (4 bytes) */
 
        if (pointer->hotSpotX >= pointer->width)
                pointer->hotSpotX = 0;
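Review bot: After the switch to `Stream_Read_UINT32`, `lengthAndMask` and `lengthXorMask` are 32-bit values taken straight from the peer, and this hunk does not bound them the way it caps width and height at 384. The code that consumes them lies after the hunk, so confirm that it compares each length with the remaining stream before any allocation or copy. Unless that is already done there, a guard right after the two reads such as `if ((UINT64)pointer->lengthAndMask + pointer->lengthXorMask > Stream_GetRemainingLength(s)) goto fail;` would reject oversized values early, and the 64-bit sum avoids wraparound on 32-bit builds. The `POINTER_LARGE_UPDATE` declaration is not part of this diff; if those two members are still 16-bit, the wider reads will be silently truncated on assignment.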