Added missing bounds check.

(cherry picked from commit 2e6069d95b997d0dc7d2cc118255570d22f0ae0c)

diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index f31c2d4..8588a9e 100644 (file)
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -508,7 +508,7 @@ static INLINE BOOL writeLine(BYTE** ppRgba, UINT32 DstFormat, UINT32 width, cons
 static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* pDstData,
                                                 UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst,
                                                 UINT32 nYDst, UINT32 nWidth, UINT32 nHeight,
-                                                BOOL vFlip)
+                                                BOOL vFlip, UINT32 totalHeight)
 {
        INT32 y;
        INT32 beg, end, inc;
@@ -516,6 +516,7 @@ static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* p
        const BYTE* pG = pSrcData[1];
        const BYTE* pB = pSrcData[2];
        const BYTE* pA = pSrcData[3];
+       const UINT32 bpp = GetBytesPerPixel(DstFormat);
 
        if (vFlip)
        {
@@ -530,9 +531,20 @@ static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* p
                inc = 1;
        }
 
+       if (nYDst + nHeight > totalHeight)
+               return FALSE;
+
+       if ((nXDst + nWidth) * bpp > nDstStep)
+               return FALSE;
+
        for (y = beg; y != end; y += inc)
        {
-               BYTE* pRGB = &pDstData[((nYDst + y) * nDstStep) + (nXDst * GetBytesPerPixel(DstFormat))];
+               BYTE* pRGB;
+
+               if (y > (INT64)nHeight)
+                       return FALSE;
+
+               pRGB = &pDstData[((nYDst + y) * nDstStep) + (nXDst * bpp)];
 
                if (!writeLine(&pRGB, DstFormat, nWidth, &pR, &pG, &pB, &pA))
                        return FALSE;
@@ -739,6 +751,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
                UINT32 TempFormat;
                BYTE* pTempData = pDstData;
                UINT32 nTempStep = nDstStep;
+               UINT32 nTotalHeight = nYDst + nDstHeight;
 
                if (useAlpha)
                        TempFormat = PIXEL_FORMAT_BGRA32;
@@ -749,12 +762,13 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
                {
                        pTempData = planar->pTempData;
                        nTempStep = planar->nTempStep;
+                       nTotalHeight = planar->maxHeight;
                }
 
                if (!rle) /* RAW */
                {
                        if (!planar_decompress_planes_raw(planes, pTempData, TempFormat, nTempStep, nXDst,
-                                                         nYDst, nSrcWidth, nSrcHeight, vFlip))
+                                                         nYDst, nSrcWidth, nSrcHeight, vFlip, nTotalHeight))
                                return FALSE;
 
                        if (alpha)
@@ -819,6 +833,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
                UINT32 TempFormat;
                BYTE* pTempData = planar->pTempData;
                UINT32 nTempStep = planar->nTempStep;
+               UINT32 nTotalHeight = planar->maxHeight;
 
                if (useAlpha)
                        TempFormat = PIXEL_FORMAT_BGRA32;
@@ -901,7 +916,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
                        }
 
                        if (!planar_decompress_planes_raw(planes, pTempData, TempFormat, nTempStep, nXDst,
-                                                         nYDst, nSrcWidth, nSrcHeight, vFlip))
+                                                         nYDst, nSrcWidth, nSrcHeight, vFlip, nTotalHeight))
                                return FALSE;
 
                        if (alpha)