}
Stream_Read_UINT16(s, pdu.capsSetCount); /* capsSetCount (2 bytes) */
-
- if (Stream_GetRemainingLength(s) < (pdu.capsSetCount * (RDPGFX_CAPSET_BASE_SIZE + 4)))
- {
- WLog_ERR(TAG, "not enough data!");
- return ERROR_INVALID_DATA;
- }
-
capsSets = calloc(pdu.capsSetCount, (RDPGFX_CAPSET_BASE_SIZE + 4));
if (!capsSets)
for (index = 0; index < pdu.capsSetCount; index++)
{
RDPGFX_CAPSET* capsSet = &(pdu.capsSets[index]);
+
+ if (Stream_GetRemainingLength(s) < 8)
+ {
+ WLog_ERR(TAG, "not enough data!");
+ return ERROR_INVALID_DATA;
+ }
+
Stream_Read_UINT32(s, capsSet->version); /* version (4 bytes) */
Stream_Read_UINT32(s, capsSet->length); /* capsDataLength (4 bytes) */
if (capsSet->length >= 4)
+ {
+ if (Stream_GetRemainingLength(s) < 4)
+ return ERROR_INVALID_DATA;
+
Stream_Peek_UINT32(s, capsSet->flags); /* capsData (4 bytes) */
+ }
- Stream_Seek(s, capsSet->length);
+ if (!Stream_SafeSeek(s, capsSet->length))
+ return ERROR_INVALID_DATA;
}
if (context)