Added data length check for RDP_CODEC_ID_NONE

author Armin Novak <armin.novak@thincast.com>

Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)

committer Armin Novak <armin.novak@thincast.com>

Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)
author Armin Novak <armin.novak@thincast.com>
Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)
committer Armin Novak <armin.novak@thincast.com>
Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)
diff --git a/client/X11/xf_gdi.c b/client/X11/xf_gdi.c

index 218e1c9..6346313 100644 (file)
--- a/client/X11/xf_gdi.c
+++ b/client/X11/xf_gdi.c
@@ -1026,6 +1026,7 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
         BOOL ret = FALSE;
         DWORD format;
         rdpGdi* gdi;
+       size_t size;
         REGION16 region;
         RECTANGLE_16 cmdRect;
  
@@ -1065,6 +1066,13 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
                 case RDP_CODEC_ID_NONE:
                         pSrcData = cmd->bmp.bitmapData;
                         format = gdi_get_pixel_format(cmd->bmp.bpp);
+                       size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
+                       if (size > cmd->bmp.bitmapDataLength)
+                       {
+                               WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
+                                        cmd->bmp.bitmapDataLength, size);
+                               goto fail;
+                       }
  
                         if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
                                                 cmd->destTop, cmd->bmp.width, cmd->bmp.height, pSrcData, format,
@@ -1076,7 +1084,6 @@ static BOOL xf_gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND*
  
                 default:
                         WLog_ERR(TAG, "Unsupported codecID %" PRIu16 "", cmd->bmp.codecID);
-                       ret = TRUE;
                         goto fail;
         }
  
diff --git a/libfreerdp/gdi/gdi.c b/libfreerdp/gdi/gdi.c

index bcb2eee..d2dd7ef 100644 (file)
--- a/libfreerdp/gdi/gdi.c
+++ b/libfreerdp/gdi/gdi.c
@@ -1001,6 +1001,7 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
         BOOL result = FALSE;
         DWORD format;
         rdpGdi* gdi;
+       size_t size;
         REGION16 region;
         RECTANGLE_16 cmdRect;
         UINT32 i, nbRects;
@@ -1055,7 +1056,13 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
  
                 case RDP_CODEC_ID_NONE:
                         format = gdi_get_pixel_format(cmd->bmp.bpp);
-
+                       size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
+                       if (size > cmd->bmp.bitmapDataLength)
+                       {
+                               WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
+                                        cmd->bmp.bitmapDataLength, size);
+                               goto out;
+                       }
                         if (!freerdp_image_copy(gdi->primary_buffer, gdi->dstFormat, gdi->stride, cmd->destLeft,
                                                 cmd->destTop, cmd->bmp.width, cmd->bmp.height,
                                                 cmd->bmp.bitmapData, format, 0, 0, 0, &gdi->palette,
author	Armin Novak <armin.novak@thincast.com>
	Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)
committer	Armin Novak <armin.novak@thincast.com>
	Thu, 28 Nov 2019 07:08:30 +0000 (08:08 +0100)
client/X11/xf_gdi.c		patch \| blob \| history
libfreerdp/gdi/gdi.c		patch \| blob \| history