pdu.capsSet = &capsSet;
+ if (Stream_GetRemainingLength(s) < 12)
+ return -1;
+
Stream_Read_UINT32(s, capsSet.version); /* version (4 bytes) */
Stream_Read_UINT32(s, capsDataLength); /* capsDataLength (4 bytes) */
Stream_Read_UINT32(s, capsSet.flags); /* capsData (4 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 12)
+ return -1;
+
Stream_Read_UINT32(s, pdu.width); /* width (4 bytes) */
Stream_Read_UINT32(s, pdu.height); /* height (4 bytes) */
Stream_Read_UINT32(s, pdu.monitorCount); /* monitorCount (4 bytes) */
+ if (Stream_GetRemainingLength(s) < (pdu.monitorCount * 20))
+ return -1;
+
pdu.monitorDefArray = (MONITOR_DEF*) calloc(pdu.monitorCount, sizeof(MONITOR_DEF));
if (!pdu.monitorDefArray)
}
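Review bot: The guard `Stream_GetRemainingLength(s) < (pdu.monitorCount * 20)` multiplies a UINT32 read straight from the wire, so a large monitorCount can wrap the product to a small value and the check passes even though the later per-monitor reads and the `calloc(pdu.monitorCount, ...)` still use the unwrapped count. The PDU is fixed at 340 bytes (see the `pad` computation below this hunk), which bounds the entry count to a small constant — 16 if RDPGFX_HEADER_SIZE is 8 bytes — so bounding the count before the arithmetic closes the gap: `if (pdu.monitorCount > 16 || Stream_GetRemainingLength(s) < (pdu.monitorCount * 20))` / `return -1;`. Bounding the count here also keeps the `340 - (...)` subtraction that feeds `pad` from going negative, which otherwise depends on `pad`'s type to be caught by the later `pad` check. The enclosing function begins before this hunk.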
pad = 340 - (RDPGFX_HEADER_SIZE + 12 + (pdu.monitorCount * 20));
+
+ if (Stream_GetRemainingLength(s) < pad)
+ return -1;
+
Stream_Seek(s, pad); /* pad (total size is 340 bytes) */
WLog_Print(gfx->log, WLOG_DEBUG, "RecvResetGraphicsPdu: width: %d height: %d count: %d",
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 2)
+ return -1;
+
Stream_Read_UINT16(s, pdu.cacheSlot); /* cacheSlot (2 bytes) */
WLog_Print(gfx->log, WLOG_DEBUG, "RecvEvictCacheEntryPdu: cacheSlot: %d", pdu.cacheSlot);
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 2)
+ return -1;
+
Stream_Read_UINT16(s, pdu.importedEntriesCount); /* cacheSlot (2 bytes) */
+ if (Stream_GetRemainingLength(s) < (pdu.importedEntriesCount * 2))
+ return -1;
+
pdu.cacheSlots = (UINT16*) calloc(pdu.importedEntriesCount, sizeof(UINT16));
if (!pdu.cacheSlots)
context->CacheImportReply(context, &pdu);
}
+ free(pdu.cacheSlots);
+
return 1;
}
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 7)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT16(s, pdu.width); /* width (2 bytes) */
Stream_Read_UINT16(s, pdu.height); /* height (2 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 2)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
WLog_Print(gfx->log, WLOG_DEBUG, "RecvDeleteSurfacePdu: surfaceId: %d", pdu.surfaceId);
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 8)
+ return -1;
+
Stream_Read_UINT32(s, pdu.timestamp); /* timestamp (4 bytes) */
Stream_Read_UINT32(s, pdu.frameId); /* frameId (4 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 4)
+ return -1;
+
Stream_Read_UINT32(s, pdu.frameId); /* frameId (4 bytes) */
WLog_Print(gfx->log, WLOG_DEBUG, "RecvEndFramePdu: frameId: %d\n", pdu.frameId);
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 17)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT16(s, pdu.codecId); /* codecId (2 bytes) */
Stream_Read_UINT8(s, pdu.pixelFormat); /* pixelFormat (1 byte) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 13)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT16(s, pdu.codecId); /* codecId (2 bytes) */
Stream_Read_UINT32(s, pdu.codecContextId); /* codecContextId (4 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 6)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT32(s, pdu.codecContextId); /* codecContextId (4 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
- Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
+ if (Stream_GetRemainingLength(s) < 8)
+ return -1;
+ Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
rdpgfx_read_color32(s, &(pdu.fillPixel)); /* fillPixel (4 bytes) */
-
Stream_Read_UINT16(s, pdu.fillRectCount); /* fillRectCount (2 bytes) */
+ if (Stream_GetRemainingLength(s) < (pdu.fillRectCount * 8))
+ return -1;
+
pdu.fillRects = (RDPGFX_RECT16*) calloc(pdu.fillRectCount, sizeof(RDPGFX_RECT16));
if (!pdu.fillRects)
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 14)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceIdSrc); /* surfaceIdSrc (2 bytes) */
Stream_Read_UINT16(s, pdu.surfaceIdDest); /* surfaceIdDest (2 bytes) */
-
rdpgfx_read_rect16(s, &(pdu.rectSrc)); /* rectSrc (8 bytes ) */
-
Stream_Read_UINT16(s, pdu.destPtsCount); /* destPtsCount (2 bytes) */
+ if (Stream_GetRemainingLength(s) < (pdu.destPtsCount * 4))
+ return -1;
+
pdu.destPts = (RDPGFX_POINT16*) calloc(pdu.destPtsCount, sizeof(RDPGFX_POINT16));
if (!pdu.destPts)
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 20)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT64(s, pdu.cacheKey); /* cacheKey (8 bytes) */
Stream_Read_UINT16(s, pdu.cacheSlot); /* cacheSlot (2 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 6)
+ return -1;
+
Stream_Read_UINT16(s, pdu.cacheSlot); /* cacheSlot (2 bytes) */
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT16(s, pdu.destPtsCount); /* destPtsCount (2 bytes) */
+ if (Stream_GetRemainingLength(s) < (pdu.destPtsCount * 4))
+ return -1;
+
pdu.destPts = (RDPGFX_POINT16*) calloc(pdu.destPtsCount, sizeof(RDPGFX_POINT16));
if (!pdu.destPts)
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 12)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT16(s, pdu.reserved); /* reserved (2 bytes) */
Stream_Read_UINT32(s, pdu.outputOriginX); /* outputOriginX (4 bytes) */
RDPGFX_PLUGIN* gfx = (RDPGFX_PLUGIN*) callback->plugin;
RdpgfxClientContext* context = (RdpgfxClientContext*) gfx->iface.pInterface;
+ if (Stream_GetRemainingLength(s) < 18)
+ return -1;
+
Stream_Read_UINT16(s, pdu.surfaceId); /* surfaceId (2 bytes) */
Stream_Read_UINT64(s, pdu.windowId); /* windowId (8 bytes) */
Stream_Read_UINT32(s, pdu.mappedWidth); /* mappedWidth (4 bytes) */
beg = Stream_GetPosition(s);
- rdpgfx_read_header(s, &header);
+ status = rdpgfx_read_header(s, &header);
+
+ if (status < 0)
+ return -1;
#if 1
WLog_Print(gfx->log, WLOG_DEBUG, "cmdId: %s (0x%04X) flags: 0x%04X pduLength: %d",
break;
default:
- fprintf(stderr, "Unknown GFX cmdId: 0x%04X\n", header.cmdId);
+ status = -1;
break;
}
+ if (status < 0)
+ {
+ fprintf(stderr, "Error while parsing GFX cmdId: %s (0x%04X)\n",
+ rdpgfx_get_cmd_id_string(header.cmdId), header.cmdId);
+ return -1;
+ }
+
end = Stream_GetPosition(s);
if (end != (beg + header.pduLength))
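Review bot: The new error branch reports parse failures with `fprintf(stderr, ...)`, while the rest of this function logs through the plugin's logger (`WLog_Print(gfx->log, WLOG_DEBUG, ...)` a few lines above), so operators filtering or capturing rdpgfx logs will not see these failures. Routing it through the same logger keeps the channel's diagnostics in one place: `WLog_Print(gfx->log, WLOG_ERROR, "Error while parsing GFX cmdId: %s (0x%04X)",` / `rdpgfx_get_cmd_id_string(header.cmdId), header.cmdId);`. A malformed PDU now aborts the whole receive instead of being skipped, so a short one-line comment above the `if (status < 0)` stating that intent would help the next reader. The enclosing function starts and ends outside this hunk.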
while (Stream_GetPosition(s) < Stream_Length(s))
{
status = rdpgfx_recv_pdu(callback, s);
+
+ if (status < 0)
+ break;
}
Stream_Free(s, TRUE);