From: akallabeth <akallabeth@posteo.net>
Date: Wed, 29 Apr 2020 13:48:43 +0000 (+0200)
Subject: Fixed int overflow in PresentationContext_new
X-Git-Tag: 2.1.0^2~22
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=98a4cd28bdf1c71d65cd95358b679fab24d39807;p=platform%2Fupstream%2Ffreerdp.git

Fixed int overflow in PresentationContext_new

Thanks to hac425 CVE-2020-11038
---

diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
index a161a11..1efadb3 100644
--- a/channels/video/client/video_main.c
+++ b/channels/video/client/video_main.c
@@ -220,8 +220,14 @@ error_frames:
 static PresentationContext* PresentationContext_new(VideoClientContext* video, BYTE PresentationId,
                                                     UINT32 x, UINT32 y, UINT32 width, UINT32 height)
 {
+	size_t s;
 	VideoClientContextPriv* priv = video->priv;
-	PresentationContext* ret = calloc(1, sizeof(*ret));
+	PresentationContext* ret;
+	s = width * height * 4ULL;
+	if (s > INT32_MAX)
+		return NULL;
+
+	ret = calloc(1, sizeof(*ret));
 	if (!ret)
 		return NULL;
 
@@ -243,7 +249,7 @@ static PresentationContext* PresentationContext_new(VideoClientContext* video, B
 		goto error_currentSample;
 	}
 
-	ret->surfaceData = BufferPool_Take(priv->surfacePool, width * height * 4);
+	ret->surfaceData = BufferPool_Take(priv->surfacePool, s);
 	if (!ret->surfaceData)
 	{
 		WLog_ERR(TAG, "unable to allocate surfaceData");