From: akallabeth <akallabeth@posteo.net>
Date: Mon, 18 May 2020 15:40:28 +0000 (+0200)
Subject: Fixed multiple sanitizer errors in codecs
X-Git-Tag: 2.1.1^2~20
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cf4f6dbf3f57fb432e93773630ed5407ddec9147;p=platform%2Fupstream%2Ffreerdp.git

Fixed multiple sanitizer errors in codecs

(cherry picked from commit 2278d92a5d902692a7d1088629b2345c9b4e229c)
---

diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index 118e09b..083f1aa 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -783,7 +783,7 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32
 			if (vBarUpdate)
 			{
 				UINT32 x;
-				BYTE* pSrcPixel;
+				BYTE* pSrcPixel = NULL;
 				BYTE* dstBuffer;
 
 				if (clear->VBarStorageCursor >= CLEARCODEC_VBAR_SIZE)
@@ -826,8 +826,9 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32
 				if ((y + count) > vBarPixelCount)
 					count = (vBarPixelCount > y) ? (vBarPixelCount - y) : 0;
 
-				pSrcPixel =
-				    &vBarShortEntry->pixels[(y - vBarYOn) * GetBytesPerPixel(clear->format)];
+				if (count > 0)
+					pSrcPixel =
+					    &vBarShortEntry->pixels[(y - vBarYOn) * GetBytesPerPixel(clear->format)];
 
 				for (x = 0; x < count; x++)
 				{
diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c
index 6c07552..6627e0b 100644
--- a/libfreerdp/codec/nsc.c
+++ b/libfreerdp/codec/nsc.c
@@ -113,14 +113,12 @@ static BOOL nsc_decode(NSC_CONTEXT* context)
 
 static BOOL nsc_rle_decode(BYTE* in, BYTE* out, UINT32 outSize, UINT32 originalSize)
 {
-	UINT32 len;
-	UINT32 left;
-	BYTE value;
-	left = originalSize;
+	UINT32 left = originalSize;
 
 	while (left > 4)
 	{
-		value = *in++;
+		const BYTE value = *in++;
+		UINT32 len = 0;
 
 		if (left == 5)
 		{
@@ -143,8 +141,10 @@ static BOOL nsc_rle_decode(BYTE* in, BYTE* out, UINT32 outSize, UINT32 originalS
 			else
 			{
 				in++;
-				len = *((UINT32*)in);
-				in += 4;
+				len = ((UINT32)(*in++));
+				len |= ((UINT32)(*in++)) << 8U;
+				len |= ((UINT32)(*in++)) << 16U;
+				len |= ((UINT32)(*in++)) << 24U;
 			}
 
 			if (outSize < len)
diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
index bfa2dc5..04cd346 100644
--- a/libfreerdp/codec/progressive.c
+++ b/libfreerdp/codec/progressive.c
@@ -1183,7 +1183,7 @@ static INLINE int progressive_rfx_upgrade_block(RFX_PROGRESSIVE_UPGRADE_STATE* s
 			sign[index] = input;
 		}
 
-		buffer[index] += (input << shift);
+		buffer[index] += (INT16)((UINT32)input << shift);
 	}
 
 	return 1;