From 138256fbc57b8feb22f8a92d2682a874fcb439d5 Mon Sep 17 00:00:00 2001 From: Giovanni Panozzo Date: Wed, 15 Jul 2020 00:08:15 +0200 Subject: [PATCH] Fix seeking in Cache Brush and other Secondary Drawing Orders (cherry picked from commit 9f7e475c1652c2b1e30e0406ec0bc7ea3f2330ff) Fixes #6374 --- libfreerdp/core/orders.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c index 4e62ce5..74870fa 100644 --- a/libfreerdp/core/orders.c +++ b/libfreerdp/core/orders.c @@ -2623,7 +2623,7 @@ static BOOL update_decompress_brush(wStream* s, BYTE* output, size_t outSize, BY const BYTE* palette = Stream_Pointer(s) + 16; const INT32 bytesPerPixel = ((bpp + 1) / 8); - if (!Stream_SafeSeek(s, 16ULL + 7ULL * bytesPerPixel)) // 64 / 4 + if (Stream_GetRemainingLength(s) < 16 + bytesPerPixel * 4) return FALSE; for (y = 7; y >= 0; y--) @@ -3617,7 +3617,7 @@ static BOOL update_recv_primary_order(rdpUpdate* update, wStream* s, BYTE flags) static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flags) { BOOL rc = FALSE; - size_t start, end, diff; + size_t start, end, pos, diff; BYTE orderType; UINT16 extraFlags; UINT16 orderLength; @@ -3766,15 +3766,15 @@ static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flag WLog_Print(update->log, WLOG_ERROR, "SECONDARY ORDER %s failed", name); } - start += orderLength + 7; - end = Stream_GetPosition(s); - if (start > end) + end = start + orderLength + 7; + pos = Stream_GetPosition(s); + if (pos > end) { WLog_Print(update->log, WLOG_WARN, "SECONDARY_ORDER %s: read %" PRIuz "bytes too much", - name, end - start); + name, pos - end); return FALSE; } - diff = end - start; + diff = end - pos; if (diff > 0) { WLog_Print(update->log, WLOG_DEBUG, -- 2.7.4