From 2d3d882de9e3f7a00cd259d9db96341c8b050bf9 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 4 Dec 2019 15:25:08 +0100 Subject: [PATCH] Stream size checks for rail_write_sysparam_order Ensure the stream is large enough to hold the data in rail_write_sysparam_order, rail_write_high_contrast and rail_write_filterkeys. --- channels/rail/rail_common.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/channels/rail/rail_common.c b/channels/rail/rail_common.c index 506ba5d..bab9646 100644 --- a/channels/rail/rail_common.c +++ b/channels/rail/rail_common.c @@ -186,9 +186,11 @@ static UINT rail_read_high_contrast(wStream* s, RAIL_HIGH_CONTRAST* highContrast if (!s || !highContrast) return ERROR_INVALID_PARAMETER; - Stream_Read_UINT32(s, highContrast->flags); /* flags (4 bytes) */ - Stream_Read_UINT32(s, highContrast->colorSchemeLength); /* colorSchemeLength (4 bytes) */ - return rail_read_unicode_string(s, &highContrast->colorScheme); /* colorScheme */ + Stream_Read_UINT32(s, highContrast->flags); /* flags (4 bytes) */ + Stream_Read_UINT32(s, highContrast->colorSchemeLength); /* colorSchemeLength (4 bytes) */ + if (!rail_read_unicode_string(s, &highContrast->colorScheme)) /* colorScheme */ + return ERROR_INTERNAL_ERROR; + return CHANNEL_RC_OK; } /** @@ -203,6 +205,9 @@ static UINT rail_write_high_contrast(wStream* s, const RAIL_HIGH_CONTRAST* highC if (!s || !highContrast) return ERROR_INVALID_PARAMETER; + if (!Stream_EnsureRemainingCapacity(s, 8)) + return CHANNEL_RC_NO_MEMORY; + colorSchemeLength = highContrast->colorScheme.length + 2; Stream_Write_UINT32(s, highContrast->flags); /* flags (4 bytes) */ Stream_Write_UINT32(s, colorSchemeLength); /* colorSchemeLength (4 bytes) */ @@ -219,6 +224,9 @@ static UINT rail_write_filterkeys(wStream* s, const TS_FILTERKEYS* filterKeys) if (!s || !filterKeys) return ERROR_INVALID_PARAMETER; + if (!Stream_EnsureRemainingCapacity(s, 20)) + return CHANNEL_RC_NO_MEMORY; + Stream_Write_UINT32(s, filterKeys->Flags); Stream_Write_UINT32(s, filterKeys->WaitTime); Stream_Write_UINT32(s, filterKeys->DelayTime); @@ -408,6 +416,9 @@ UINT rail_write_sysparam_order(wStream* s, const RAIL_SYSPARAM_ORDER* sysparam, if (!s || !sysparam) return ERROR_INVALID_PARAMETER; + if (!Stream_EnsureRemainingCapacity(s, 12)) + return CHANNEL_RC_NO_MEMORY; + Stream_Write_UINT32(s, sysparam->param); /* systemParam (4 bytes) */ switch (sysparam->param) -- 2.7.4