From 5565b366b0003b500d23e0315a147cd44db5d912 Mon Sep 17 00:00:00 2001
From: Kobi Mizrachi
Date: Wed, 4 Dec 2019 15:25:08 +0100
Subject: [PATCH] rail: stream size checks and rail_read_sysparam_order fixes

---
 channels/rail/rail_common.c      | 68 ++++++++++++++++++++++++++++++++++------
 channels/rail/server/rail_main.c | 34 ++++++++++----------
 2 files changed, 76 insertions(+), 26 deletions(-)

diff --git a/channels/rail/rail_common.c b/channels/rail/rail_common.c
index bab9646..229029b 100644
--- a/channels/rail/rail_common.c
+++ b/channels/rail/rail_common.c
@@ -186,8 +186,12 @@ static UINT rail_read_high_contrast(wStream* s, RAIL_HIGH_CONTRAST* highContrast
 	if (!s || !highContrast)
 		return ERROR_INVALID_PARAMETER;
 
-	Stream_Read_UINT32(s, highContrast->flags);             /* flags (4 bytes) */
-	Stream_Read_UINT32(s, highContrast->colorSchemeLength); /* colorSchemeLength (4 bytes) */
+	if (Stream_GetRemainingLength(s) < 8)
+		return ERROR_INVALID_DATA;
+
+	Stream_Read_UINT32(s, highContrast->flags);             /* flags (4 bytes) */
+	Stream_Read_UINT32(s, highContrast->colorSchemeLength); /* colorSchemeLength (4 bytes) */
+
 	if (!rail_read_unicode_string(s, &highContrast->colorScheme)) /* colorScheme */
 		return ERROR_INTERNAL_ERROR;
 	return CHANNEL_RC_OK;
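Review bot: The new 8-byte check returns ERROR_INVALID_DATA for a short header, but a truncated colorScheme two lines later still surfaces as ERROR_INTERNAL_ERROR through rail_read_unicode_string, so a caller cannot tell a malformed order from a local failure; consider `return ERROR_INVALID_DATA;` on that path as well, or a comment explaining why the string failure is classed as internal. colorSchemeLength is read into the struct but nothing in the hunk compares it with what rail_read_unicode_string consumes; that helper is not in the patch, so whether the length is validated anywhere is unclear. The function's closing brace lies outside the hunk.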
@@ -219,6 +223,27 @@ static UINT rail_write_high_contrast(wStream* s, const RAIL_HIGH_CONTRAST* highC
  *
  * @return 0 on success, otherwise a Win32 error code
  */
+static UINT rail_read_filterkeys(wStream* s, TS_FILTERKEYS* filterKeys)
+{
+	if (!s || !filterKeys)
+		return ERROR_INVALID_PARAMETER;
+
+	if (Stream_GetRemainingLength(s) < 20)
+		return ERROR_INVALID_DATA;
+
+	Stream_Read_UINT32(s, filterKeys->Flags);
+	Stream_Read_UINT32(s, filterKeys->WaitTime);
+	Stream_Read_UINT32(s, filterKeys->DelayTime);
+	Stream_Read_UINT32(s, filterKeys->RepeatTime);
+	Stream_Read_UINT32(s, filterKeys->BounceTime);
+	return CHANNEL_RC_OK;
+}
+
+/**
+ * Function description
+ *
+ * @return 0 on success, otherwise a Win32 error code
+ */
 static UINT rail_write_filterkeys(wStream* s, const TS_FILTERKEYS* filterKeys)
 {
 	if (!s || !filterKeys)
@@ -256,30 +281,38 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 
 	Stream_Read_UINT32(s, sysparam->param); /* systemParam (4 bytes) */
 
+	sysparam->params = 0; /* bitflags of received params */
+
 	switch (sysparam->param)
 	{
 		/* Client sysparams */
 		case SPI_SET_DRAG_FULL_WINDOWS:
+			sysparam->params |= SPI_MASK_SET_DRAG_FULL_WINDOWS;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->dragFullWindows = body != 0;
 			break;
 
 		case SPI_SET_KEYBOARD_CUES:
+			sysparam->params |= SPI_MASK_SET_KEYBOARD_CUES;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->keyboardCues = body != 0;
 			break;
 
 		case SPI_SET_KEYBOARD_PREF:
+			sysparam->params |= SPI_MASK_SET_KEYBOARD_PREF;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->keyboardPref = body != 0;
 			break;
 
 		case SPI_SET_MOUSE_BUTTON_SWAP:
+			sysparam->params |= SPI_MASK_SET_MOUSE_BUTTON_SWAP;
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->mouseButtonSwap = body != 0;
 			break;
 
 		case SPI_SET_WORK_AREA:
+			sysparam->params |= SPI_MASK_SET_WORK_AREA;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
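Review bot: The Doxygen block that now precedes rail_read_filterkeys, and the copy inserted above rail_write_filterkeys, still read `Function description`, so the new reader is effectively undocumented. A header such as `/** Read a TS_FILTERKEYS structure (Flags, WaitTime, DelayTime, RepeatTime, BounceTime; five 4-byte fields). @return CHANNEL_RC_OK on success, ERROR_INVALID_PARAMETER when s or filterKeys is NULL, ERROR_INVALID_DATA when fewer than 20 bytes remain. */` would state the contract the code actually implements. The 20-byte guard here is the right place for it, since this is the function doing the reads; the SPI_SETFILTERKEYS caller in a later hunk performs the same check before calling, so one of the two is redundant.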
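Review bot: Every case ORs its SPI_MASK_* bit into sysparam->params before the payload is validated or read, so when a case returns ERROR_INVALID_DATA the struct claims a parameter that was never received; the same ordering recurs in the later hunks of this function (SPI_DISPLAY_CHANGE through SPI_SETSCREENSAVESECURE). Either move the assignment below the successful read, e.g. place `sysparam->params |= SPI_MASK_SET_WORK_AREA;` after the four work-area reads, or document that sysparam is unspecified on error. The four one-byte cases carry no per-case remaining-length check and depend on an up-front check earlier in the function that is outside this hunk; that is fine only if it guarantees at least one byte beyond the 4-byte param. `sysparam->params = 0;` also clears the mask on every order, which only matters if a caller accumulates several orders into one struct.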
@@ -293,6 +326,8 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;
 
 		case SPI_DISPLAY_CHANGE:
+			sysparam->params |= SPI_MASK_DISPLAY_CHANGE;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@@ -306,6 +341,8 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;
 
 		case SPI_TASKBAR_POS:
+			sysparam->params |= SPI_MASK_TASKBAR_POS;
+
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@@ -319,6 +356,7 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;
 
 		case SPI_SET_HIGH_CONTRAST:
+			sysparam->params |= SPI_MASK_SET_HIGH_CONTRAST;
 			if (Stream_GetRemainingLength(s) < 8)
 			{
 				WLog_ERR(TAG, "Stream_GetRemainingLength failed!");
@@ -329,7 +367,9 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;
 
 		case SPI_SETCARETWIDTH:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_CARET_WIDTH;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;
 
 			if (Stream_GetRemainingLength(s) < 4)
@@ -346,7 +386,9 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 			break;
 
 		case SPI_SETSTICKYKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_STICKY_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;
 
 			if (Stream_GetRemainingLength(s) < 4)
@@ -355,11 +397,13 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}
 
-			Stream_Write_UINT32(s, sysparam->stickyKeys);
+			Stream_Read_UINT32(s, sysparam->stickyKeys);
 			break;
 
 		case SPI_SETTOGGLEKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_TOGGLE_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;
 
 			if (Stream_GetRemainingLength(s) < 4)
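Review bot: In the SPI_SETCARETWIDTH, SPI_SETSTICKYKEYS and SPI_SETTOGGLEKEYS cases the corrected `if (!extendedSpiSupported) return ERROR_INVALID_DATA;` rejects the order silently, while the length failures a few lines below log `WLog_ERR(TAG, "Stream_GetRemainingLength failed!")` before returning the same code; a peer sending an extended SPI it never negotiated is at least as worth a log line, since this is the only trace an operator gets of a non-conforming client. Suggest `WLog_ERR(TAG, "extended SPI parameter received but not supported");` ahead of the return in each of these cases and in SPI_SETFILTERKEYS in the next hunk. The switch continues on both sides of every hunk here.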
@@ -368,11 +412,13 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}
 
-			Stream_Write_UINT32(s, sysparam->toggleKeys);
+			Stream_Read_UINT32(s, sysparam->toggleKeys);
 			break;
 
 		case SPI_SETFILTERKEYS:
-			if (extendedSpiSupported)
+			sysparam->params |= SPI_MASK_SET_FILTER_KEYS;
+
+			if (!extendedSpiSupported)
 				return ERROR_INVALID_DATA;
 
 			if (Stream_GetRemainingLength(s) < 20)
@@ -381,16 +427,20 @@ UINT rail_read_sysparam_order(wStream* s, RAIL_SYSPARAM_ORDER* sysparam, BOOL ex
 				return ERROR_INVALID_DATA;
 			}
 
-			error = rail_write_filterkeys(s, &sysparam->filterKeys);
+			error = rail_read_filterkeys(s, &sysparam->filterKeys);
 			break;
 
 		/* Server sysparams */
 		case SPI_SETSCREENSAVEACTIVE:
+			sysparam->params |= SPI_MASK_SET_SCREEN_SAVE_ACTIVE;
+
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->setScreenSaveActive = body != 0;
 			break;
 
 		case SPI_SETSCREENSAVESECURE:
+			sysparam->params |= SPI_MASK_SET_SET_SCREEN_SAVE_SECURE;
+
 			Stream_Read_UINT8(s, body); /* body (1 byte) */
 			sysparam->setScreenSaveSecure = body != 0;
 			break;
diff --git a/channels/rail/server/rail_main.c b/channels/rail/server/rail_main.c
index 817ce96..5bdfd23 100644
--- a/channels/rail/server/rail_main.c
+++ b/channels/rail/server/rail_main.c
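Review bot: `SPI_MASK_SET_SET_SCREEN_SAVE_SECURE` in the SPI_SETSCREENSAVESECURE case carries a doubled SET that none of its sibling masks have; the header defining these masks is not in the patch, so if it really is spelled that way it is better renamed to `SPI_MASK_SET_SCREEN_SAVE_SECURE` now than frozen into the public struct API by this commit. The `Stream_GetRemainingLength(s) < 20` guard immediately above `error = rail_read_filterkeys(s, &sysparam->filterKeys);` is now repeated inside rail_read_filterkeys; keeping only the caller's copy would preserve the WLog_ERR it emits, keeping only the callee's would keep the check next to the reads, but two copies invite drift. The two server cases read one byte without a per-case length check and rely on the up-front check that is outside this hunk, as the client one-byte cases do.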
@@ -105,15 +105,15 @@ static UINT rail_write_min_max_info_order(wStream* s, const RAIL_MINMAXINFO_ORDE
 	if (!s || !minMaxInfo)
 		return ERROR_INVALID_PARAMETER;
 
-	Stream_Write_UINT32(s, minMaxInfo->windowId);       /* WindowId (4 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxWidth);       /* MaxWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxHeight);      /* MaxHeight (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxPosX);        /* MaxPosX (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxPosY);        /* MaxPosY (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->minTrackWidth);  /* MinTrackWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->minTrackHeight); /* MinTrackHeight (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxTrackWidth);  /* MaxTrackWidth (2 bytes) */
-	Stream_Write_UINT16(s, minMaxInfo->maxTrackHeight); /* MaxTrackHeight (2 bytes) */
+	Stream_Write_UINT32(s, minMaxInfo->windowId);       /* WindowId (4 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxWidth);        /* MaxWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxHeight);       /* MaxHeight (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxPosX);         /* MaxPosX (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxPosY);         /* MaxPosY (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->minTrackWidth);   /* MinTrackWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->minTrackHeight);  /* MinTrackHeight (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxTrackWidth);   /* MaxTrackWidth (2 bytes) */
+	Stream_Write_INT16(s, minMaxInfo->maxTrackHeight);  /* MaxTrackHeight (2 bytes) */
 	return ERROR_SUCCESS;
 }
 
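Review bot: Switching the eight extent writes to Stream_Write_INT16 changes nothing on the wire unless the RAIL_MINMAXINFO_ORDER fields are themselves signed; that struct is not in the patch, so confirm its fields were changed to INT16 in the same series, otherwise a UINT16 value above 32767 is silently reinterpreted on the way out. The same question applies to the Stream_Read_INT16 changes in rail_read_window_move_order and rail_read_snap_arange_order in the next file section, where RAIL_WINDOW_MOVE_ORDER and RAIL_SNAP_ARRANGE must have INT16 fields for the sign to survive the read. A one-line comment above the first write recording why these extents are signed would stop a later cleanup from reverting them to UINT16. Whether this writer checks stream capacity before writing is not visible; its opening is above the hunk.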
@@ -796,10 +796,10 @@ static UINT rail_read_window_move_order(wStream* s, RAIL_WINDOW_MOVE_ORDER* wind
 		return ERROR_INVALID_DATA;
 
 	Stream_Read_UINT32(s, windowMove->windowId); /* WindowId (4 bytes) */
-	Stream_Read_UINT16(s, windowMove->left);     /* Left (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->top);      /* Top (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->right);    /* Right (2 bytes) */
-	Stream_Read_UINT16(s, windowMove->bottom);   /* Bottom (2 bytes) */
+	Stream_Read_INT16(s, windowMove->left);      /* Left (2 bytes) */
+	Stream_Read_INT16(s, windowMove->top);       /* Top (2 bytes) */
+	Stream_Read_INT16(s, windowMove->right);     /* Right (2 bytes) */
+	Stream_Read_INT16(s, windowMove->bottom);    /* Bottom (2 bytes) */
 	return CHANNEL_RC_OK;
 }
 
@@ -814,10 +814,10 @@ static UINT rail_read_snap_arange_order(wStream* s, RAIL_SNAP_ARRANGE* snapArran
 		return ERROR_INVALID_DATA;
 
 	Stream_Read_UINT32(s, snapArrange->windowId); /* WindowId (4 bytes) */
-	Stream_Read_UINT16(s, snapArrange->left);     /* Left (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->top);      /* Top (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->right);    /* Right (2 bytes) */
-	Stream_Read_UINT16(s, snapArrange->bottom);   /* Bottom (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->left);      /* Left (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->top);       /* Top (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->right);     /* Right (2 bytes) */
+	Stream_Read_INT16(s, snapArrange->bottom);    /* Bottom (2 bytes) */
 	return CHANNEL_RC_OK;
 }
 
-- 
2.7.4