From 75fa3ad2a03da846258f6a9126f0753541a04eb3 Mon Sep 17 00:00:00 2001
From: ilammy
Date: Thu, 1 Jun 2017 16:05:07 +0300
Subject: [PATCH] channels/cliprdr: avoid possible integer overflow

If the server sends us garbage (or the client provides it) then it is possible for the multiplication to overflow (as it is performed on unsigned 32-bit values) which will result in a false positive failure of the sanity check. Avoid it by rearranging arithmetics a little. Keep the multiplication in the error message because we are interested in the number of bytes in the stream and how it compares to the number we have expected based on the presumed file count.
---
 channels/cliprdr/client/cliprdr_format.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/channels/cliprdr/client/cliprdr_format.c b/channels/cliprdr/client/cliprdr_format.c
index a9b7df9..12ffdce 100644
--- a/channels/cliprdr/client/cliprdr_format.c
+++ b/channels/cliprdr/client/cliprdr_format.c
@@ -393,10 +393,10 @@ UINT cliprdr_parse_file_list(const BYTE* format_data, UINT32 format_data_length,
 Stream_Read_UINT32(s, count); /* cItems (4 bytes) */
- if (Stream_GetRemainingLength(s) < count * CLIPRDR_FILEDESCRIPTOR_SIZE)
+ if (Stream_GetRemainingLength(s) / CLIPRDR_FILEDESCRIPTOR_SIZE < count)
 {
- WLog_ERR(TAG, "packed file list is too short: expected %"PRIu32", have %"PRIuz,
- count * CLIPRDR_FILEDESCRIPTOR_SIZE,
+ WLog_ERR(TAG, "packed file list is too short: expected %"PRIuz", have %"PRIuz,
+ ((size_t) count) * CLIPRDR_FILEDESCRIPTOR_SIZE,
 Stream_GetRemainingLength(s));
 result = ERROR_INCORRECT_SIZE;
-- 
2.7.4
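Review bot: The `expected` value printed by the new `WLog_ERR` call can still wrap on builds where `size_t` is 32 bits, because `((size_t) count) * CLIPRDR_FILEDESCRIPTOR_SIZE` is then computed in the same width as the old expression (assuming the constant is no wider than `size_t`; its definition is not in the hunk). The log would then show a small expected size for exactly the oversized peer-supplied `count` values this check rejects, which misleads anyone triaging a malformed file list. Widening only for the message avoids that: `(UINT64) count * CLIPRDR_FILEDESCRIPTOR_SIZE,` with `%"PRIu64"` in the format string. The division-based comparison itself cannot overflow; a comment above it such as `/* divide rather than multiply: count comes from the peer and count * CLIPRDR_FILEDESCRIPTOR_SIZE can wrap */` would keep a later cleanup from restoring the multiplication. The body of `cliprdr_parse_file_list` starts and ends outside the hunk, so any later use of `count` in size arithmetic cannot be checked from here.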