From 811406382d8c3d01407442550e958e964c685670 Mon Sep 17 00:00:00 2001
From: Martin Fleisz <martin.fleisz@thincast.com>
Date: Tue, 6 Mar 2018 15:52:34 +0100
Subject: [PATCH] core: Fix possible out-of-bounds read

---
 libfreerdp/core/orders.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 8acca43..b68ac91 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -162,7 +162,7 @@ static const BYTE BPP_CBR23[] =
 
 static const BYTE BMF_BPP[] =
 {
-	0, 1, 0, 8, 16, 24, 32
+	0, 1, 0, 8, 16, 24, 32, 0
 };
 
 static const BYTE BPP_BMF[] =
@@ -566,7 +566,7 @@ static INLINE BOOL update_read_brush(wStream* s, rdpBrush* brush,
 	if (brush->style & CACHED_BRUSH)
 	{
 		brush->index = brush->hatch;
-		brush->bpp = BMF_BPP[brush->style & 0x0F];
+		brush->bpp = BMF_BPP[brush->style & 0x07];
 
 		if (brush->bpp == 0)
 			brush->bpp = 1;
@@ -612,7 +612,7 @@ static INLINE BOOL update_write_brush(wStream* s, rdpBrush* brush,
 	if (brush->style & CACHED_BRUSH)
 	{
 		brush->hatch = brush->index;
-		brush->bpp = BMF_BPP[brush->style & 0x0F];
+		brush->bpp = BMF_BPP[brush->style & 0x07];
 
 		if (brush->bpp == 0)
 			brush->bpp = 1;
-- 
2.7.4