From 8af9c138e370f4945667bfa7c80b75821da500a9 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Fri, 15 Mar 2019 08:39:46 +0100 Subject: [PATCH] Fixed input stream length checks in rdpgfx_recv_caps_advertise_pdu --- channels/rdpgfx/server/rdpgfx_main.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/channels/rdpgfx/server/rdpgfx_main.c b/channels/rdpgfx/server/rdpgfx_main.c index 0990d94..d8e4754 100644 --- a/channels/rdpgfx/server/rdpgfx_main.c +++ b/channels/rdpgfx/server/rdpgfx_main.c @@ -1202,13 +1202,6 @@ static UINT rdpgfx_recv_caps_advertise_pdu(RdpgfxServerContext* context, } Stream_Read_UINT16(s, pdu.capsSetCount); /* capsSetCount (2 bytes) */ - - if (Stream_GetRemainingLength(s) < (pdu.capsSetCount * (RDPGFX_CAPSET_BASE_SIZE + 4))) - { - WLog_ERR(TAG, "not enough data!"); - return ERROR_INVALID_DATA; - } - capsSets = calloc(pdu.capsSetCount, (RDPGFX_CAPSET_BASE_SIZE + 4)); if (!capsSets) @@ -1219,13 +1212,26 @@ static UINT rdpgfx_recv_caps_advertise_pdu(RdpgfxServerContext* context, for (index = 0; index < pdu.capsSetCount; index++) { RDPGFX_CAPSET* capsSet = &(pdu.capsSets[index]); + + if (Stream_GetRemainingLength(s) < 8) + { + WLog_ERR(TAG, "not enough data!"); + return ERROR_INVALID_DATA; + } + Stream_Read_UINT32(s, capsSet->version); /* version (4 bytes) */ Stream_Read_UINT32(s, capsSet->length); /* capsDataLength (4 bytes) */ if (capsSet->length >= 4) + { + if (Stream_GetRemainingLength(s) < 4) + return ERROR_INVALID_DATA; + Stream_Peek_UINT32(s, capsSet->flags); /* capsData (4 bytes) */ + } - Stream_Seek(s, capsSet->length); + if (!Stream_SafeSeek(s, capsSet->length)) + return ERROR_INVALID_DATA; } if (context) -- 2.7.4
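Review bot: With the aggregate length check gone, `calloc(pdu.capsSetCount, (RDPGFX_CAPSET_BASE_SIZE + 4))` now runs before any of the client-supplied caps data has been validated; the allocation stays bounded because capsSetCount is read as a UINT16, but a count of 0 turns it into `calloc(0, …)`, which is permitted to return NULL and would presumably then be reported by the `if (!capsSets)` test below as an allocation failure rather than as an empty or invalid advertise. Consider deciding the zero case explicitly before allocating, e.g. `if (pdu.capsSetCount == 0) return ERROR_INVALID_DATA; /* at least one capsSet expected */` or an explicit empty-list path, whichever the protocol requires. The body of the `if (!capsSets)` branch and the rest of rdpgfx_recv_caps_advertise_pdu lie outside this hunk, so confirm against the full function.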
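Review bot: The three new `return ERROR_INVALID_DATA;` paths inside the loop return while `capsSets`, allocated by the calloc in the previous hunk, is still live, so every malformed CAPS_ADVERTISE PDU now leaks that buffer; the check this commit removed sat before the allocation and had no such problem. This is server-side code parsing client-supplied data, so repeated malformed PDUs are a cheap way to grow the process's memory, unless some path I cannot see frees the buffer. Route the failures through a single cleanup label with an error variable (introduce a `UINT error` if the function has none) and free there, as sketched below; the enclosing function starts before the hunk and ends after it, so place the label at its real tail and check no other path already frees `capsSets`.
```c
		if (Stream_GetRemainingLength(s) < 8)
		{
			WLog_ERR(TAG, "not enough data!");
			error = ERROR_INVALID_DATA;
			goto fail;
		}
		/* … unchanged: version / capsDataLength reads … */
		if (capsSet->length >= 4)
		{
			if (Stream_GetRemainingLength(s) < 4)
			{
				error = ERROR_INVALID_DATA;
				goto fail;
			}
			Stream_Peek_UINT32(s, capsSet->flags); /* capsData (4 bytes) */
		}
		if (!Stream_SafeSeek(s, capsSet->length))
		{
			error = ERROR_INVALID_DATA;
			goto fail;
		}
	/* … unchanged: end of loop, callback invocation, success path … */
fail:
	free(capsSets);
	return error;
```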