From 98a4cd28bdf1c71d65cd95358b679fab24d39807 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Wed, 29 Apr 2020 15:48:43 +0200
Subject: [PATCH] Fixed int overflow in PresentationContext_new Thanks to hac425 CVE-2020-11038
---
channels/video/client/video_main.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
index a161a11..1efadb3 100644
--- a/channels/video/client/video_main.c
+++ b/channels/video/client/video_main.c
@@ -220,8 +220,14 @@ error_frames:
 static PresentationContext* PresentationContext_new(VideoClientContext* video, BYTE PresentationId, UINT32 x, UINT32 y, UINT32 width, UINT32 height)
 {
+ size_t s;
 VideoClientContextPriv* priv = video->priv;
- PresentationContext* ret = calloc(1, sizeof(*ret));
+ PresentationContext* ret;
+ s = width * height * 4ULL;
+ if (s > INT32_MAX)
+ return NULL;
+
+ ret = calloc(1, sizeof(*ret));
 if (!ret)
 return NULL;
@@ -243,7 +249,7 @@ static PresentationContext* PresentationContext_new(VideoClientContext* video, B
 goto error_currentSample;
 }
- ret->surfaceData = BufferPool_Take(priv->surfacePool, width * height * 4);
+ ret->surfaceData = BufferPool_Take(priv->surfacePool, s);
 if (!ret->surfaceData)
 {
 WLog_ERR(TAG, "unable to allocate surfaceData");
--
2.7.4
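Review bot: The new guard in the first hunk can still be passed by an oversized surface, because `width * height * 4ULL` is evaluated left to right and `width * height` is multiplied as two UINT32 values, so the product wraps at 32 bits before `4ULL` widens it. A wrapped product yields a small `s` that satisfies `if (s > INT32_MAX)` and is then passed to `BufferPool_Take` in the second hunk, while the rest of PresentationContext_new (its body continues outside both hunks) presumably still works with the original width and height. Putting the wide operand first and keeping the value in a 64-bit variable closes this, e.g. `UINT64 s = 4ULL * width * height;`, since `size_t` is only 32 bits on some targets and would truncate the result before the comparison. A one-line comment above the check stating why INT32_MAX is the bound would also help, as the hunk does not show the size type the pool expects.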