From 9b8ba7f3e03f38a290897355032d254397222574 Mon Sep 17 00:00:00 2001
From: hardening
Date: Fri, 1 Feb 2013 22:43:20 +0100
Subject: [PATCH] check size before decompressing fixed return value from BOOL to int
---
 libfreerdp/core/rdp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/rdp.c b/libfreerdp/core/rdp.c
index edd2e8e..5473891 100644
--- a/libfreerdp/core/rdp.c
+++ b/libfreerdp/core/rdp.c
@@ -510,6 +510,11 @@ int rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
 if (compressed_type & PACKET_COMPRESSED)
 {
+ if (stream_get_left(s) < compressed_len - 18)
+ {
+ printf("decompress_rdp: not enough bytes for compressed_len=%d\n", compressed_len);
+ return -1;
+ }
 if (decompress_rdp(rdp->mppc_dec, s->p, compressed_len - 18, compressed_type, &roff, &rlen))
 {
 comp_stream = stream_new(0);
@@ -575,7 +580,7 @@ int rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
 case DATA_PDU_TYPE_SAVE_SESSION_INFO:
 if(!rdp_recv_save_session_info(rdp, comp_stream))
- return FALSE;
+ return -1;
 break;
 case DATA_PDU_TYPE_FONT_LIST:
--
2.7.4
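Review bot: The new guard in the first hunk, `if (stream_get_left(s) < compressed_len - 18)`, bounds the length from above only; a `compressed_len` below 18 is not rejected, so `compressed_len - 18` goes negative (or wraps, depending on the declared types, which are outside the hunk) and is still passed to `decompress_rdp` as the input length. The value is presumably read from the received PDU, so the lower bound should be checked first: `if (compressed_len < 18 || stream_get_left(s) < compressed_len - 18)`. The body of rdp_recv_data_pdu starts and ends outside the hunk, so an earlier check may exist but is not visible here.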
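Review bot: The `return -1;` in the DATA_PDU_TYPE_SAVE_SESSION_INFO case of the second hunk leaves the function directly, while the first hunk shows `comp_stream = stream_new(0);` on the compressed path; if the function releases that stream at its end (not visible here), this error path skips the release for every rejected PDU. Consider storing the result in a local and breaking out to the common cleanup instead of returning from inside the switch. The other cases of the switch are outside the hunk; any that still `return FALSE;` would read as success to a caller that tests for a negative value, so they are worth checking in the same pass.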