From fb76f88cacfecc980317e87e20619eee5611f4dc Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Mon, 22 Oct 2018 11:59:42 +0200 Subject: [PATCH] Added missing length check and log message information. --- channels/rdpsnd/client/rdpsnd_main.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/channels/rdpsnd/client/rdpsnd_main.c b/channels/rdpsnd/client/rdpsnd_main.c index db3379c..83abd33 100644 --- a/channels/rdpsnd/client/rdpsnd_main.c +++ b/channels/rdpsnd/client/rdpsnd_main.c @@ -449,8 +449,8 @@ static UINT rdpsnd_treat_wave(rdpsndPlugin* rdpsnd, wStream* s, size_t size) data = Stream_Pointer(s); format = &rdpsnd->ClientFormats[rdpsnd->wCurrentFormatNo]; - WLog_Print(rdpsnd->log, WLOG_DEBUG, "Wave: cBlockNo: %"PRIu8" wTimeStamp: %"PRIu16"", - rdpsnd->cBlockNo, rdpsnd->wTimeStamp); + WLog_Print(rdpsnd->log, WLOG_DEBUG, "Wave: cBlockNo: %"PRIu8" wTimeStamp: %"PRIu16", size: %"PRIdz, + rdpsnd->cBlockNo, rdpsnd->wTimeStamp, size); if (rdpsnd->device && rdpsnd->attached) { @@ -488,12 +488,16 @@ static UINT rdpsnd_treat_wave(rdpsndPlugin* rdpsnd, wStream* s, size_t size) static UINT rdpsnd_recv_wave_pdu(rdpsndPlugin* rdpsnd, wStream* s) { rdpsnd->expectingWave = FALSE; + /** * The Wave PDU is a special case: it is always sent after a Wave Info PDU, * and we do not process its header. Instead, the header is pad that needs * to be filled with the first four bytes of the audio sample data sent as * part of the preceding Wave Info PDU. */ + if (Stream_GetRemainingLength(s) < 4) + return ERROR_INVALID_DATA; + CopyMemory(Stream_Buffer(s), rdpsnd->waveData, 4); return rdpsnd_treat_wave(rdpsnd, s, rdpsnd->waveDataSize); } @@ -515,8 +519,8 @@ static UINT rdpsnd_recv_wave2_pdu(rdpsndPlugin* rdpsnd, wStream* s, UINT16 BodyS rdpsnd->waveDataSize = BodySize - 12; format = &rdpsnd->ClientFormats[wFormatNo]; rdpsnd->wArrivalTime = GetTickCount(); - WLog_Print(rdpsnd->log, WLOG_DEBUG, "Wave2PDU: cBlockNo: %"PRIu8" wFormatNo: %"PRIu16"", - rdpsnd->cBlockNo, wFormatNo); + WLog_Print(rdpsnd->log, WLOG_DEBUG, "Wave2PDU: cBlockNo: %"PRIu8" wFormatNo: %"PRIu16", align=%hu", + rdpsnd->cBlockNo, wFormatNo, format->nBlockAlign); if (!rdpsnd_ensure_device_is_open(rdpsnd, wFormatNo, format)) return ERROR_INTERNAL_ERROR; -- 2.7.4