Added bounds check in rdpgfx_recv_wire_to_surface_1_pdu

(cherry picked from commit 5fc3846f7793d4afe48387ac3aeffd4ad6852bab)

diff --git a/channels/rdpgfx/client/rdpgfx_main.c b/channels/rdpgfx/client/rdpgfx_main.c
index 94b5b68..67b3a7d 100644 (file)
--- a/channels/rdpgfx/client/rdpgfx_main.c
+++ b/channels/rdpgfx/client/rdpgfx_main.c
@@ -999,6 +999,19 @@ static UINT rdpgfx_recv_wire_to_surface_1_pdu(RDPGFX_CHANNEL_CALLBACK* callback,
        cmd.data = pdu.bitmapData;
        cmd.extra = NULL;
 
+       if (cmd.right < cmd.left)
+       {
+               WLog_Print(gfx->log, WLOG_ERROR, "RecvWireToSurface1Pdu right=%" PRIu32 " < left=%" PRIu32,
+                          cmd.right, cmd.left);
+               return ERROR_INVALID_DATA;
+       }
+       if (cmd.bottom < cmd.top)
+       {
+               WLog_Print(gfx->log, WLOG_ERROR, "RecvWireToSurface1Pdu bottom=%" PRIu32 " < top=%" PRIu32,
+                          cmd.bottom, cmd.top);
+               return ERROR_INVALID_DATA;
+       }
+
        if ((error = rdpgfx_decode(gfx, &cmd)))
                WLog_Print(gfx->log, WLOG_ERROR, "rdpgfx_decode failed with error %" PRIu32 "!", error);