From 7eff021771df4bbe783ae633642e6bc8d345c8bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Sun, 8 Jan 2012 16:02:59 -0500
Subject: [PATCH] libfreerdp-core: fix parsing bugs with synchronize, font map and session logon info PDUs

---
 libfreerdp-core/activation.c | 35 ++++++++++++++++++++++++++++++++++-
 libfreerdp-core/activation.h | 5 ++++-
 libfreerdp-core/info.c | 1 +
 libfreerdp-core/peer.c | 2 +-
 libfreerdp-core/rdp.c | 4 ++--
 5 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/libfreerdp-core/activation.c b/libfreerdp-core/activation.c
index 4b7937609..5c781b8bf 100644
--- a/libfreerdp-core/activation.c
+++ b/libfreerdp-core/activation.c
@@ -36,6 +36,14 @@ void rdp_write_synchronize_pdu(STREAM* s, rdpSettings* settings)
 stream_write_uint16(s, settings->pdu_source); /* targetUser (2 bytes) */
 }
 
+boolean rdp_recv_synchronize_pdu(rdpRdp* rdp, STREAM* s)
+{
+ if (rdp->settings->server_mode)
+ return rdp_recv_server_synchronize_pdu(rdp, s);
+ else
+ return rdp_recv_client_synchronize_pdu(rdp, s);
+}
+
 boolean rdp_recv_server_synchronize_pdu(rdpRdp* rdp, STREAM* s)
 {
 rdp->finalize_sc_pdus |= FINALIZE_SC_SYNCHRONIZE_PDU;
@@ -54,17 +62,22 @@ boolean rdp_send_server_synchronize_pdu(rdpRdp* rdp)
 return true;
 }
 
-boolean rdp_recv_client_synchronize_pdu(STREAM* s)
+boolean rdp_recv_client_synchronize_pdu(rdpRdp* rdp, STREAM* s)
 {
 uint16 messageType;
 
+ rdp->finalize_sc_pdus |= FINALIZE_SC_SYNCHRONIZE_PDU;
+
 if (stream_get_left(s) < 4)
 return false;
 
 stream_read_uint16(s, messageType); /* messageType (2 bytes) */
+
 if (messageType != SYNCMSGTYPE_SYNC)
 return false;
+
 /* targetUser (2 bytes) */
+ stream_seek_uint16(s);
 
 return true;
 }
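Review bot: In rdp_recv_synchronize_pdu the server_mode branch calls rdp_recv_server_synchronize_pdu, which only sets the finalize flag, while the non-server branch calls rdp_recv_client_synchronize_pdu, the one variant that checks the remaining length and messageType; the peer.c hunk in this same patch calls rdp_recv_client_synchronize_pdu for the server side, so the branch-to-name mapping here reads inverted relative to that caller. The net effect for a client is the stricter parser, which is what the commit sets out to fix, but a later reader is likely to "correct" the dispatcher by swapping the branches. If the intent is that the client reuses the validating parser, a comment on the function saying so, e.g. `/* non-server side: full parse with validation; server side only records receipt */`, would settle it. rdp_recv_font_map_pdu in the next hunk of this file has the same shape and would take the same comment.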
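Review bot: In rdp_recv_client_synchronize_pdu the new `rdp->finalize_sc_pdus |= FINALIZE_SC_SYNCHRONIZE_PDU;` runs before the stream_get_left and messageType checks, so a short or mistyped PDU that the function rejects still leaves the synchronize step recorded as received. On the client path the return value is discarded by rdp_recv_data_pdu (the rdp.c hunk in this patch), so the flag is the only outcome that survives a rejected PDU. Moving the assignment to just before `return true;` makes the flag mean "a valid synchronize PDU was parsed".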
@@ -220,12 +233,32 @@ boolean rdp_send_client_font_list_pdu(rdpRdp* rdp, uint16 flags)
 return rdp_send_data_pdu(rdp, s, DATA_PDU_TYPE_FONT_LIST, rdp->mcs->user_id);
 }
 
+boolean rdp_recv_font_map_pdu(rdpRdp* rdp, STREAM* s)
+{
+ if (rdp->settings->server_mode)
+ return rdp_recv_server_font_map_pdu(rdp, s);
+ else
+ return rdp_recv_client_font_map_pdu(rdp, s);
+}
+
 boolean rdp_recv_server_font_map_pdu(rdpRdp* rdp, STREAM* s)
 {
 rdp->finalize_sc_pdus |= FINALIZE_SC_FONT_MAP_PDU;
 return true;
 }
 
+boolean rdp_recv_client_font_map_pdu(rdpRdp* rdp, STREAM* s)
+{
+ rdp->finalize_sc_pdus |= FINALIZE_SC_FONT_MAP_PDU;
+
+ stream_seek_uint16(s); /* numberEntries (2 bytes) */
+ stream_seek_uint16(s); /* totalNumEntries (2 bytes) */
+ stream_seek_uint16(s); /* mapFlags (2 bytes) */
+ stream_seek_uint16(s); /* entrySize (2 bytes) */
+
+ return true;
+}
+
 boolean rdp_send_server_font_map_pdu(rdpRdp* rdp)
 {
 STREAM* s;
diff --git a/libfreerdp-core/activation.h b/libfreerdp-core/activation.h
index 5c414ed14..25891711a 100644
--- a/libfreerdp-core/activation.h
+++ b/libfreerdp-core/activation.h
@@ -41,9 +41,10 @@ boolean rdp_recv_deactivate_all(rdpRdp* rdp, STREAM* s);
 boolean rdp_send_deactivate_all(rdpRdp* rdp);
 
 
+boolean rdp_recv_synchronize_pdu(rdpRdp* rdp, STREAM* s);
 boolean rdp_recv_server_synchronize_pdu(rdpRdp* rdp, STREAM* s);
 boolean rdp_send_server_synchronize_pdu(rdpRdp* rdp);
-boolean rdp_recv_client_synchronize_pdu(STREAM* s);
+boolean rdp_recv_client_synchronize_pdu(rdpRdp* rdp, STREAM* s);
 boolean rdp_send_client_synchronize_pdu(rdpRdp* rdp);
 boolean rdp_recv_control_pdu(STREAM* s, uint16* action);
 boolean rdp_recv_server_control_pdu(rdpRdp* rdp, STREAM* s);
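Review bot: rdp_recv_client_font_map_pdu skips four 2-byte fields with stream_seek_uint16 but never checks that 8 bytes are left, unlike rdp_recv_client_synchronize_pdu in this same patch, which guards with stream_get_left before reading. Whether stream_seek_uint16 itself bounds-checks is not visible here; if it does not, a truncated font map PDU moves the stream position past the end of the buffer. Add `if (stream_get_left(s) < 8) return false;` before the first seek, and move `rdp->finalize_sc_pdus |= FINALIZE_SC_FONT_MAP_PDU;` after the seeks so the flag is only set for a PDU that was actually consumed. The entries that numberEntries and entrySize describe are not consumed here at all; if the caller relies on the stream being positioned after them, that is worth a comment.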
@@ -53,7 +54,9 @@ boolean rdp_send_client_control_pdu(rdpRdp* rdp, uint16 action);
 boolean rdp_send_client_persistent_key_list_pdu(rdpRdp* rdp);
 boolean rdp_recv_client_font_list_pdu(STREAM* s);
 boolean rdp_send_client_font_list_pdu(rdpRdp* rdp, uint16 flags);
+boolean rdp_recv_font_map_pdu(rdpRdp* rdp, STREAM* s);
 boolean rdp_recv_server_font_map_pdu(rdpRdp* rdp, STREAM* s);
+boolean rdp_recv_client_font_map_pdu(rdpRdp* rdp, STREAM* s);
 boolean rdp_send_server_font_map_pdu(rdpRdp* rdp);
 
 boolean rdp_server_accept_client_control_pdu(rdpRdp* rdp, STREAM* s);
diff --git a/libfreerdp-core/info.c b/libfreerdp-core/info.c
index 6c1794091..40c08e19b 100644
--- a/libfreerdp-core/info.c
+++ b/libfreerdp-core/info.c
@@ -612,6 +612,7 @@ void rdp_recv_logon_info_v2(rdpRdp* rdp, STREAM* s)
 
 stream_seek_uint16(s); /* version (2 bytes) */
 stream_seek_uint32(s); /* size (4 bytes) */
+ stream_seek_uint32(s); /* sessionId (4 bytes) */
 stream_read_uint32(s, cbDomain); /* cbDomain (4 bytes) */
 stream_read_uint32(s, cbUserName); /* cbUserName (4 bytes) */
 stream_seek(s, 558); /* pad */
diff --git a/libfreerdp-core/peer.c b/libfreerdp-core/peer.c
index e85662da4..3960e9d91 100644
--- a/libfreerdp-core/peer.c
+++ b/libfreerdp-core/peer.c
@@ -64,7 +64,7 @@ static boolean peer_recv_data_pdu(freerdp_peer* client, STREAM* s)
 switch (type)
 {
 case DATA_PDU_TYPE_SYNCHRONIZE:
- if (!rdp_recv_client_synchronize_pdu(s))
+ if (!rdp_recv_client_synchronize_pdu(client->context->rdp, s))
 return false;
 break;
 
diff --git a/libfreerdp-core/rdp.c b/libfreerdp-core/rdp.c
index 4373a8310..5f32d5254 100644
--- a/libfreerdp-core/rdp.c
+++ b/libfreerdp-core/rdp.c
@@ -466,7 +466,7 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
 break;
 
 case DATA_PDU_TYPE_SYNCHRONIZE:
- rdp_recv_server_synchronize_pdu(rdp, s);
+ rdp_recv_synchronize_pdu(rdp, s);
 break;
 
 case DATA_PDU_TYPE_REFRESH_RECT:
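Review bot: The new `stream_seek_uint32(s); /* sessionId (4 bytes) */` in rdp_recv_logon_info_v2 joins a run of seeks and reads that has no stream_get_left check anywhere in the hunk, and the function returns void, so a short PDU can neither be detected nor reported to the caller. The fields visible here (version, size, sessionId, cbDomain, cbUserName and the 558-byte pad) total 576 bytes, so a guard such as `if (stream_get_left(s) < 576) return;` placed before the version seek would cover them; cbDomain and cbUserName should likewise be compared against stream_get_left before whatever consumes them. rdp_recv_logon_info_v2 starts before this hunk and continues after it, so earlier reads and the string reads are not visible and may already carry such checks.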
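Review bot: The return value of `rdp_recv_synchronize_pdu(rdp, s);` is discarded, so the false that rdp_recv_client_synchronize_pdu now returns for a short or mistyped PDU is invisible on the client side; the same applies to `rdp_recv_font_map_pdu(rdp, s);` in the next hunk of this file. rdp_recv_data_pdu is declared void in the hunk header, so propagating the failure means changing its signature and its caller, both outside this hunk. Until then the result should at least be checked and the PDU reported as malformed with whatever error reporting this file already uses, rather than falling through to `break;` as if it had parsed.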
@@ -493,7 +493,7 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
 break;
 
 case DATA_PDU_TYPE_FONT_MAP:
- rdp_recv_server_font_map_pdu(rdp, s);
+ rdp_recv_font_map_pdu(rdp, s);
 break;
 
 case DATA_PDU_TYPE_SET_KEYBOARD_INDICATORS: