morgan/FreeRDP
1
0
Fork 0
mirror of https://github.com/morgan9e/FreeRDP synced 2026-04-15 00:44:19 +09:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12310 from akallabeth/clear-fix

Browse Source 
Clear fix bounds checks
This commit is contained in:
akallabeth
2026-02-15 22:52:43 +01:00
committed by GitHub
parent 6db1965bb2 f4d74c33fd
commit a9e5642d69
4 changed files with 64 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
include/freerdp/codec/nsc.h
View File

@@ -53,11 +53,33 @@ extern "C"
FREERDP_API BOOL nsc_context_set_parameters(NSC_CONTEXT* WINPR_RESTRICT context,
NSC_PARAMETER what, UINT32 value);
/** @brief decode a NSC message
*
* @param context The context to work on
* @param bpp The bit depth of the data
* @param width The width in pixels of the NSC surface
* @param height The height in pixels of the NSC surface
* @param data The data to decode
* @param length The length of \ref data in bytes
* @param pDstData The destination buffer. Must be at least \n nDstStride * nHeight in size.
* @param DstFormat The color format of the destination
* @param nDstStride The number of bytes per destination buffer line. Must be larger than
* bytes(DstFormat) * nWidth or \0 (in which case it is set to former minimum bound)
* @param nXDst The X offset in the destination buffer in pixels
* @param nYDst The Y offset in the destination buffer in pixels
* @param nWidth The width of the destination buffer in pixels
* @param nHeight The height of the destination buffer in pixels
* @param flip Image flipping flags FREERDP_FLIP_NONE et al passed on to \ref
* freerdp_image_copy
*
* @return \b TRUE in case of success, \b FALSE for any error. Check WLog for details.
*/
FREERDP_API BOOL nsc_process_message(NSC_CONTEXT* WINPR_RESTRICT context, UINT16 bpp,
UINT32 width, UINT32 height, const BYTE* data,
UINT32 length, BYTE* WINPR_RESTRICT pDstData,
UINT32 DstFormat, UINT32 nDstStride, UINT32 nXDst,
UINT32 nYDst, UINT32 nWidth, UINT32 nHeight, UINT32 flip);
FREERDP_API BOOL nsc_compose_message(NSC_CONTEXT* WINPR_RESTRICT context,
wStream* WINPR_RESTRICT s,
const BYTE* WINPR_RESTRICT bmpdata, UINT32 width,

51
libfreerdp/codec/clear.c
View File

@@ -455,40 +455,41 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* WINPR_RESTRICT clear,
UINT32 nDstWidth, UINT32 nDstHeight,
const gdiPalette* WINPR_RESTRICT palette)
{
UINT16 xStart = 0;
UINT16 yStart = 0;
UINT16 width = 0;
UINT16 height = 0;
UINT32 bitmapDataByteCount = 0;
BYTE subcodecId = 0;
UINT32 suboffset = 0;
if (!Stream_CheckAndLogRequiredLength(TAG, s, subcodecByteCount))
return FALSE;
suboffset = 0;
while (suboffset < subcodecByteCount)
{
UINT32 nXDstRel = 0;
UINT32 nYDstRel = 0;
if (!Stream_CheckAndLogRequiredLength(TAG, s, 13))
return FALSE;
Stream_Read_UINT16(s, xStart);
Stream_Read_UINT16(s, yStart);
Stream_Read_UINT16(s, width);
Stream_Read_UINT16(s, height);
Stream_Read_UINT32(s, bitmapDataByteCount);
Stream_Read_UINT8(s, subcodecId);
const UINT16 xStart = Stream_Get_UINT16(s);
const UINT16 yStart = Stream_Get_UINT16(s);
const UINT16 width = Stream_Get_UINT16(s);
const UINT16 height = Stream_Get_UINT16(s);
const UINT32 bitmapDataByteCount = Stream_Get_UINT32(s);
const UINT8 subcodecId = Stream_Get_UINT8(s);
suboffset += 13;
if (!Stream_CheckAndLogRequiredLength(TAG, s, bitmapDataByteCount))
return FALSE;
nXDstRel = nXDst + xStart;
nYDstRel = nYDst + yStart;
const UINT32 nXDstRel = nXDst + xStart;
const UINT32 nYDstRel = nYDst + yStart;
if (1ull * nXDstRel + width > nWidth)
{
WLog_ERR(TAG, "nXDstRel %" PRIu16 " + width %" PRIu16 " > nWidth %" PRIu32 "", xStart,
width, nWidth);
return FALSE;
}
if (1ull * nYDstRel + height > nHeight)
{
WLog_ERR(TAG, "nYDstRel %" PRIu16 " + height %" PRIu16 " > nHeight %" PRIu32 "", yStart,
height, nHeight);
return FALSE;
}
if (1ull * xStart + width > nWidth)
{
@@ -1045,6 +1046,18 @@ INT32 clear_decompress(CLEAR_CONTEXT* WINPR_RESTRICT clear, const BYTE* WINPR_RE
if ((nWidth > 0xFFFF) || (nHeight > 0xFFFF))
return -1004;
if (nXDst > nDstWidth)
{
WLog_WARN(TAG, "nXDst %" PRIu32 " > nDstWidth %" PRIu32, nXDst, nDstWidth);
return -1005;
}
if (nYDst > nDstHeight)
{
WLog_WARN(TAG, "nYDst %" PRIu32 " > nDstHeight %" PRIu32, nYDst, nDstHeight);
return -1006;
}
s = Stream_StaticConstInit(&sbuffer, pSrcData, SrcSize);
if (!s)

12
libfreerdp/codec/nsc.c
View File

@@ -436,19 +436,25 @@ BOOL nsc_process_message(NSC_CONTEXT* WINPR_RESTRICT context, UINT16 bpp, UINT32
UINT32 nXDst, UINT32 nYDst, UINT32 nWidth,
WINPR_ATTR_UNUSED UINT32 nHeight, UINT32 flip)
{
wStream* s = NULL;
wStream sbuffer = { 0 };
BOOL ret = 0;
if (!context || !data || !pDstData)
return FALSE;
s = Stream_StaticConstInit(&sbuffer, data, length);
if (nXDst > nWidth)
return FALSE;
if (nYDst > nHeight)
return FALSE;
wStream* s = Stream_StaticConstInit(&sbuffer, data, length);
if (!s)
return FALSE;
const UINT32 minStride = nWidth * FreeRDPGetBytesPerPixel(DstFormat);
if (nDstStride == 0)
nDstStride = nWidth * FreeRDPGetBytesPerPixel(DstFormat);
nDstStride = minStride;
if (nDstStride < minStride)
return FALSE;
switch (bpp)
{

2
libfreerdp/core/settings.c
View File

@@ -974,7 +974,7 @@ rdpSettings* freerdp_settings_new(DWORD flags)
DEFAULT_COOKIE_MAX_LENGTH) ||
!freerdp_settings_set_uint32(settings, FreeRDP_ClientBuild,
18363) || /* Windows 10, Version 1909 */
!freerdp_settings_set_uint32(settings, FreeRDP_KeyboardType, 4) ||
!freerdp_settings_set_uint32(settings, FreeRDP_KeyboardType, WINPR_KBD_TYPE_IBM_ENHANCED) ||
!freerdp_settings_set_uint32(settings, FreeRDP_KeyboardSubType, 0) ||
!freerdp_settings_set_uint32(settings, FreeRDP_KeyboardFunctionKey, 12) ||
!freerdp_settings_set_uint32(settings, FreeRDP_KeyboardLayout, 0) ||