morgan/FreeRDP
1
0
Fork 0
mirror of https://github.com/morgan9e/FreeRDP synced 2026-04-15 08:54:38 +09:00
Code Issues Packages Projects Releases Wiki Activity

[coded,rfx] check indices are within range

Browse Source 
reported by @pwn2carr
This commit is contained in:
Armin Novak
2023-08-05 08:57:28 +02:00
committed by Martin Fleisz
parent 1ca6362498
commit e204fc8be5
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
libfreerdp/codec/rfx.c
View File

@@ -994,6 +994,31 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
Stream_Read_UINT8(sub, tile->quantIdxY); /* quantIdxY (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
if (tile->quantIdxY >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
context->numQuant);
rc = FALSE;
break;
}
if (tile->quantIdxCb >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
context->numQuant);
rc = FALSE;
break;
}
if (tile->quantIdxCr >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
context->numQuant);
rc = FALSE;
break;
}
Stream_Read_UINT16(sub, tile->xIdx); /* xIdx (2 bytes) */
Stream_Read_UINT16(sub, tile->yIdx); /* yIdx (2 bytes) */
Stream_Read_UINT16(sub, tile->YLen); /* YLen (2 bytes) */