From efa0567c027239b901ccdc590b9e229e0111c68b Mon Sep 17 00:00:00 2001
From: Armin Novak <anovak@thincast.com>
Date: Sat, 5 Aug 2023 08:57:28 +0200
Subject: [PATCH] [coded,rfx] check indices are within range

reported by @pwn2carr

(cherry picked from commit 61e17f4707cee66ecaa7519073bae74ecf0a9af4)
---
 libfreerdp/codec/rfx.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index 13d48c24f329..d7f0d8c65d25 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -936,6 +936,30 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
 		Stream_Read_UINT8(&sub, tile->quantIdxY);  /* quantIdxY (1 byte) */
 		Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
 		Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
+		if (tile->quantIdxY >= context->numQuant)
+			{
+				WLog_Print(context->priv->log, WLOG_ERROR,
+				           "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
+				           context->numQuant);
+				rc = FALSE;
+				break;
+			}
+			if (tile->quantIdxCb >= context->numQuant)
+			{
+				WLog_Print(context->priv->log, WLOG_ERROR,
+				           "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
+				           context->numQuant);
+				rc = FALSE;
+				break;
+			}
+			if (tile->quantIdxCr >= context->numQuant)
+			{
+				WLog_Print(context->priv->log, WLOG_ERROR,
+				           "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
+				           context->numQuant);
+				rc = FALSE;
+				break;
+
 		Stream_Read_UINT16(&sub, tile->xIdx);      /* xIdx (2 bytes) */
 		Stream_Read_UINT16(&sub, tile->yIdx);      /* yIdx (2 bytes) */
 		Stream_Read_UINT16(&sub, tile->YLen);      /* YLen (2 bytes) */