From efa0567c027239b901ccdc590b9e229e0111c68b Mon Sep 17 00:00:00 2001
From: Armin Novak <anovak@thincast.com>
Date: Sat, 5 Aug 2023 08:57:28 +0200
Subject: [PATCH] [coded,rfx] check indices are within range

reported by @pwn2carr

(cherry picked from commit 61e17f4707cee66ecaa7519073bae74ecf0a9af4)
---
 libfreerdp/codec/rfx.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index 13d48c24f329..d7f0d8c65d25 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -936,6 +936,30 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
 		Stream_Read_UINT8(&sub, tile->quantIdxY);  /* quantIdxY (1 byte) */
 		Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
 		Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
+		if (tile->quantIdxY >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
+			           context->numQuant);
+			rc = FALSE;
+			break;
+		}
+		if (tile->quantIdxCb >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
+			           context->numQuant);
+			rc = FALSE;
+			break;
+		}
+		if (tile->quantIdxCr >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
+			           context->numQuant);
+			rc = FALSE;
+			break;
 		Stream_Read_UINT16(&sub, tile->xIdx); /* xIdx (2 bytes) */
 		Stream_Read_UINT16(&sub, tile->yIdx); /* yIdx (2 bytes) */
 		Stream_Read_UINT16(&sub, tile->YLen); /* YLen (2 bytes) */
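Review bot: The third range check, for quantIdxCr, has no closing `}` in the hunk as shown — its `break;` runs straight into the context line `Stream_Read_UINT16(&sub, tile->xIdx);`, which would not compile; the diffstat reports 24 insertions while only 23 added lines are visible, so a `+ }` line was most likely lost in rendering rather than in the commit, but that is worth confirming against the upstream commit before merging the backport. The three blocks are otherwise identical apart from the field name, and the repetition invites drift if the check ever needs adjusting; a small static helper that logs and returns FALSE keeps the bound in one place, sketched below. The checks rely on `context->numQuant` already having been set from the quant-values part of the same message; that assignment, the `rc` declaration and the enclosing loop are outside the hunk, and `rfx_process_message_tileset` itself starts and ends outside it.
```c
/* Reject a quantisation-table index that is outside the tables parsed for this tileset. */
static BOOL rfx_check_quant_idx(RFX_CONTEXT* context, const char* name, UINT8 idx)
{
	if (idx < context->numQuant)
		return TRUE;
	WLog_Print(context->priv->log, WLOG_ERROR, "%s %" PRIu8 " >= numQuant %" PRIu8, name, idx,
	           context->numQuant);
	return FALSE;
}

/* … unchanged: per-tile header reads up to quantIdxCr … */
		if (!rfx_check_quant_idx(context, "quantIdxY", tile->quantIdxY) ||
		    !rfx_check_quant_idx(context, "quantIdxCb", tile->quantIdxCb) ||
		    !rfx_check_quant_idx(context, "quantIdxCr", tile->quantIdxCr))
		{
			rc = FALSE;
			break;
		}
```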