[coded,rfx] check indices are within range
reported by @pwn2carr
Armin Novak authored and mfleisz committed Aug 21, 2023
1 parent 1ca6362 commit e204fc8
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions libfreerdp/codec/rfx.c
Expand Up @@ -994,6 +994,31 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
Stream_Read_UINT8(sub, tile->quantIdxY); /* quantIdxY (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
if (tile->quantIdxY >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
context->numQuant);
rc = FALSE;
break;
}
if (tile->quantIdxCb >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
context->numQuant);
rc = FALSE;
break;
}
if (tile->quantIdxCr >= context->numQuant)
{
WLog_Print(context->priv->log, WLOG_ERROR,
"quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
context->numQuant);
rc = FALSE;
break;
}

Stream_Read_UINT16(sub, tile->xIdx); /* xIdx (2 bytes) */
Stream_Read_UINT16(sub, tile->yIdx); /* yIdx (2 bytes) */
Stream_Read_UINT16(sub, tile->YLen); /* YLen (2 bytes) */
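
Review bot: The three checks on tile->quantIdxY, tile->quantIdxCb and tile->quantIdxCr are the same block repeated with only the field name changed; a small static helper that takes the index, its name for the log message and context->numQuant would keep the comparison and the WLog_Print format in one place, so a later change to the bound cannot be applied to only one of the three. Placement is right: the checks sit directly after the three Stream_Read_UINT8 calls, before the remaining tile header fields are read. Two things are not visible in this hunk and are worth confirming: that context->numQuant is an 8-bit type, since it is printed with PRIu8, and that leaving the loop through `rc = FALSE; break;` releases whatever the current tile already holds at that point.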

1 comment on commit e204fc8

@coldtobi

According to the Debian security tracker, this fixes CVE-2023-39350
