From e204fc8be5a372626b13f66daf2abafe71dbc2dc Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Sat, 5 Aug 2023 08:57:28 +0200
Subject: [PATCH] [coded,rfx] check indices are within range

reported by @pwn2carr
---
 libfreerdp/codec/rfx.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index 58ab10d21b56..3716084b52e3 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -994,6 +994,31 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
 		Stream_Read_UINT8(sub, tile->quantIdxY); /* quantIdxY (1 byte) */
 		Stream_Read_UINT8(sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
 		Stream_Read_UINT8(sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
+		if (tile->quantIdxY >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
+			           context->numQuant);
+			rc = FALSE;
+			break;
+		}
+		if (tile->quantIdxCb >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
+			           context->numQuant);
+			rc = FALSE;
+			break;
+		}
+		if (tile->quantIdxCr >= context->numQuant)
+		{
+			WLog_Print(context->priv->log, WLOG_ERROR,
+			           "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
+			           context->numQuant);
+			rc = FALSE;
+			break;
+		}
+
 		Stream_Read_UINT16(sub, tile->xIdx); /* xIdx (2 bytes) */
 		Stream_Read_UINT16(sub, tile->yIdx); /* yIdx (2 bytes) */
 		Stream_Read_UINT16(sub, tile->YLen); /* YLen (2 bytes) */
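Review bot: The three range checks added after the quantIdx reads are copies that differ only in the field and its name, so a later index (or a fourth check written without the log line) can drift from the others; a small static helper that validates one index and logs the failure would keep the bound in a single place and make the tile loop body read as one guard. The bound itself is right for what the hunk shows — a quantIdx that equals or exceeds numQuant would otherwise select an entry past the quant table presumably read earlier in this function, so a comment on the guard such as `/* quantIdx* select an entry of the numQuant quant values parsed above; reject before decode */` would tie the check to the buffer it protects. Note that `rc = FALSE; break;` leaves the loop rather than the function; rfx_process_message_tileset begins and ends outside the hunk, so the cleanup that follows the break cannot be confirmed here and should release whatever the partially parsed tile list owns. The sketch below keeps the same log text and failure path.

```c
/* True when idx can select one of the numQuant quant entries held by context;
 * otherwise logs the offending value under name and returns FALSE. */
static BOOL rfx_quant_idx_in_range(const RFX_CONTEXT* context, UINT8 idx, const char* name)
{
	if (idx < context->numQuant)
		return TRUE;
	WLog_Print(context->priv->log, WLOG_ERROR, "%s %" PRIu8 " >= numQuant %" PRIu8, name, idx,
	           context->numQuant);
	return FALSE;
}

/* … unchanged: rfx_process_message_tileset up to the quantIdx reads … */
		if (!rfx_quant_idx_in_range(context, tile->quantIdxY, "quantIdxY") ||
		    !rfx_quant_idx_in_range(context, tile->quantIdxCb, "quantIdxCb") ||
		    !rfx_quant_idx_in_range(context, tile->quantIdxCr, "quantIdxCr"))
		{
			rc = FALSE;
			break;
		}
/* … unchanged: xIdx/yIdx/YLen reads … */
```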