/*
 * Excerpt of an NSC run-length decoder as quoted on this page. The "[1]" and
 * "[2]" markers and the "..." line appear to be the page's own annotations,
 * not C source.
 *
 * Expands the RLE stream at `in` (inSize bytes readable) into `out` (outSize
 * bytes writable). `left` starts at originalSize and the loop runs while more
 * than 4 bytes are still expected; the code after the loop is elided.
 *
 * Every visible failure path returns FALSE: the input ran short, or the
 * output buffer cannot take the next write.
 *
 * Security note: `left` is decremented by a run length read from the input
 * (see [2]) without first checking that the run fits into `left`.
 */
static BOOL nsc_rle_decode(const BYTE* in, size_t inSize, BYTE* out, UINT32 outSize,
                           UINT32 originalSize)
{
    /* Bytes of decoded output still expected; unsigned, so it cannot go negative. */
    UINT32 left = originalSize;
    while (left > 4)
    {
        /* One input byte is needed for the next value. */
        if (inSize < 1)
            return FALSE;
        inSize--;
        const BYTE value = *in++;
        UINT32 len = 0;
        if (left == 5)
        {
            /* Writing one literal brings left down to 4, which ends the loop. */
            if (outSize < 1)
                return FALSE;
            outSize--;
            *out++ = value;
            left--;
        }
        /* A second byte must be readable before *in is compared below. */
        else if (inSize < 1)
            return FALSE;
        else if (value == *in)
        {
            /* Two equal consecutive bytes introduce a run; consume the second one. */
            inSize--;
            in++;
            if (inSize < 1)
                return FALSE;
            else if (*in < 0xFF)
            {
                /* Short form: one length byte below 0xFF, run length = byte + 2. */
                inSize--;
                len = (UINT32)*in++;
                len += 2;
            }
            else
            {
                /*
                 * Long form: the 0xFF marker plus a 32-bit little-endian run
                 * length (5 bytes in total). The length is used exactly as it
                 * appears in the input, so it can be any 32-bit value.
                 */
                if (inSize < 5)
                    return FALSE;
                inSize -= 5;
                in++;
                len = ((UINT32)(*in++));
                len |= ((UINT32)(*in++)) << 8U;
                len |= ((UINT32)(*in++)) << 16U;
                len |= ((UINT32)(*in++)) << 24U;
            }
            /*
             * [1] bounds len against the output buffer only. Nothing compares
             * len with `left`, so a run longer than the remaining expected
             * size passes whenever outSize is large enough.
             */
            [1] if (outSize < len)
                return FALSE;
            outSize -= len;
            FillMemory(out, len, value);
            out += len;
            /*
             * [2] unsigned subtraction: if len > left this wraps around to a
             * very large value, `left > 4` stays true and the loop no longer
             * stops at originalSize. Rejecting len > left together with [1],
             * e.g. `(outSize < len) || (left < len)`, prevents the wrap.
             */
            [2] left -= len;
        }
        else
        {
            /* Not a run: copy the byte through as a literal. */
            if (outSize < 1)
                return FALSE;
            outSize--;
            *out++ = value;
            left--;
        }
    }
    /* Remainder of the function is elided in this excerpt. */
    ...
}
Impact
- FreeRDP based clients are affected.
- The NSC codec is affected.

If `len` at [1] is larger than `left`, the unsigned subtraction at [2] underflows. As a result 'left' will be a large positive value.
Patches
Workarounds
(`-nsc`)

References