
Commit 0a98c45

committed
Fixed out of bound read in RLEDECOMPRESS
CVE-2020-4033. Thanks to @antonio-morales for finding this.
1 parent e7bffa6 commit 0a98c45


1 file changed

+12
-0
lines changed


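--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -201,6 +201,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 
 if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN)
 {
+if (pbSrc >= pbEnd)
+return FALSE;
 SRCREADPIXEL(fgPel, pbSrc);
 SRCNEXTPIXEL(pbSrc);
 }
@@ -231,8 +233,12 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 case MEGA_MEGA_DITHERED_RUN:
 runLength = ExtractRunLength(code, pbSrc, &advance);
 pbSrc = pbSrc + advance;
+if (pbSrc >= pbEnd)
+return FALSE;
 SRCREADPIXEL(pixelA, pbSrc);
 SRCNEXTPIXEL(pbSrc);
+if (pbSrc >= pbEnd)
+return FALSE;
 SRCREADPIXEL(pixelB, pbSrc);
 SRCNEXTPIXEL(pbSrc);
 
@@ -252,6 +258,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 case MEGA_MEGA_COLOR_RUN:
 runLength = ExtractRunLength(code, pbSrc, &advance);
 pbSrc = pbSrc + advance;
+if (pbSrc >= pbEnd)
+return FALSE;
 SRCREADPIXEL(pixelA, pbSrc);
 SRCNEXTPIXEL(pbSrc);
 
@@ -272,6 +280,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 runLength = ExtractRunLength(code, pbSrc, &advance);
 pbSrc = pbSrc + advance;
 
+if (pbSrc >= pbEnd)
+return FALSE;
 if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE)
 {
 SRCREADPIXEL(fgPel, pbSrc);
@@ -338,6 +348,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 return FALSE;
 
 UNROLL(runLength, {
+if (pbSrc >= pbEnd)
+return FALSE;
 SRCREADPIXEL(temp, pbSrc);
 SRCNEXTPIXEL(pbSrc);
 DESTWRITEPIXEL(pbDest, temp);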
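Review bot: Each added guard `if (pbSrc >= pbEnd) return FALSE;` proves only that one source byte remains before `SRCREADPIXEL`, so if that macro reads more than one byte for some pixel depths (its definition is not on this page, and the `include/bitmap.c` path suggests a per-depth template), the last pixel of a truncated stream could still be read past `pbEnd`; this applies to all six checks across the five hunks. Comparing the remaining length with the pixel width would close that gap, e.g. `if ((pbEnd - pbSrc) < (ptrdiff_t)SRC_PIXEL_BYTES) return FALSE;`, where `SRC_PIXEL_BYTES` is a placeholder for whatever size the template defines. In the run-length cases the guard also sits after `ExtractRunLength(code, pbSrc, &advance)` and `pbSrc = pbSrc + advance`, and that call is given no end pointer, so any length bytes it reads and the pointer advance itself are not covered by this change. RLEDECOMPRESS begins and ends outside these hunks, so checks elsewhere in the function may already handle part of this.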
