Added missing length checks in zgfx_decompress_segment
(cherry picked from commit 64716b3)
akallabeth committed Nov 14, 2022
1 parent ff82ae8 commit e865c24
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions libfreerdp/codec/zgfx.c
@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
BYTE* pbSegment;
size_t cbSegment;

if (!zgfx || !stream)
if (!zgfx || !stream || (segmentSize < 2))
return FALSE;

cbSegment = segmentSize - 1;

if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
(segmentSize > UINT32_MAX))
if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
return FALSE;

Stream_Read_UINT8(stream, flags); /* header (1 byte) */
zgfx->OutputCount = 0;
pbSegment = Stream_Pointer(stream);
Stream_Seek(stream, cbSegment);
if (!Stream_SafeSeek(stream, cbSegment))
return FALSE;

if (!(flags & PACKET_COMPRESSED))
{
@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
return FALSE;

if (count > zgfx->cBitsRemaining / 8)
return FALSE;

CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
count);
zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
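Review bot: The new guard `if (count > zgfx->cBitsRemaining / 8)` in the second hunk bounds the `CopyMemory` source read only as well as `cBitsRemaining` itself is bounded, and that field is initialized outside the visible lines. If it is computed by subtracting a padding value read from the segment data (presumably; not shown here), a malformed segment could make that subtraction wrap, and the guard would then pass for any `count`. It is worth confirming that the initialization rejects a padding value larger than the payload bit count. A short comment above the guard, e.g. `/* input bound: count bytes must still be unread in this segment */`, would also make clear that it pairs with the output-space check just before it. The body of `zgfx_decompress_segment` starts and ends outside both hunks.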