Skip to content

Commit ed53cd1

Browse files
committed
Fixed #6006: bounds checks in update_read_synchronize
1 parent f5e73cc commit ed53cd1

File tree

1 file changed

+8
-7
lines changed

1 file changed

+8
-7
lines changed

Diff for: libfreerdp/core/update.c

+8-7
Original file line numberDiff line numberDiff line change
@@ -287,14 +287,14 @@ PALETTE_UPDATE* update_read_palette(rdpUpdate* update, wStream* s)
287287
return NULL;
288288
}
289289

290-
static void update_read_synchronize(rdpUpdate* update, wStream* s)
290+
static BOOL update_read_synchronize(rdpUpdate* update, wStream* s)
291291
{
292292
WINPR_UNUSED(update);
293-
Stream_Seek_UINT16(s); /* pad2Octets (2 bytes) */
294-
/**
295-
* The Synchronize Update is an artifact from the
296-
* T.128 protocol and should be ignored.
297-
*/
293+
return Stream_SafeSeek(s, 2); /* pad2Octets (2 bytes) */
294+
/**
295+
* The Synchronize Update is an artifact from the
296+
* T.128 protocol and should be ignored.
297+
*/
298298
}
299299

300300
static BOOL update_read_play_sound(wStream* s, PLAY_SOUND_UPDATE* play_sound)
@@ -807,7 +807,8 @@ BOOL update_recv(rdpUpdate* update, wStream* s)
807807
break;
808808

809809
case UPDATE_TYPE_SYNCHRONIZE:
810-
update_read_synchronize(update, s);
810+
if (!update_read_synchronize(update, s))
811+
goto fail;
811812
rc = IFCALLRESULT(TRUE, update->Synchronize, context);
812813
break;
813814

0 commit comments

Comments
 (0)