1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
From 602fb7d788446969ccfedb8dab4a9abd0ab7df23 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Fri, 12 Mar 2021 10:15:51 +0100
Subject: [PATCH 27/36] Added missing bounds check.
(cherry picked from commit 2e6069d95b997d0dc7d2cc118255570d22f0ae0c)
---
libfreerdp/codec/planar.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index f31c2d46a..8588a9e21 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -508,7 +508,7 @@ static INLINE BOOL writeLine(BYTE** ppRgba, UINT32 DstFormat, UINT32 width, cons
static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* pDstData,
UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst,
UINT32 nYDst, UINT32 nWidth, UINT32 nHeight,
- BOOL vFlip)
+ BOOL vFlip, UINT32 totalHeight)
{
INT32 y;
INT32 beg, end, inc;
@@ -516,6 +516,7 @@ static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* p
const BYTE* pG = pSrcData[1];
const BYTE* pB = pSrcData[2];
const BYTE* pA = pSrcData[3];
+ const UINT32 bpp = GetBytesPerPixel(DstFormat);
if (vFlip)
{
@@ -530,9 +531,20 @@ static INLINE BOOL planar_decompress_planes_raw(const BYTE* pSrcData[4], BYTE* p
inc = 1;
}
+ if (nYDst + nHeight > totalHeight)
+ return FALSE;
+
+ if ((nXDst + nWidth) * bpp > nDstStep)
+ return FALSE;
+
for (y = beg; y != end; y += inc)
{
- BYTE* pRGB = &pDstData[((nYDst + y) * nDstStep) + (nXDst * GetBytesPerPixel(DstFormat))];
+ BYTE* pRGB;
+
+ if (y > (INT64)nHeight)
+ return FALSE;
+
+ pRGB = &pDstData[((nYDst + y) * nDstStep) + (nXDst * bpp)];
if (!writeLine(&pRGB, DstFormat, nWidth, &pR, &pG, &pB, &pA))
return FALSE;
@@ -739,6 +751,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
UINT32 TempFormat;
BYTE* pTempData = pDstData;
UINT32 nTempStep = nDstStep;
+ UINT32 nTotalHeight = nYDst + nDstHeight;
if (useAlpha)
TempFormat = PIXEL_FORMAT_BGRA32;
@@ -749,12 +762,13 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
{
pTempData = planar->pTempData;
nTempStep = planar->nTempStep;
+ nTotalHeight = planar->maxHeight;
}
if (!rle) /* RAW */
{
if (!planar_decompress_planes_raw(planes, pTempData, TempFormat, nTempStep, nXDst,
- nYDst, nSrcWidth, nSrcHeight, vFlip))
+ nYDst, nSrcWidth, nSrcHeight, vFlip, nTotalHeight))
return FALSE;
if (alpha)
@@ -819,6 +833,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
UINT32 TempFormat;
BYTE* pTempData = planar->pTempData;
UINT32 nTempStep = planar->nTempStep;
+ UINT32 nTotalHeight = planar->maxHeight;
if (useAlpha)
TempFormat = PIXEL_FORMAT_BGRA32;
@@ -901,7 +916,7 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
}
if (!planar_decompress_planes_raw(planes, pTempData, TempFormat, nTempStep, nXDst,
- nYDst, nSrcWidth, nSrcHeight, vFlip))
+ nYDst, nSrcWidth, nSrcHeight, vFlip, nTotalHeight))
return FALSE;
if (alpha)
--
2.30.2
|
