Blame SOURCES/CVE-2018-8787.patch
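diff --git a/libfreerdp-gdi/graphics.c b/libfreerdp-gdi/graphics.c
index 04816334c..5a49bd365 100644
--- a/libfreerdp-gdi/graphics.c
+++ b/libfreerdp-gdi/graphics.c
@@ -30,6 +30,8 @@
 #include <freerdp/codec/bitmap.h>
 #include <freerdp/cache/glyph.h>
 
+#include <stdint.h>
+
 #include "graphics.h"
 
 /* Bitmap Class */
@@ -89,9 +91,18 @@ void gdi_Bitmap_Paint(rdpContext* context, rdpBitmap* bitmap)
 void gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap,
 uint8* data, int width, int height, int bpp, int length, boolean compressed)
 {
- uint16 size;
+ uint32 size = width * height;
+ int bpp_op = (bpp + 7) / 8;
+
+ if ((bpp == 0) ||
+ (width == 0) || (height == 0) || (width > UINT32_MAX / height) ||
+ (size > (UINT32_MAX / bpp_op)))
+ {
+ printf("gdi_Bitmap_Decompress failed\n");
+ abort();
+ }
 
- size = width * height * (bpp + 7) / 8;
+ size *= bpp_op;
 
 if (bitmap->data == NULL)
 bitmap->data = (uint8*) xmalloc(size);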
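Review bot: The initializer `uint32 size = width * height;` multiplies two `int` parameters before the guard runs, so the overflow the guard is meant to catch has already happened as signed overflow (undefined behaviour) by the time `size` is tested. The guard also rejects only exact zeros: a negative `width` or `height` is converted to a large unsigned value in the `UINT32_MAX / height` comparison and can pass it, and a `bpp` from -7 to -1 makes `bpp_op` zero, so `UINT32_MAX / bpp_op` divides by zero. Whether callers can pass such values is not visible in this hunk, but the parameters are signed and the function appears to handle server-supplied bitmap dimensions, so the check should not depend on it. Rejecting non-positive values first and doing the multiplication in unsigned arithmetic only after the range check closes both gaps, as sketched below. The body of gdi_Bitmap_Decompress continues past the end of the hunk.

```c
/* … unchanged: gdi_Bitmap_Decompress signature and opening brace … */
	uint32 size;
	uint32 bpp_op;

	/* Reject non-positive inputs before any cast, division or multiplication. */
	if ((bpp <= 0) || (width <= 0) || (height <= 0) ||
		((uint32) width > UINT32_MAX / (uint32) height))
	{
		printf("gdi_Bitmap_Decompress failed\n");
		abort();
	}

	bpp_op = ((uint32) bpp + 7) / 8;
	size = (uint32) width * (uint32) height;

	if (size > UINT32_MAX / bpp_op)
	{
		printf("gdi_Bitmap_Decompress failed\n");
		abort();
	}

	size *= bpp_op;
/* … unchanged: bitmap->data allocation … */
```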