|
 |
0c73ee |
diff --git a/libfreerdp-codec/nsc.c b/libfreerdp-codec/nsc.c
|
|
|
0c73ee |
index a39bdd33e..a86ea80f4 100644
|
|
|
0c73ee |
--- a/libfreerdp-codec/nsc.c
|
|
|
0c73ee |
+++ b/libfreerdp-codec/nsc.c
|
|
|
0c73ee |
@@ -217,6 +217,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
|
|
|
0c73ee |
|
|
|
0c73ee |
if (i == 5)
|
|
|
0c73ee |
{
|
|
|
0c73ee |
+ if (stream_get_left(out) < 1)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decode failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_write_uint8(out,value);
|
|
|
0c73ee |
i-=1;
|
|
|
0c73ee |
}
|
|
|
0c73ee |
@@ -228,6 +233,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
|
|
|
0c73ee |
{
|
|
|
0c73ee |
uint8 len;
|
|
|
0c73ee |
stream_read_uint8(in, len);
|
|
|
0c73ee |
+ if (stream_get_left(out) < len+2)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decode failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_set_byte(out, value, len+2);
|
|
|
0c73ee |
i -= (len+2);
|
|
|
0c73ee |
}
|
|
|
0c73ee |
@@ -236,17 +246,32 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
|
|
|
0c73ee |
uint32 len;
|
|
|
0c73ee |
stream_seek(in, 1);
|
|
|
0c73ee |
stream_read_uint32(in, len);
|
|
|
0c73ee |
+ if (stream_get_left (out) < len)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decode failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_set_byte(out, value, len);
|
|
|
0c73ee |
i -= len;
|
|
|
0c73ee |
}
|
|
|
0c73ee |
}
|
|
|
0c73ee |
else
|
|
|
0c73ee |
{
|
|
|
0c73ee |
+ if (stream_get_left(out) < 1)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decode failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_write_uint8(out, value);
|
|
|
0c73ee |
i -= 1;
|
|
|
0c73ee |
}
|
|
|
0c73ee |
}
|
|
|
0c73ee |
|
|
|
0c73ee |
+ if (stream_get_left(out) < 4)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decode failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_copy(out, in, 4);
|
|
|
0c73ee |
}
|
|
|
0c73ee |
|
|
|
0c73ee |
@@ -264,11 +289,25 @@ void nsc_rle_decompress_data(NSC_CONTEXT* context)
|
|
|
0c73ee |
origsize = context->OrgByteCount[i];
|
|
|
0c73ee |
|
|
|
0c73ee |
if (i == 3 && context->nsc_stream->PlaneByteCount[i] == 0)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ if (stream_get_left(context->org_buf[i]) < origsize)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decompress_data failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_set_byte(context->org_buf[i], 0xff, origsize);
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
else if (context->nsc_stream->PlaneByteCount[i] < origsize)
|
|
|
0c73ee |
nsc_rle_decode(rles, context->org_buf[i], origsize);
|
|
|
0c73ee |
else
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ if (stream_get_left(context->org_buf[i]) < origsize)
|
|
|
0c73ee |
+ {
|
|
|
0c73ee |
+ printf("nsc_rle_decompress_data failed");
|
|
|
0c73ee |
+ abort();
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
stream_copy(context->org_buf[i], rles, origsize);
|
|
|
0c73ee |
+ }
|
|
|
0c73ee |
|
|
|
0c73ee |
context->org_buf[i]->p = context->org_buf[i]->data;
|
|
|
0c73ee |
}
|
|
|
0c73ee |
|