rpms / freerdp

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7-alt
  2.   SOURCES
  3.   CVE-2018-8787.patch
Blob Blame History Raw 
diff --git a/libfreerdp-gdi/graphics.c b/libfreerdp-gdi/graphics.c
index 04816334c..5a49bd365 100644
--- a/libfreerdp-gdi/graphics.c
+++ b/libfreerdp-gdi/graphics.c
@@ -30,6 +30,8 @@
 #include <freerdp/codec/bitmap.h>
 #include <freerdp/cache/glyph.h>
 
+#include <stdint.h>
+
 #include "graphics.h"
 
 /* Bitmap Class */
@@ -89,9 +91,18 @@ void gdi_Bitmap_Paint(rdpContext* context, rdpBitmap* bitmap)
 void gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap,
 		uint8* data, int width, int height, int bpp, int length, boolean compressed)
 {
-	uint16 size;
+	uint32 size = width * height;
+	int bpp_op = (bpp + 7) / 8;
+
+	if ((bpp == 0) ||
+	    (width == 0) || (height == 0) || (width > UINT32_MAX / height) ||
+	    (size > (UINT32_MAX / bpp_op)))
+	{
+		printf("gdi_Bitmap_Decompress failed\n");
+		abort();
+	}
 
-	size = width * height * (bpp + 7) / 8;
+	size *= bpp_op;
 
 	if (bitmap->data == NULL)
 		bitmap->data = (uint8*) xmalloc(size);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation