diff --git a/libfreerdp-codec/nsc.c b/libfreerdp-codec/nsc.c index a39bdd33e..a86ea80f4 100644 --- a/libfreerdp-codec/nsc.c +++ b/libfreerdp-codec/nsc.c @@ -217,6 +217,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz) if (i == 5) { + if (stream_get_left(out) < 1) + { + printf("nsc_rle_decode failed"); + abort(); + } stream_write_uint8(out,value); i-=1; } @@ -228,6 +233,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz) { uint8 len; stream_read_uint8(in, len); + if (stream_get_left(out) < len+2) + { + printf("nsc_rle_decode failed"); + abort(); + } stream_set_byte(out, value, len+2); i -= (len+2); } @@ -236,17 +246,32 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz) uint32 len; stream_seek(in, 1); stream_read_uint32(in, len); + if (stream_get_left (out) < len) + { + printf("nsc_rle_decode failed"); + abort(); + } stream_set_byte(out, value, len); i -= len; } } else { + if (stream_get_left(out) < 1) + { + printf("nsc_rle_decode failed"); + abort(); + } stream_write_uint8(out, value); i -= 1; } } + if (stream_get_left(out) < 4) + { + printf("nsc_rle_decode failed"); + abort(); + } stream_copy(out, in, 4); } @@ -264,11 +289,25 @@ void nsc_rle_decompress_data(NSC_CONTEXT* context) origsize = context->OrgByteCount[i]; if (i == 3 && context->nsc_stream->PlaneByteCount[i] == 0) + { + if (stream_get_left(context->org_buf[i]) < origsize) + { + printf("nsc_rle_decompress_data failed"); + abort(); + } stream_set_byte(context->org_buf[i], 0xff, origsize); + } else if (context->nsc_stream->PlaneByteCount[i] < origsize) nsc_rle_decode(rles, context->org_buf[i], origsize); else + { + if (stream_get_left(context->org_buf[i]) < origsize) + { + printf("nsc_rle_decompress_data failed"); + abort(); + } stream_copy(context->org_buf[i], rles, origsize); + } context->org_buf[i]->p = context->org_buf[i]->data; }