github/FreeRDP
7
0
Fork 0
mirror of https://github.com/FreeRDP/FreeRDP.git synced 2025-06-03 00:00:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

[channels,rdpgfx] fix potential stack corruption.

Browse Source
This commit is contained in:
Vic Lee 2024-01-11 20:03:58 +08:00 committed by Martin Fleisz
parent 5b731aca4d
commit 277ea28926
1 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
channels/rdpgfx/client/rdpgfx_main.c
View File

@ -841,7 +841,7 @@ static UINT rdpgfx_send_cache_offer(RDPGFX_PLUGIN* gfx)
int idx, count; int idx, count;
UINT error = CHANNEL_RC_OK; UINT error = CHANNEL_RC_OK;
PERSISTENT_CACHE_ENTRY entry; PERSISTENT_CACHE_ENTRY entry;
RDPGFX_CACHE_IMPORT_OFFER_PDU offer = { 0 }; RDPGFX_CACHE_IMPORT_OFFER_PDU* offer = NULL;
rdpPersistentCache* persistent = NULL; rdpPersistentCache* persistent = NULL;
WINPR_ASSERT(gfx); WINPR_ASSERT(gfx);
@ -883,7 +883,14 @@ static UINT rdpgfx_send_cache_offer(RDPGFX_PLUGIN* gfx)
if (count > gfx->MaxCacheSlots) if (count > gfx->MaxCacheSlots)
count = gfx->MaxCacheSlots; count = gfx->MaxCacheSlots;
offer.cacheEntriesCount = (UINT16)count; offer = (RDPGFX_CACHE_IMPORT_OFFER_PDU*)calloc(1, sizeof(RDPGFX_CACHE_IMPORT_OFFER_PDU));
if (!offer)
{
error = CHANNEL_RC_NO_MEMORY;
goto fail;
}
offer->cacheEntriesCount = (UINT16)count;
WLog_DBG(TAG, "Sending Cache Import Offer: %d", count); WLog_DBG(TAG, "Sending Cache Import Offer: %d", count);
@ -895,15 +902,13 @@ static UINT rdpgfx_send_cache_offer(RDPGFX_PLUGIN* gfx)
goto fail; goto fail;
} }
offer.cacheEntries[idx].cacheKey = entry.key64; offer->cacheEntries[idx].cacheKey = entry.key64;
offer.cacheEntries[idx].bitmapLength = entry.size; offer->cacheEntries[idx].bitmapLength = entry.size;
} }
persistent_cache_free(persistent); if (offer->cacheEntriesCount > 0)
if (offer.cacheEntriesCount > 0)
{ {
error = rdpgfx_send_cache_import_offer_pdu(context, &offer); error = rdpgfx_send_cache_import_offer_pdu(context, offer);
if (error != CHANNEL_RC_OK) if (error != CHANNEL_RC_OK)
{ {
WLog_Print(gfx->log, WLOG_ERROR, "Failed to send cache import offer PDU"); WLog_Print(gfx->log, WLOG_ERROR, "Failed to send cache import offer PDU");
@ -911,9 +916,9 @@ static UINT rdpgfx_send_cache_offer(RDPGFX_PLUGIN* gfx)
} }
} }
return error;
fail: fail:
persistent_cache_free(persistent); persistent_cache_free(persistent);
free(offer);
return error; return error;
} }
@ -2057,7 +2062,7 @@ static UINT rdpgfx_recv_pdu(GENERIC_CHANNEL_CALLBACK* callback, wStream* s)
WLog_Print(gfx->log, WLOG_ERROR, "Error while processing GFX cmdId: %s (0x%04" PRIX16 ")", WLog_Print(gfx->log, WLOG_ERROR, "Error while processing GFX cmdId: %s (0x%04" PRIX16 ")",
rdpgfx_get_cmd_id_string(header.cmdId), header.cmdId); rdpgfx_get_cmd_id_string(header.cmdId), header.cmdId);
Stream_SetPosition(s, (beg + header.pduLength)); Stream_SetPosition(s, (beg + header.pduLength));
return 0; return error;
} }
end = Stream_GetPosition(s); end = Stream_GetPosition(s);