diff options
| author | Laxmikant Rashinkar <LK.Rashinkar@gmail.com> | 2014-07-20 11:11:20 -0700 |
|---|---|---|
| committer | Laxmikant Rashinkar <LK.Rashinkar@gmail.com> | 2014-07-20 11:11:20 -0700 |
| commit | 023c0b5bc1591fad9094d2e440b6315a8ff908d8 (patch) | |
| tree | dee4526ef6a7123d0432d083f60f123cbaa402b1 | |
| parent | ccd75bd4cd968fc21b2cf72b741a23536b17742a (diff) | |
| download | xrdp-proprietary-023c0b5bc1591fad9094d2e440b6315a8ff908d8.tar.gz xrdp-proprietary-023c0b5bc1591fad9094d2e440b6315a8ff908d8.zip | |
coverity: fixed out of bounds read-write
| -rw-r--r-- | rdp/rdp_rdp.c | 8 | ||||
| -rw-r--r-- | sesman/chansrv/clipboard.c | 7 |
2 files changed, 12 insertions, 3 deletions
diff --git a/rdp/rdp_rdp.c b/rdp/rdp_rdp.c index 973b8fe9..70155c60 100644 --- a/rdp/rdp_rdp.c +++ b/rdp/rdp_rdp.c @@ -427,6 +427,12 @@ rdp_rdp_process_color_pointer_pdu(struct rdp_rdp *self, struct stream *s) return 1; } + /* there are only 32 cursors */ + if (cache_idx > 31) + { + return 1; + } + cursor = self->cursors + cache_idx; in_uint16_le(s, cursor->x); in_uint16_le(s, cursor->y); @@ -457,7 +463,7 @@ rdp_rdp_process_cached_pointer_pdu(struct rdp_rdp *self, struct stream *s) in_uint16_le(s, cache_idx); - if (cache_idx >= sizeof(self->cursors) / sizeof(cursor)) + if (cache_idx > 31) { return 1; } diff --git a/sesman/chansrv/clipboard.c b/sesman/chansrv/clipboard.c index 6d52da85..310e2093 100644 --- a/sesman/chansrv/clipboard.c +++ b/sesman/chansrv/clipboard.c @@ -1048,8 +1048,11 @@ clipboard_process_format_announce(struct stream *s, int clip_msg_status, log_debug("clipboard_process_format_announce: formatId 0x%8.8x " "wszFormatName [%s] clip_msg_len %d", formatId, desc, clip_msg_len); - g_formatIds[g_num_formatIds] = formatId; - g_num_formatIds++; + if (g_num_formatIds <= 15) + { + g_formatIds[g_num_formatIds] = formatId; + g_num_formatIds++; + } if (g_num_formatIds > 15) { log_debug("clipboard_process_format_announce: max formats"); |