From 94235a5297db9cb83c2c23ade8a69cabe3e5f9f4 Mon Sep 17 00:00:00 2001 From: Ondrej Holy Date: Tue, 27 Jan 2026 16:15:28 +0100 Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748. Co-Authored-By: Claude --- libfreerdp/codec/clear.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c index b0813937d..28450b357 100644 --- a/libfreerdp/codec/clear.c +++ b/libfreerdp/codec/clear.c @@ -58,7 +58,7 @@ struct S_CLEAR_CONTEXT NSC_CONTEXT* nsc; UINT32 seqNumber; BYTE* TempBuffer; - UINT32 TempSize; + size_t TempSize; UINT32 nTempStep; UINT32 TempFormat; UINT32 format; @@ -328,25 +328,26 @@ static BOOL clear_decompress_subcode_rlex(wStream* WINPR_RESTRICT s, UINT32 bitm static BOOL clear_resize_buffer(CLEAR_CONTEXT* WINPR_RESTRICT clear, UINT32 width, UINT32 height) { - UINT32 size = 0; - if (!clear) return FALSE; - size = ((width + 16) * (height + 16) * FreeRDPGetBytesPerPixel(clear->format)); + const UINT64 size = 1ull * (width + 16ull) * (height + 16ull); + const size_t bpp = FreeRDPGetBytesPerPixel(clear->format); + if (size > UINT32_MAX / bpp) + return FALSE; - if (size > clear->TempSize) + if (size > clear->TempSize / bpp) { - BYTE* tmp = (BYTE*)winpr_aligned_recalloc(clear->TempBuffer, size, sizeof(BYTE), 32); + BYTE* tmp = (BYTE*)winpr_aligned_recalloc(clear->TempBuffer, size, bpp, 32); if (!tmp) { - WLog_ERR(TAG, "clear->TempBuffer winpr_aligned_recalloc failed for %" PRIu32 " bytes", + WLog_ERR(TAG, "clear->TempBuffer winpr_aligned_recalloc failed for %" PRIu64 " bytes", size); return FALSE; } - clear->TempSize = size; + clear->TempSize = size * bpp; clear->TempBuffer = tmp; } -- 2.52.0