From 947feeadfddf01d30dda5aa16ebc335bfcc23ae0 Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Tue, 29 Apr 2026 13:42:00 +0000
Subject: [PATCH] [codec,clear] Update CLEAR_GLYPH_ENTRY::count after alloc
Backport of commit c49d1ad43b8c7b32794d0250f2623c2dccd7ef25.
Adapted for 2.11.7: uses GetBytesPerPixel instead of FreeRDPGetBytesPerPixel, plain realloc instead of winpr_aligned_recalloc; overflow checks match upstream (size_t count, hlimit / exceeded logging); glyphEntry->count set via (UINT32)cast after successful realloc.
Made-with: Cursor
---
 libfreerdp/codec/clear.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -979,20 +979,31 @@
 {
 const UINT32 bpp = GetBytesPerPixel(clear->format);
 CLEAR_GLYPH_ENTRY* glyphEntry = &(clear->GlyphCache[glyphIndex]);
- glyphEntry->count = nWidth * nHeight;
+ const size_t count = 1ull * nWidth * nHeight;
+ const size_t hlimit = SIZE_MAX / ((nWidth > 0) ? nWidth : 1);
+ if ((nWidth == 0) || (nHeight == 0) || (hlimit < nHeight))
+ {
+ const char* exceeded = (hlimit < nHeight) ? "within" : "outside";
+ WLog_ERR(TAG,
+ "CLEARCODEC_FLAG_GLYPH_INDEX: nWidth=%" PRIu32 ", nHeight=%" PRIu32
+ ", nWidth * nHeight is %s allowed range",
+ nWidth, nHeight, exceeded);
+ return FALSE;
+ }
- if (glyphEntry->count > glyphEntry->size)
+ if (count > glyphEntry->size)
 {
 BYTE* tmp;
- tmp = realloc(glyphEntry->pixels, 1ull * glyphEntry->count * bpp);
+ tmp = realloc(glyphEntry->pixels, 1ull * count * bpp);
 if (!tmp)
 {
- WLog_ERR(TAG, "glyphEntry->pixels realloc %" PRIu32 " failed!",
- glyphEntry->count * bpp);
+ WLog_ERR(TAG, "glyphEntry->pixels realloc %" PRIuz " failed!",
+ count * bpp);
 return FALSE;
 }
+ glyphEntry->count = (UINT32)count;
 glyphEntry->size = glyphEntry->count;
 glyphEntry->pixels = (UINT32*)tmp;
 }
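Review bot: `glyphEntry->count` is now assigned only inside the `if (count > glyphEntry->size)` branch, so when the new glyph fits the existing allocation the entry keeps the previous glyph's count, whereas the removed line updated it on every call. If code outside this hunk validates later cache hits against `count` (not visible here), it would accept dimensions up to the old capacity and copy stale pixels from the buffer. Moving `glyphEntry->count = (UINT32)count;` to just after the closing brace of the realloc block updates it on both paths while still keeping `count <= size`. Separately, the `hlimit` check covers `nWidth * nHeight` but not the `count * bpp` passed to `realloc` or the `(UINT32)` narrowing, and with a 64-bit `size_t` it never trips unless the dimensions are bounded earlier in the function; a guard such as `if ((bpp == 0) || (count > UINT32_MAX / bpp)) return FALSE;` before the realloc would cover both. The enclosing block starts and ends outside the hunk.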