From 00a593f9eda67212539e4dcac68ea5a699eb3e93 Mon Sep 17 00:00:00 2001 From: Ondrej Holy Date: Thu, 22 Jan 2026 12:48:37 +0100 Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748. Co-Authored-By: Claude --- libfreerdp/codec/clear.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c index e38fa0dcf..299acef2e 100644 --- a/libfreerdp/codec/clear.c +++ b/libfreerdp/codec/clear.c @@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT NSC_CONTEXT* nsc; UINT32 seqNumber; BYTE* TempBuffer; - UINT32 TempSize; + size_t TempSize; UINT32 nTempStep; UINT32 TempFormat; UINT32 format; @@ -313,24 +313,25 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height) { - UINT32 size; - if (!clear) return FALSE; - size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format)); + const UINT64 size = 1ull * (width + 16ull) * (height + 16ull); + const size_t bpp = GetBytesPerPixel(clear->format); + if (size > UINT32_MAX / bpp) + return FALSE; - if (size > clear->TempSize) + if (size > clear->TempSize / bpp) { - BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size); + BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp); if (!tmp) { - WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu32 " bytes", size); + WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu64 " bytes", size); return FALSE; } - clear->TempSize = size; + clear->TempSize = size * bpp; clear->TempBuffer = tmp; } -- 2.52.0