56 lines
1.7 KiB
Diff
56 lines
1.7 KiB
Diff
From eca8a1a876b77de5da60b18793e35e5c0714ef97 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Holy <oholy@redhat.com>
|
|
Date: Mon, 9 Mar 2026 12:56:11 +0100
|
|
Subject: [PATCH] [codec,planar]: fix missing destination bounds checks
|
|
|
|
Backport of commit a0be5cb87d760bb1c803ad1bb835aa1e73e62abc.
|
|
|
|
Made-with: Cursor
|
|
---
|
|
libfreerdp/codec/planar.c | 21 ++++++++++++++++++++-
|
|
1 file changed, 20 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
|
|
index 1cb2e22bc..9b4d13057 100644
|
|
--- a/libfreerdp/codec/planar.c
|
|
+++ b/libfreerdp/codec/planar.c
|
|
@@ -621,8 +621,9 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
|
|
if (planar->maxHeight < nSrcHeight)
|
|
return FALSE;
|
|
|
|
+ const UINT32 bpp = GetBytesPerPixel(DstFormat);
|
|
if (nDstStep <= 0)
|
|
- nDstStep = nDstWidth * GetBytesPerPixel(DstFormat);
|
|
+ nDstStep = nDstWidth * bpp;
|
|
|
|
srcp = pSrcData;
|
|
|
|
@@ -831,6 +832,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
|
|
}
|
|
else /* RLE */
|
|
{
|
|
+ if (nYDst + nSrcHeight > nTotalHeight)
|
|
+ {
|
|
+ WLog_ERR(TAG,
|
|
+ "planar plane destination Y %" PRIu32 " + height %" PRIu32
|
|
+ " exceeds totalHeight %" PRIu32,
|
|
+ nYDst, nSrcHeight, nTotalHeight);
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
+ if ((nXDst + nSrcWidth) * bpp > nDstStep)
|
|
+ {
|
|
+ WLog_ERR(TAG,
|
|
+ "planar plane destination (X %" PRIu32 " + width %" PRIu32
|
|
+ ") * bpp %" PRIu32 " exceeds stride %" PRIu32,
|
|
+ nXDst, nSrcWidth, bpp, nDstStep);
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
status =
|
|
planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst,
|
|
nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */
|
|
--
|
|
2.53.0
|
|
|