From 00a593f9eda67212539e4dcac68ea5a699eb3e93 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Holy <oholy@redhat.com>
|
|
Date: Thu, 22 Jan 2026 12:48:37 +0100
|
|
Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks
|
|
|
|
Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748.
|
|
|
|
Co-Authored-By: Claude <noreply@anthropic.com>
|
|
---
|
|
libfreerdp/codec/clear.c | 17 +++++++++--------
|
|
1 file changed, 9 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
|
|
index e38fa0dcf..299acef2e 100644
|
|
--- a/libfreerdp/codec/clear.c
|
|
+++ b/libfreerdp/codec/clear.c
|
|
@@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT
|
|
NSC_CONTEXT* nsc;
|
|
UINT32 seqNumber;
|
|
BYTE* TempBuffer;
|
|
- UINT32 TempSize;
|
|
+ size_t TempSize;
|
|
UINT32 nTempStep;
|
|
UINT32 TempFormat;
|
|
UINT32 format;
|
|
@@ -313,24 +313,25 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
|
|
|
|
static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)
|
|
{
|
|
- UINT32 size;
|
|
-
|
|
if (!clear)
|
|
return FALSE;
|
|
|
|
- size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));
|
|
+ const UINT64 size = 1ull * (width + 16ull) * (height + 16ull);
|
|
+ const size_t bpp = GetBytesPerPixel(clear->format);
|
|
+ if (size > UINT32_MAX / bpp)
|
|
+ return FALSE;
|
|
|
|
- if (size > clear->TempSize)
|
|
+ if (size > clear->TempSize / bpp)
|
|
{
|
|
- BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size);
|
|
+ BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp);
|
|
|
|
if (!tmp)
|
|
{
|
|
- WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu32 " bytes", size);
|
|
+ WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu64 " bytes", size);
|
|
return FALSE;
|
|
}
|
|
|
|
- clear->TempSize = size;
|
|
+ clear->TempSize = size * bpp;
|
|
clear->TempBuffer = tmp;
|
|
}
|
|
|
|
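Review bot: `bpp` is used as a divisor in `size > UINT32_MAX / bpp` and again in `size > clear->TempSize / bpp` without a zero check. If GetBytesPerPixel() can return 0 for an unset or unrecognised `clear->format` (its definition is not in this hunk), the new overflow guard would itself divide by zero. Folding the check into the guard avoids that: `if ((bpp == 0) || (size > UINT32_MAX / bpp)) return FALSE;`. Separately, `size` now holds a pixel count rather than a byte count, so the WLog_ERR line that still says "bytes" should log `size * bpp`, the value actually passed to realloc(). The end of clear_resize_buffer lies outside the hunk.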
--
|
|
2.52.0
|
|
|