diff options
author | Laxmikant Rashinkar <LK.Rashinkar@gmail.com> | 2014-07-20 11:11:20 -0700 |
---|---|---|
committer | Laxmikant Rashinkar <LK.Rashinkar@gmail.com> | 2014-07-20 11:11:20 -0700 |
commit | 023c0b5bc1591fad9094d2e440b6315a8ff908d8 (patch) | |
tree | dee4526ef6a7123d0432d083f60f123cbaa402b1 /rdp/rdp_rdp.c | |
parent | ccd75bd4cd968fc21b2cf72b741a23536b17742a (diff) | |
download | xrdp-proprietary-023c0b5bc1591fad9094d2e440b6315a8ff908d8.tar.gz xrdp-proprietary-023c0b5bc1591fad9094d2e440b6315a8ff908d8.zip |
coverity: fixed out of bounds read-write
Diffstat (limited to 'rdp/rdp_rdp.c')
-rw-r--r-- | rdp/rdp_rdp.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/rdp/rdp_rdp.c b/rdp/rdp_rdp.c index 973b8fe9..70155c60 100644 --- a/rdp/rdp_rdp.c +++ b/rdp/rdp_rdp.c @@ -427,6 +427,12 @@ rdp_rdp_process_color_pointer_pdu(struct rdp_rdp *self, struct stream *s) return 1; } + /* there are only 32 cursors */ + if (cache_idx > 31) + { + return 1; + } + cursor = self->cursors + cache_idx; in_uint16_le(s, cursor->x); in_uint16_le(s, cursor->y); @@ -457,7 +463,7 @@ rdp_rdp_process_cached_pointer_pdu(struct rdp_rdp *self, struct stream *s) in_uint16_le(s, cache_idx); - if (cache_idx >= sizeof(self->cursors) / sizeof(cursor)) + if (cache_idx > 31) { return 1; } |