authorLaxmikant Rashinkar <LK.Rashinkar@gmail.com>2014-07-20 11:11:20 -0700
committerLaxmikant Rashinkar <LK.Rashinkar@gmail.com>2014-07-20 11:11:20 -0700
commit023c0b5bc1591fad9094d2e440b6315a8ff908d8 (patch)
treedee4526ef6a7123d0432d083f60f123cbaa402b1 /rdp/rdp_rdp.c
parentccd75bd4cd968fc21b2cf72b741a23536b17742a (diff)
coverity: fixed out of bounds read-write
Diffstat (limited to 'rdp/rdp_rdp.c')
-rw-r--r--rdp/rdp_rdp.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/rdp/rdp_rdp.c b/rdp/rdp_rdp.c
index 973b8fe9..70155c60 100644
--- a/rdp/rdp_rdp.c
+++ b/rdp/rdp_rdp.c
@@ -427,6 +427,12 @@ rdp_rdp_process_color_pointer_pdu(struct rdp_rdp *self, struct stream *s)
return 1;
}
+ /* there are only 32 cursors */
+ if (cache_idx > 31)
+ {
+ return 1;
+ }
+
cursor = self->cursors + cache_idx;
in_uint16_le(s, cursor->x);
in_uint16_le(s, cursor->y);
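Review bot: The limit `31` is hard-coded, both in the check added here in rdp_rdp_process_color_pointer_pdu and in the rewritten check in rdp_rdp_process_cached_pointer_pdu, so the guard goes stale if the `cursors` array is ever resized and the out-of-bounds index returns. The old expression was wrong only because it divided by `sizeof(cursor)`, which is the size of a pointer. Deriving the bound from the array keeps it tied to the declaration: `if (cache_idx >= sizeof(self->cursors) / sizeof(self->cursors[0]))`. In the cached-pointer hunk cache_idx is read straight from the stream, so this comparison is the only visible check between a peer-supplied value and the access through `cursor`. Both function bodies continue outside the hunks, so any stream-length checks before the `in_uint16_le` reads cannot be confirmed from here.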
@@ -457,7 +463,7 @@ rdp_rdp_process_cached_pointer_pdu(struct rdp_rdp *self, struct stream *s)
in_uint16_le(s, cache_idx);
- if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))
+ if (cache_idx > 31)
{
return 1;
}