From 8d9d0fc0971a65f6aac5d807bad6e707d09bcdb2 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 5 Apr 2020 13:42:21 -0400 Subject: [PATCH] [WIP] More tweaks to code. --- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 9 ++++++--- src/protocols/rdp/plugins/guacai/guacai-messages.c | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 012b9b7b..af1abcfa 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -35,15 +35,18 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; guac_rdpsnd_pdu_header header; - /* Check size prior to trying to read data. */ - if (Stream_GetRemainingLength(input_stream) < (sizeof(header) + header.body_size)) + /* Check that we at least have a header. */ + if (Stream_GetRemainingLength(input_stream) < sizeof(header)) return; /* Read RDPSND PDU header */ Stream_Read_UINT8(input_stream, header.message_type); Stream_Seek_UINT8(input_stream); - Stream_Read_UINT16(input_stream, header.body_size); + + /* Check that the body_size actually exists in the input stream. */ + if (Stream_GetRemainingLength(input_stream) < header.body_size) + return; /* * If next PDU is SNDWAVE (due to receiving WaveInfo PDU previously), diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index e32f9516..8281780a 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -267,7 +267,7 @@ void guac_rdp_ai_process_formats(guac_client* client, Stream_Seek_UINT32(stream); /* cbSizeFormatsPacket (MUST BE IGNORED) */ /* Check amount of data. */ - if (Stream_GetRemainingLength(stream) < (8 + nnum_formats)) + if (Stream_GetRemainingLength(stream) < (8 + num_formats)) return; UINT32 index;
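Review bot: The first guard in guac_rdpsnd_process_receive compares the remaining length with `sizeof(header)`, which is the size of the in-memory struct, while the reads that follow consume four bytes from the stream (a UINT8, a skipped UINT8 and a UINT16). If the struct's fields are wider than the wire fields (the definition is not in this hunk), a well-formed PDU with a short or empty body is silently dropped; comparing against the wire size, `if (Stream_GetRemainingLength(input_stream) < 4)`, avoids that. The new body_size check also runs before the SNDWAVE branch that the trailing comment introduces, so it is worth confirming that the leading bytes are a real header on that path and not data. Both early returns are silent; a log line on each would make truncated or malformed PDUs from the server visible. The function body continues past the end of the hunk.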
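Review bot: The corrected check in guac_rdp_ai_process_formats budgets one byte per format (`8 + num_formats`), and it runs after the `Stream_Seek_UINT32` above it, so the constant 8 appears to count bytes that were already consumed. If `num_formats` is a 32-bit value taken from the stream (its declaration and read are outside the hunk), the sum can also wrap for large counts and let the check pass. A division-based bound avoids both problems, for example `if (num_formats > Stream_GetRemainingLength(stream) / FORMAT_WIRE_SIZE) return;`, where FORMAT_WIRE_SIZE is a placeholder for the minimum encoded size of one format, which this hunk does not show. The loop that follows `UINT32 index;` is outside the hunk, so whether each format read is bounded on its own cannot be seen from here.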