From a1d4e2d2e6f88b345aecadbd606214be03c30b96 Mon Sep 17 00:00:00 2001
From: Michael Jumper <mike.jumper@guac-dev.org>
Date: Tue, 17 Dec 2013 14:28:20 -0800
Subject: [PATCH] Add maximum buffer size.

---
 src/protocols/rdp/guac_rdpdr/rdpdr_fs_messages.c | 10 +++++++---
 src/protocols/rdp/guac_rdpdr/rdpdr_service.h     |  5 +++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/protocols/rdp/guac_rdpdr/rdpdr_fs_messages.c b/src/protocols/rdp/guac_rdpdr/rdpdr_fs_messages.c
index ef96d45a..04afb353 100644
--- a/src/protocols/rdp/guac_rdpdr/rdpdr_fs_messages.c
+++ b/src/protocols/rdp/guac_rdpdr/rdpdr_fs_messages.c
@@ -148,12 +148,16 @@ void guac_rdpdr_fs_process_read(guac_rdpdr_device* device,
     Stream_Read_UINT32(input_stream, length);
     Stream_Read_UINT64(input_stream, offset);
 
-    /* Allocate buffer */
-    buffer = malloc(length);
-
     GUAC_RDP_DEBUG(2, "[file_id=%i] length=%i, offset=%" PRIu64,
              file_id, length, (uint64_t) offset);
 
+    /* Ensure buffer size does not exceed a safe maximum */
+    if (length > GUAC_RDP_MAX_READ_BUFFER)
+        length = GUAC_RDP_MAX_READ_BUFFER;
+
+    /* Allocate buffer */
+    buffer = malloc(length);
+
     /* Attempt read */
     bytes_read = guac_rdp_fs_read((guac_rdp_fs*) device->data, file_id, offset,
             buffer, length);
diff --git a/src/protocols/rdp/guac_rdpdr/rdpdr_service.h b/src/protocols/rdp/guac_rdpdr/rdpdr_service.h
index 128226c6..f7ca5c25 100644
--- a/src/protocols/rdp/guac_rdpdr/rdpdr_service.h
+++ b/src/protocols/rdp/guac_rdpdr/rdpdr_service.h
@@ -49,6 +49,11 @@
 #include <guacamole/client.h>
 #include <freerdp/utils/svc_plugin.h>
 
+/**
+ * The maximum number of bytes to allow for a device read.
+ */
+#define GUAC_RDP_MAX_READ_BUFFER 4194304
+
 typedef struct guac_rdpdrPlugin guac_rdpdrPlugin;
 typedef struct guac_rdpdr_device guac_rdpdr_device;