[WIP]: Check RDP sound format value before use.

[WIP]: Check argc in user handler.
[WIP]: Check surface allocations
2020-04-16 13:53:14 -04:00 · 2020-04-16 13:50:34 -04:00 · 2020-04-16 13:47:30 -04:00 · 2020-04-16 13:42:25 -04:00 · 2020-04-16 13:39:34 -04:00
5 changed files with 16 additions and 2 deletions
--- a/src/common/surface.c
+++ b/src/common/surface.c
@ -1219,10 +1219,14 @@ guac_common_surface* guac_common_surface_alloc(guac_client* client,
    /* Create corresponding Cairo surface */
    surface->stride = cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, w);
    surface->buffer = calloc(h, surface->stride);
    if (surface->buffer == NULL)
        return NULL;
    /* Create corresponding heat map */
    surface->heat_map = calloc(heat_width * heat_height,
            sizeof(guac_common_surface_heat_cell));
 	if (surface->heat_map == NULL)
        return NULL;
    /* Reset clipping rect */
    guac_common_surface_reset_clip(surface);
@ -1286,6 +1290,8 @@ void guac_common_surface_resize(guac_common_surface* surface, int w, int h) {
    surface->height = h;
    surface->stride = cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, w);
    surface->buffer = calloc(h, surface->stride);
    if (surface->buffer == NULL)
        return NULL;
    __guac_common_bound_rect(surface, &surface->clip_rect, NULL, NULL);
    /* Copy relevant old data */
@ -1299,6 +1305,8 @@ void guac_common_surface_resize(guac_common_surface* surface, int w, int h) {
    free(surface->heat_map);
    surface->heat_map = calloc(heat_width * heat_height,
            sizeof(guac_common_surface_heat_cell));
    if (surface->heat_map == NULL)
        return NULL;
    /* Resize dirty rect to fit new surface dimensions */
    if (surface->dirty) {
--- a/src/libguac/user-handlers.c
+++ b/src/libguac/user-handlers.c
@ -459,6 +459,10 @@ int __guac_handle_ack(guac_user* user, int argc, char** argv) {
 int __guac_handle_blob(guac_user* user, int argc, char** argv) {
    /* Fail if we have less than two arguments. */
    if (argc < 2)
        return 0;
    int stream_index = atoi(argv[0]);
    guac_stream* stream = __get_open_input_stream(user, stream_index);
--- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c
+++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c
@ -250,7 +250,7 @@ void guac_rdpsnd_wave_info_handler(guac_rdp_common_svc* svc,
    rdpsnd->next_pdu_is_wave = TRUE;
    /* Reset audio stream if format has changed */
-    if (audio != NULL)
+    if (audio != NULL && format < GUAC_RDP_MAX_FORMATS)
        guac_audio_stream_reset(audio, NULL,
                rdpsnd->formats[format].rate,
                rdpsnd->formats[format].channels,
--- a/src/protocols/rdp/upload.c
+++ b/src/protocols/rdp/upload.c
@ -49,7 +49,7 @@ static void __generate_upload_path(const char* filename, char* path) {
    /* Add initial backslash */
    *(path++) = '\\';
-    for (i=1; i<GUAC_RDP_FS_MAX_PATH; i++) {
+    for (i=1; i<i(GUAC_RDP_FS_MAX_PATH - 1); i++) {
        /* Get current, stop at end */
        char c = *(filename++);
--- a/src/protocols/vnc/display.c
+++ b/src/protocols/vnc/display.c
@ -70,6 +70,8 @@ void guac_vnc_update(rfbClient* client, int x, int y, int w, int h) {
    /* Init Cairo buffer */
    stride = cairo_format_stride_for_width(CAIRO_FORMAT_RGB24, w);
    buffer = malloc(h*stride);
    if (buffer == NULL)
        return;
    buffer_row_current = buffer;
    bpp = client->format.bitsPerPixel/8;
Author	SHA1	Message	Date
Nick Couchman	0e2e3d20ae	[WIP]: Check RDP sound format value before use.	2020-04-16 13:53:14 -04:00
Nick Couchman	f3f8be0591	[WIP]: Check argc in user handler.	2020-04-16 13:50:34 -04:00
Nick Couchman	4135c6e3b0	[WIP]: Check surface allocations	2020-04-16 13:47:30 -04:00
Nick Couchman	e011cf38eb	[WIP] Check VNC buffer allocation.	2020-04-16 13:42:25 -04:00
Nick Couchman	ab38b6c912	[WIP]: Fix upload path out-of-bounds error.	2020-04-16 13:39:34 -04:00