From f75b9143e2ea5cf487eb76e42f58f816c88e688a Mon Sep 17 00:00:00 2001
From: Jay Sorg
Date: Tue, 10 Sep 2013 16:18:21 -0700
Subject: [PATCH] VUL: make sure cache entries are in range
---
 common/xrdp_constants.h | 3 +++
 libxrdp/xrdp_rdp.c | 29 +++++++++++++++++++++++------
 xrdp/xrdp.h | 2 +-
 xrdp/xrdp_cache.c | 17 ++++++++++++++---
 xrdp/xrdp_types.h | 3 ++-
 5 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/common/xrdp_constants.h b/common/xrdp_constants.h
index b978d2de..a163df07 100644
--- a/common/xrdp_constants.h
+++ b/common/xrdp_constants.h
@@ -559,4 +559,7 @@
 #define CMDTYPE_FRAME_MARKER 0x0004
 #define CMDTYPE_STREAM_SURFACE_BITS 0x0006
+#define XRDP_MAX_BITMAP_CACHE_ID 3
+#define XRDP_MAX_BITMAP_CACHE_IDX 2000
+
 #endif
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 2d90485f..a940a695 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -915,13 +915,27 @@ static int APP_CC
 xrdp_process_capset_bmpcache(struct xrdp_rdp *self, struct stream *s, int len)
 {
+ int i;
+ self->client_info.bitmap_cache_version |= 1;
 in_uint8s(s, 24);
- in_uint16_le(s, self->client_info.cache1_entries);
+ /* cache 1 */
+ in_uint16_le(s, i);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
+ self->client_info.cache1_entries = i;
 in_uint16_le(s, self->client_info.cache1_size);
- in_uint16_le(s, self->client_info.cache2_entries);
+ /* cache 2 */
+ in_uint16_le(s, i);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
+ self->client_info.cache2_entries = i;
 in_uint16_le(s, self->client_info.cache2_size);
- in_uint16_le(s, self->client_info.cache3_entries);
+ /* caceh 3 */
+ in_uint16_le(s, i);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
+ self->client_info.cache3_entries = i;
 in_uint16_le(s, self->client_info.cache3_size);
 DEBUG(("cache1 entries %d size %d", self->client_info.cache1_entries, self->client_info.cache1_size));
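Review bot: In the common/xrdp_constants.h hunk, `XRDP_MAX_BITMAP_CACHE_ID` and `XRDP_MAX_BITMAP_CACHE_IDX` are named like maximum values, but the same patch uses them as array dimensions (`bitmap_items[XRDP_MAX_BITMAP_CACHE_ID][XRDP_MAX_BITMAP_CACHE_IDX]`), so the largest valid id is 2 and the largest valid index is 1999. A later bounds check written as `id <= XRDP_MAX_BITMAP_CACHE_ID` would be off by one and would read as correct. I would add a comment above the two defines, for example `/* dimensions of xrdp_cache.bitmap_items: valid ids are 0..ID-1, valid indices 0..IDX-1 */`.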
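Review bot: In the xrdp_process_capset_bmpcache hunk, the visible body skips 24 bytes and then reads six 16-bit fields without consulting `len` or the bytes left in `s`, so the new clamp bounds the entry counts but a truncated capability set would still be parsed. Unless the caller already guarantees the 36 bytes consumed here (not visible in this diff), a guard before `in_uint8s(s, 24)` such as `if (!s_check_rem(s, 24 + 12)) { return 1; }` would cover it, assuming 1 is this function's error return. The three `cacheN_size` values are also still stored exactly as the client sent them; if anything downstream sizes or indexes memory from them they need a range check too. Minor: `/* caceh 3 */` should read `/* cache 3 */`. The function body continues past the end of the hunk.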
@@ -947,16 +961,19 @@ xrdp_process_capset_bmpcache2(struct xrdp_rdp *self, struct stream *s,
 self->client_info.bitmap_cache_persist_enable = i;
 in_uint8s(s, 2); /* number of caches in set, 3 */
 in_uint32_le(s, i);
- i = MIN(i, 2000);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
 self->client_info.cache1_entries = i;
 self->client_info.cache1_size = 256 * Bpp;
 in_uint32_le(s, i);
- i = MIN(i, 2000);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
 self->client_info.cache2_entries = i;
 self->client_info.cache2_size = 1024 * Bpp;
 in_uint32_le(s, i);
 i = i & 0x7fffffff;
- i = MIN(i, 2000);
+ i = MIN(i, XRDP_MAX_BITMAP_CACHE_IDX);
+ i = MAX(i, 0);
 self->client_info.cache3_entries = i;
 self->client_info.cache3_size = 4096 * Bpp;
 DEBUG(("cache1 entries %d size %d", self->client_info.cache1_entries,
diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h
index 081adf3c..6adf17f0 100644
--- a/xrdp/xrdp.h
+++ b/xrdp/xrdp.h
@@ -27,8 +27,8 @@
 #include "trans.h"
 #include "list.h"
 #include "libxrdpinc.h"
-#include "xrdp_types.h"
 #include "xrdp_constants.h"
+#include "xrdp_types.h"
 #include "defines.h"
 #include "os_calls.h"
 #include "ssl_calls.h"
diff --git a/xrdp/xrdp_cache.c b/xrdp/xrdp_cache.c
index f421371d..b5787763 100644
--- a/xrdp/xrdp_cache.c
+++ b/xrdp/xrdp_cache.c
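Review bot: In the xrdp_process_capset_bmpcache2 hunk only the third cell count is masked with `i = i & 0x7fffffff;` before clamping; the first two go straight from `in_uint32_le(s, i)` into `MIN`/`MAX`. If `i` is a signed int, as the new `MAX(i, 0)` implies, a client value with bit 31 set for cache 1 or 2 is now forced to 0 instead of staying negative, which is the safe direction. It also silently disables that cache if bit 31 is a flag rather than part of the count, as the mask on cache 3 suggests. I would apply the same `i = i & 0x7fffffff;` to all three reads, or add a comment saying why only cache 3 needs it. The function starts before this hunk and the trailing `DEBUG` statement runs past its end, so the declaration of `i` and any length check are not visible here.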
@@ -33,16 +33,27 @@ xrdp_cache_create(struct xrdp_wm *owner,
 self->wm = owner;
 self->session = session;
 self->use_bitmap_comp = client_info->use_bitmap_comp;
- self->cache1_entries = client_info->cache1_entries;
+
+ self->cache1_entries = MIN(XRDP_MAX_BITMAP_CACHE_IDX,
+ client_info->cache1_entries);
+ self->cache1_entries = MAX(self->cache1_entries, 0);
 self->cache1_size = client_info->cache1_size;
- self->cache2_entries = client_info->cache2_entries;
+
+ self->cache2_entries = MIN(XRDP_MAX_BITMAP_CACHE_IDX,
+ client_info->cache2_entries);
+ self->cache2_entries = MAX(self->cache2_entries, 0);
 self->cache2_size = client_info->cache2_size;
- self->cache3_entries = client_info->cache3_entries;
+
+ self->cache3_entries = MIN(XRDP_MAX_BITMAP_CACHE_IDX,
+ client_info->cache3_entries);
+ self->cache3_entries = MAX(self->cache3_entries, 0);
 self->cache3_size = client_info->cache3_size;
+ self->bitmap_cache_persist_enable = client_info->bitmap_cache_persist_enable;
 self->bitmap_cache_version = client_info->bitmap_cache_version;
 self->pointer_cache_entries = client_info->pointer_cache_entries;
 self->xrdp_os_del_list = list_create();
+ return self;
 }
diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h
index e7bb7baf..5a43d9a9 100644
--- a/xrdp/xrdp_types.h
+++ b/xrdp/xrdp_types.h
@@ -195,7 +195,8 @@ struct xrdp_cache
 struct xrdp_palette_item palette_items[6];
 /* bitmap */
 int bitmap_stamp;
- struct xrdp_bitmap_item bitmap_items[3][2000];
+ struct xrdp_bitmap_item bitmap_items[XRDP_MAX_BITMAP_CACHE_ID]
+ [XRDP_MAX_BITMAP_CACHE_IDX];
 int use_bitmap_comp;
 int cache1_entries;
 int cache1_size;
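Review bot: In the xrdp_cache_create hunk the three bitmap entry counts are re-clamped, but `self->pointer_cache_entries = client_info->pointer_cache_entries;` in the same hunk is still copied unchanged. If that value is client-supplied and bounds a fixed-size array (neither its parser nor the array is visible in this diff), it should be clamped here against that array's dimension in the same `MIN`/`MAX` way. This patch only bounds the counts, so the code that indexes `bitmap_items` with a cache id and index should be confirmed to check the id against `XRDP_MAX_BITMAP_CACHE_ID` and the index against the matching `cacheN_entries`; it is outside this diff. The function starts before the hunk.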
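Review bot: In the xrdp/xrdp_types.h hunk, `bitmap_items` is now declared with `XRDP_MAX_BITMAP_CACHE_ID` and `XRDP_MAX_BITMAP_CACHE_IDX`, and the patch makes those visible by reordering the includes in xrdp/xrdp.h rather than in this header. That suggests xrdp_types.h does not include xrdp_constants.h itself (the top of the header is outside the hunk), so any file that reaches xrdp_types.h by another route would fail to compile. I would add `#include "xrdp_constants.h"` to xrdp_types.h so the dependency sits next to its use.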