From 3890c98c84216a78428cd3eb33caa5ecdbfed1a9 Mon Sep 17 00:00:00 2001 From: akallabeth Date: Wed, 9 Apr 2025 22:21:37 +0200 Subject: [PATCH] [core,gateway] fix string reading for TSG The MaxCount field might be bigger than what is actually encoded, so only read the ActualCount elements from the stream. --- libfreerdp/core/gateway/tsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c index f5cf7e430..873adf977 100644 --- a/libfreerdp/core/gateway/tsg.c +++ b/libfreerdp/core/gateway/tsg.c @@ -445,9 +445,9 @@ static BOOL tsg_ndr_read_string(wLog* log, wStream* s, WCHAR** str, UINT32 lengt if (str) *str = Stream_PointerAs(s, WCHAR); - if (!Stream_CheckAndLogRequiredLengthWLog(log, s, MaxCount)) + if (!Stream_CheckAndLogRequiredLengthWLog(log, s, ActualCount * sizeof(WCHAR))) return FALSE; - Stream_Seek(s, MaxCount); + Stream_Seek(s, ActualCount * sizeof(WCHAR)); return TRUE; }