From 41c9286c3c46fa76b8bd2f0c4ff817f9a0939d22 Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Sat, 28 Feb 2026 11:51:38 +0100
Subject: [PATCH] [gdi,gfx] tighter bounds checks for gfx updates
---
 libfreerdp/gdi/gfx.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
index 4bc6f5cd7..d16588452 100644
--- a/libfreerdp/gdi/gfx.c
+++ b/libfreerdp/gdi/gfx.c
@@ -63,6 +63,14 @@ static BOOL is_within_surface(const gdiGfxSurface* surface, const RDPGFX_SURFACE
 rect.left, rect.top, cmd->width, cmd->height, surface->width, surface->height);
 return FALSE;
 }
+ if (rect.left > surface->width)
+ return FALSE;
+ if (rect.right > surface->width)
+ return FALSE;
+ if (rect.top > surface->height)
+ return FALSE;
+ if (rect.bottom > surface->height)
+ return FALSE;
 return TRUE;
 }
@@ -434,6 +442,9 @@ static UINT gdi_SurfaceCommand_RemoteFX(rdpGdi* gdi, RdpgfxClientContext* contex
 return ERROR_NOT_FOUND;
 }
+ if (!is_within_surface(surface, cmd))
+ return ERROR_INVALID_DATA;
+
 WINPR_ASSERT(surface->codecs);
 rfx_context_set_pixel_format(surface->codecs->rfx, cmd->format);
 region16_init(&invalidRegion);
@@ -492,6 +503,9 @@ static UINT gdi_SurfaceCommand_ClearCodec(rdpGdi* gdi, RdpgfxClientContext* cont
 return ERROR_NOT_FOUND;
 }
+ if (!is_within_surface(surface, cmd))
+ return ERROR_INVALID_DATA;
+
 WINPR_ASSERT(surface->codecs);
 rc = clear_decompress(surface->codecs->clear, cmd->data, cmd->length, cmd->width, cmd->height, surface->data, surface->format, surface->scanline, cmd->left, cmd->top,
@@ -621,6 +635,9 @@ static UINT gdi_SurfaceCommand_AVC420(rdpGdi* gdi, RdpgfxClientContext* context,
 if (!surface->h264)
 return ERROR_NOT_SUPPORTED;
+ if (!is_within_surface(surface, cmd))
+ return ERROR_INVALID_DATA;
+
 bs = (RDPGFX_AVC420_BITMAP_STREAM*)cmd->extra;
 if (!bs)
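Review bot: The four rejections added to is_within_surface return FALSE silently, while the path directly above them appears to log the offending rectangle before returning, so an out-of-range update from the server is dropped with nothing for whoever triages the disconnect. Folding the tests into one condition, `if ((rect.left > surface->width) || (rect.right > surface->width) || (rect.top > surface->height) || (rect.bottom > surface->height))`, would let them share one log call in the same style. The left and top tests use `>`, so `rect.left == surface->width` and `rect.top == surface->height` still pass; if an empty rectangle on the border is intended to be accepted, a comment such as `/* origin may sit on the border (empty rect), but nothing may extend past it */` would record that. The function begins outside this hunk, so how rect is derived from cmd and in which integer width is not visible here; that derivation is worth checking for wrap-around, since these comparisons only help if rect itself is computed without truncation.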
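Review bot: The `is_within_surface(surface, cmd)` guard added to gdi_SurfaceCommand_RemoteFX covers only the rectangle carried in the command header, and the same applies to the identical guards in the gdi_SurfaceCommand_ClearCodec, gdi_SurfaceCommand_AVC420 and gdi_SurfaceCommand_AVC444 hunks. The decoders called afterwards may take further geometry from the server-supplied payload itself, and whether they clamp it against the surface is decided outside these hunks, so the guard should not be read as the only bounds check these paths need. A comment on the guard would make its scope explicit, for example `/* cmd geometry is server-controlled: reject it before any decoder writes into surface->data */`. Surface-command handlers that this patch does not touch are not visible here, so it is worth confirming that each of them validates the command rectangle too. All four function bodies start and end outside their hunks.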
@@ -707,6 +724,9 @@ static UINT gdi_SurfaceCommand_AVC444(rdpGdi* gdi, RdpgfxClientContext* context,
 if (!surface->h264)
 return ERROR_NOT_SUPPORTED;
+ if (!is_within_surface(surface, cmd))
+ return ERROR_INVALID_DATA;
+
 bs = (RDPGFX_AVC444_BITMAP_STREAM*)cmd->extra;
 if (!bs)