From 7b7e6de8fe427a2f01d331056774aec69710590b Mon Sep 17 00:00:00 2001 From: akallabeth Date: Sat, 10 Jan 2026 08:43:40 +0100 Subject: [PATCH 1/5] [channels,urbdrc] check interface indices before use --- channels/urbdrc/client/data_transfer.c | 6 +- .../urbdrc/client/libusb/libusb_udevice.c | 78 ++++++++++++------- channels/urbdrc/common/msusb.c | 6 +- 3 files changed, 54 insertions(+), 36 deletions(-) diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c index e2270e565..762fe0d31 100644 --- a/channels/urbdrc/client/data_transfer.c +++ b/channels/urbdrc/client/data_transfer.c @@ -454,14 +454,12 @@ static void func_select_all_interface_for_msconfig(IUDEVICE* pdev, MSUSB_CONFIG_DESCRIPTOR* MsConfig) { MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces; - BYTE InterfaceNumber = 0; - BYTE AlternateSetting = 0; UINT32 NumInterfaces = MsConfig->NumInterfaces; for (UINT32 inum = 0; inum < NumInterfaces; inum++) { - InterfaceNumber = MsInterfaces[inum]->InterfaceNumber; - AlternateSetting = MsInterfaces[inum]->AlternateSetting; + const BYTE InterfaceNumber = MsInterfaces[inum]->InterfaceNumber; + const BYTE AlternateSetting = MsInterfaces[inum]->AlternateSetting; pdev->select_interface(pdev, InterfaceNumber, AlternateSetting); } } diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c index afc7f11c6..aa5639f09 100644 --- a/channels/urbdrc/client/libusb/libusb_udevice.c +++ b/channels/urbdrc/client/libusb/libusb_udevice.c 
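Review bot: The loop in func_select_all_interface_for_msconfig still discards whatever `pdev->select_interface(pdev, InterfaceNumber, AlternateSetting)` returns, so an InterfaceNumber/AlternateSetting pair that the backend rejects (the situation this series adds checks for elsewhere) goes unnoticed and the remaining interfaces are selected regardless. The two values come straight from the peer-supplied MsConfig, and nothing in this function checks them before the call, so the function relies entirely on the backend doing so. If select_interface reports failure through its return value (its declaration is outside this diff), checking it and stopping early, e.g. `if (!pdev->select_interface(pdev, InterfaceNumber, AlternateSetting)) return;`, would be the minimal improvement; the function is `void`, so callers could not currently learn about the failure without a signature change.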
@@ -582,25 +582,13 @@ static MSUSB_CONFIG_DESCRIPTOR* libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsConfig) { UDEVICE* pdev = (UDEVICE*)idev; - MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = NULL; - MSUSB_INTERFACE_DESCRIPTOR* MsInterface = NULL; - MSUSB_PIPE_DESCRIPTOR** MsPipes = NULL; - MSUSB_PIPE_DESCRIPTOR* MsPipe = NULL; - MSUSB_PIPE_DESCRIPTOR** t_MsPipes = NULL; - MSUSB_PIPE_DESCRIPTOR* t_MsPipe = NULL; - LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig = NULL; - const LIBUSB_INTERFACE* LibusbInterface = NULL; - const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting = NULL; - const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint = NULL; - BYTE LibusbNumEndpoint = 0; - URBDRC_PLUGIN* urbdrc = NULL; UINT32 MsOutSize = 0; if (!pdev || !pdev->LibusbConfig || !pdev->urbdrc || !MsConfig) return NULL; - urbdrc = pdev->urbdrc; - LibusbConfig = pdev->LibusbConfig; + URBDRC_PLUGIN* urbdrc = pdev->urbdrc; + LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig = pdev->LibusbConfig; if (LibusbConfig->bNumInterfaces != MsConfig->NumInterfaces) { 
@@ -608,28 +596,57 @@ libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsC "Select Configuration: Libusb NumberInterfaces(%" PRIu8 ") is different " "with MsConfig NumberInterfaces(%" PRIu32 ")", LibusbConfig->bNumInterfaces, MsConfig->NumInterfaces); + return NULL; } /* replace MsPipes for libusb */ - MsInterfaces = MsConfig->MsInterfaces; + MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces; for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++) { - MsInterface = MsInterfaces[inum]; + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; + if (MsInterface->InterfaceNumber >= MsConfig->NumInterfaces) + { + WLog_Print(urbdrc->log, WLOG_ERROR, + "MSUSB_CONFIG_DESCRIPTOR::NumInterfaces (%" PRIu32 + " <= MSUSB_INTERFACE_DESCRIPTOR::InterfaceNumber( %" PRIu8 ")", + MsConfig->NumInterfaces, MsInterface->InterfaceNumber); + return NULL; + } + + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + if (MsInterface->AlternateSetting >= LibusbInterface->num_altsetting) + { + WLog_Print(urbdrc->log, WLOG_ERROR, + "LIBUSB_INTERFACE::num_altsetting (%" PRId32 + " <= MSUSB_INTERFACE_DESCRIPTOR::AlternateSetting( %" PRIu8 ")", + LibusbInterface->num_altsetting, MsInterface->AlternateSetting); + return NULL; + } + } + + for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++) + { + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; + /* get libusb's number of endpoints */ - LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber]; - LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting]; - LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; - t_MsPipes = + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting = + &LibusbInterface->altsetting[MsInterface->AlternateSetting]; + const BYTE LibusbNumEndpoint = 
LibusbAltsetting->bNumEndpoints; + MSUSB_PIPE_DESCRIPTOR** t_MsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(LibusbNumEndpoint, sizeof(MSUSB_PIPE_DESCRIPTOR*)); for (UINT32 pnum = 0; pnum < LibusbNumEndpoint; pnum++) { - t_MsPipe = (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR)); + MSUSB_PIPE_DESCRIPTOR* t_MsPipe = + (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR)); if (pnum < MsInterface->NumberOfPipes && MsInterface->MsPipes) { - MsPipe = MsInterface->MsPipes[pnum]; + MSUSB_PIPE_DESCRIPTOR* MsPipe = MsInterface->MsPipes[pnum]; t_MsPipe->MaximumPacketSize = MsPipe->MaximumPacketSize; t_MsPipe->MaximumTransferSize = MsPipe->MaximumTransferSize; t_MsPipe->PipeFlags = MsPipe->PipeFlags; @@ -668,10 +685,12 @@ libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsC for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++) { MsOutSize += 16; - MsInterface = MsInterfaces[inum]; + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; /* get libusb's interface */ - LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber]; - LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting]; + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting = + &LibusbInterface->altsetting[MsInterface->AlternateSetting]; /* InterfaceHandle: 4 bytes * --------------------------------------------------------------- * ||<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|| 
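Review bot: The two calloc calls rewritten in the second loop of libusb_udev_complete_msconfig_setup are still unchecked: `t_MsPipes` is indexed by the pnum loop and `t_MsPipe` is dereferenced in the very next statement (`t_MsPipe->MaximumPacketSize = MsPipe->MaximumPacketSize;`), so an allocation failure becomes a NULL write instead of the clean `return NULL` this commit adds to the validation loop; the gap predates the commit, but since the lines are being rewritten this is the place to close it. Note that `calloc(0, ...)` may legitimately return NULL for an interface with no endpoints, so the check on `t_MsPipes` has to allow that case, and because the array is zero-filled by calloc, the entries allocated so far can be released with a plain loop of `free()` on failure. Separately, the new error messages have unbalanced parentheses (`NumInterfaces (%" PRIu32 " <= MSUSB_INTERFACE_DESCRIPTOR::InterfaceNumber( %" PRIu8 ")`); closing the first group after the number reads better. The function body continues past the hunk, including whatever takes ownership of t_MsPipes after the loop.
```c
	MSUSB_PIPE_DESCRIPTOR** t_MsPipes =
	    (MSUSB_PIPE_DESCRIPTOR**)calloc(LibusbNumEndpoint, sizeof(MSUSB_PIPE_DESCRIPTOR*));
	/* calloc(0, ...) may return NULL; only a non-empty request failing is an error */
	if (!t_MsPipes && LibusbNumEndpoint > 0)
		return NULL;

	for (UINT32 pnum = 0; pnum < LibusbNumEndpoint; pnum++)
	{
		MSUSB_PIPE_DESCRIPTOR* t_MsPipe =
		    (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));
		if (!t_MsPipe)
		{
			/* t_MsPipes is zero-filled, so unused slots are NULL and free() is a no-op on them */
			for (UINT32 i = 0; i < LibusbNumEndpoint; i++)
				free(t_MsPipes[i]);
			free(t_MsPipes);
			return NULL;
		}
		/* … unchanged: copy of MsPipe fields into t_MsPipe … */
```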
@@ -688,15 +707,16 @@ libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsC MsInterface->bInterfaceSubClass = LibusbAltsetting->bInterfaceSubClass; MsInterface->bInterfaceProtocol = LibusbAltsetting->bInterfaceProtocol; MsInterface->InitCompleted = 1; - MsPipes = MsInterface->MsPipes; - LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; + MSUSB_PIPE_DESCRIPTOR** MsPipes = MsInterface->MsPipes; + const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; for (UINT32 pnum = 0; pnum < LibusbNumEndpoint; pnum++) { MsOutSize += 20; - MsPipe = MsPipes[pnum]; + + MSUSB_PIPE_DESCRIPTOR* MsPipe = MsPipes[pnum]; /* get libusb's endpoint */ - LibusbEndpoint = &LibusbAltsetting->endpoint[pnum]; + const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint = &LibusbAltsetting->endpoint[pnum]; /* PipeHandle: 4 bytes * --------------------------------------------------------------- * ||<<< 1 byte >>>|<<< 1 byte >>>|<<<<<<<<<< 2 byte >>>>>>>>>>>|| diff --git a/channels/urbdrc/common/msusb.c b/channels/urbdrc/common/msusb.c index 8d6809741..1b6e29aeb 100644 --- a/channels/urbdrc/common/msusb.c +++ b/channels/urbdrc/common/msusb.c @@ -134,6 +134,8 @@ BOOL msusb_msinterface_replace(MSUSB_CONFIG_DESCRIPTOR* MsConfig, BYTE Interface { if (!MsConfig || !MsConfig->MsInterfaces) return FALSE; + if (MsConfig->NumInterfaces <= InterfaceNumber) + return FALSE; msusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]); MsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface; @@ -142,12 +144,10 @@ BOOL msusb_msinterface_replace(MSUSB_CONFIG_DESCRIPTOR* MsConfig, BYTE Interface MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s) { - MSUSB_INTERFACE_DESCRIPTOR* MsInterface = NULL; - if (!Stream_CheckAndLogRequiredCapacity(TAG, (s), 12)) return NULL; - MsInterface = msusb_msinterface_new(); + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = msusb_msinterface_new(); if (!MsInterface) return NULL; 
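Review bot: The inner loop `for (UINT32 pnum = 0; pnum < LibusbNumEndpoint; pnum++)` reads `MsPipes[pnum]` with a bound taken from libusb's `bNumEndpoints`, not from `MsInterface->NumberOfPipes`, so it stays in bounds only if the earlier replacement of MsInterface->MsPipes sized that array to exactly LibusbNumEndpoint. That replacement happens between the hunks and is not visible here, so it is worth confirming; a `WINPR_ASSERT(MsInterface->NumberOfPipes == LibusbNumEndpoint);` placed before the loop would document the invariant the loop depends on and catch a mismatch in debug builds. The function continues outside the hunk.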
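Review bot: The new `if (MsConfig->NumInterfaces <= InterfaceNumber) return FALSE;` in msusb_msinterface_replace returns without touching `NewMsInterface`, as the existing `!MsConfig->MsInterfaces` guard already did, so on failure the caller still owns NewMsInterface while on success MsConfig takes it. That asymmetry is easy to get wrong at call sites; a line on the function such as `/* On FALSE the caller still owns NewMsInterface; on TRUE it now belongs to MsConfig. */` would pin it down, or the function could release it itself before returning FALSE if callers treat the call as an unconditional handover. Writing the comparison as `InterfaceNumber >= MsConfig->NumInterfaces` would also match the form the same series uses in libusb_udev_complete_msconfig_setup.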
From 62a9e787edb2cfce9858fa4ceda5461680efc590 Mon Sep 17 00:00:00 2001 From: akallabeth Date: Sat, 10 Jan 2026 08:31:07 +0100 Subject: [PATCH 2/5] [crypto,base64] ensure char is singend --- libfreerdp/crypto/base64.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libfreerdp/crypto/base64.c b/libfreerdp/crypto/base64.c index 091e9a7e2..68ad3f076 100644 --- a/libfreerdp/crypto/base64.c +++ b/libfreerdp/crypto/base64.c @@ -400,7 +400,8 @@ static inline char* base64_encode(const BYTE* WINPR_RESTRICT alphabet, static inline int base64_decode_char(const signed char* WINPR_RESTRICT alphabet, char c) { - if (c <= '\0') + /* ensure char is signed for this check */ + if ((int)c <= '\0') return -1; return alphabet[(size_t)c]; From cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d Mon Sep 17 00:00:00 2001 From: akallabeth Date: Sat, 10 Jan 2026 08:36:38 +0100 Subject: [PATCH 3/5] [channels,audin] free up old audio formats --- channels/audin/client/audin_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c index bcaf1a646..b4c8ba580 100644 --- a/channels/audin/client/audin_main.c +++ b/channels/audin/client/audin_main.c @@ -206,6 +206,10 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c } Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */ + + audio_formats_free(callback->formats, callback->formats_count); + callback->formats_count = 0; + callback->formats = audio_formats_new(NumFormats); if (!callback->formats) From 668fcb49d4856fad28f685db54a572af2a284b50 Mon Sep 17 00:00:00 2001 From: akallabeth Date: Sat, 10 Jan 2026 09:33:54 +0100 Subject: [PATCH 4/5] [channels,rdpear] fix ndr_read checks --- channels/rdpear/common/ndr.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/channels/rdpear/common/ndr.c b/channels/rdpear/common/ndr.c index d318ed63c..d0bd6d959 100644 --- a/channels/rdpear/common/ndr.c +++ b/channels/rdpear/common/ndr.c 
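Review bot: The cast in `if ((int)c <= '\0')` does not do what the new comment claims: converting a `char` to `int` preserves its value, so on a target where `char` is unsigned (the case the comment worries about) a byte 0x80–0xFF becomes 128–255, the check only rejects NUL, and `alphabet[(size_t)c]` is then indexed with values that a signed-char build would have rejected (the table's size is outside the hunk). A check that is independent of char signedness, `if (c == '\0' || (unsigned char)c >= 0x80) return -1;`, or at least a cast that really changes the signedness, `if ((signed char)c <= 0)`, makes base64_decode_char correct regardless of build flags; the `-fsigned-char` added in patch 5 only covers GCC/Clang builds that consume that CMake list. The comment should then state the actual intent, e.g. `/* reject NUL and non-ASCII bytes regardless of the platform's char signedness */`.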
@@ -574,8 +574,10 @@ BOOL ndr_read_uconformant_array(NdrContext* context, wStream* s, const NdrArrayH WINPR_ASSERT(itemType); WINPR_ASSERT(vtarget); - UINT32 count = 0; + if (itemType->itemSize == 0) + return FALSE; + UINT32 count = 0; if (!ndr_read_uint32(context, s, &count)) return FALSE; @@ -910,6 +912,8 @@ BOOL ndr_read_pointedMessageEx(NdrContext* context, wStream* s, ndr_refid ptrId, if (!ret) { size_t itemCount = ndr_hintsCount(descr, hints); + if (itemCount == 0) + return FALSE; ret = calloc(itemCount, descr->itemSize); if (!ret) return FALSE; From 8d97de1b40ec917e412590bcc5245f19f6d2cc72 Mon Sep 17 00:00:00 2001 From: akallabeth Date: Sat, 10 Jan 2026 09:37:19 +0100 Subject: [PATCH 5/5] [cmake,compiler] add -fsigned-char to compiler flags --- cmake/CommonCompilerFlags.cmake | 1 + 1 file changed, 1 insertion(+) diff --git a/cmake/CommonCompilerFlags.cmake b/cmake/CommonCompilerFlags.cmake index 59fc03e29..d45400dd8 100644 --- a/cmake/CommonCompilerFlags.cmake +++ b/cmake/CommonCompilerFlags.cmake @@ -32,6 +32,7 @@ if(ENABLE_WARNING_ERROR) endif() list(APPEND COMMON_COMPILER_FLAGS -fno-omit-frame-pointer -Wredundant-decls) +list(APPEND COMMON_COMPILER_FLAGS -fsigned-char) include(ExportAllSymbols) include(CompilerSanitizerOptions)
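Review bot: The new `if (itemCount == 0) return FALSE;` in ndr_read_pointedMessageEx guards one factor of the following `calloc(itemCount, descr->itemSize)` but not the other, whereas the first hunk of this commit (ndr_read_uconformant_array) rejects `itemType->itemSize == 0` up front; a zero `descr->itemSize` here still hands calloc a zero-sized request, and the per-item reads that presumably follow outside the hunk would then operate on a NULL or zero-length `ret`. Making the two checks symmetric, `if (itemCount == 0 || descr->itemSize == 0) return FALSE;`, closes that and keeps the error handling consistent between the two functions. Both enclosing functions extend beyond their hunks.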
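Review bot: Appending `-fsigned-char` unconditionally makes the correctness of code such as base64_decode_char depend on a compiler flag rather than on the code, and it only takes effect for builds that consume COMMON_COMPILER_FLAGS; sources compiled with another build system, or with a compiler that does not accept the GCC/Clang spelling, fall back to the platform default (unsigned `char` on several ARM ABIs, for instance). The line sits next to `-fno-omit-frame-pointer`, so it is presumably already inside a GCC/Clang-only section, but a comment stating why the flag exists would help the next maintainer, e.g. `# char signedness is target-dependent; force signed so char-indexed table lookups behave the same on every platform`. Fixing the char handling in the code itself is the robust option, with this flag as a second line of defense.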