diff --git a/channels/cliprdr/cliprdr_common.c b/channels/cliprdr/cliprdr_common.c
index 1b079ad61..8eba10751 100644
--- a/channels/cliprdr/cliprdr_common.c
+++ b/channels/cliprdr/cliprdr_common.c
@@ -509,6 +509,9 @@ UINT cliprdr_read_format_list(wStream* s, CLIPRDR_FORMAT_LIST* formatList, BOOL
 while (Stream_GetRemainingLength(sub2) >= 4)
 {
+ if (index >= formatList->numFormats)
+ goto error_out;
+
 size_t rest = 0;
 CLIPRDR_FORMAT* format = &formats[index];
diff --git a/libfreerdp/core/errbase.c b/libfreerdp/core/errbase.c
index 4a59d0e45..8ca569df2 100644
--- a/libfreerdp/core/errbase.c
+++ b/libfreerdp/core/errbase.c
@@ -43,18 +43,14 @@ static const ERRINFO ERRBASE_CODES[] = { ERRBASE_DEFINE(SUCCESS),
 const char* freerdp_get_error_base_string(UINT32 code)
 {
- const ERRINFO* errInfo = NULL;
-
- errInfo = &ERRBASE_CODES[0];
-
- while (errInfo->code != ERRBASE_NONE)
+ for (size_t x = 0; x < ARRAYSIZE(ERRBASE_CODES); x++)
 {
+ const ERRINFO* errInfo = &ERRBASE_CODES[x];
+
 if (code == errInfo->code)
 {
 return errInfo->info;
 }
-
- errInfo++;
 }
 return "ERRBASE_UNKNOWN";
@@ -62,18 +58,13 @@ const char* freerdp_get_error_base_string(UINT32 code)
 const char* freerdp_get_error_base_category(UINT32 code)
 {
- const ERRINFO* errInfo = NULL;
-
- errInfo = &ERRBASE_CODES[0];
-
- while (errInfo->code != ERRBASE_NONE)
+ for (size_t x = 0; x < ARRAYSIZE(ERRBASE_CODES); x++)
 {
+ const ERRINFO* errInfo = &ERRBASE_CODES[x];
 if (code == errInfo->code)
 {
 return errInfo->category;
 }
-
- errInfo++;
 }
 return "ERRBASE_UNKNOWN";
@@ -81,18 +72,13 @@ const char* freerdp_get_error_base_category(UINT32 code)
 const char* freerdp_get_error_base_name(UINT32 code)
 {
- const ERRINFO* errInfo = NULL;
-
- errInfo = &ERRBASE_CODES[0];
-
- while (errInfo->code != ERRBASE_NONE)
+ for (size_t x = 0; x < ARRAYSIZE(ERRBASE_CODES); x++)
 {
+ const ERRINFO* errInfo = &ERRBASE_CODES[x];
 if (code == errInfo->code)
 {
 return errInfo->name;
 }
-
- errInfo++;
 }
 return "ERRBASE_UNKNOWN";
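Review bot: The new `index >= formatList->numFormats` guard jumps to error_out without saying why, whereas the other guards in this commit (tsg.c) log the offending value; a log line naming the announced count before the `goto` would make a peer that sends more format entries than it announced visible in diagnostics. The inverse case is not covered inside the hunk: if the sub-stream runs out before `index` reaches `numFormats`, the remaining `formats` slots are left as allocated, and unless they are zero-initialised elsewhere a post-loop check such as `if (index != formatList->numFormats) goto error_out;` would close that gap — worth confirming against the allocation, which is outside this hunk. cliprdr_read_format_list starts and ends outside the hunk.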
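Review bot: Dropping the `errInfo->code != ERRBASE_NONE` stop condition changes lookup semantics if ERRBASE_CODES still ends with an ERRBASE_NONE terminator entry: `freerdp_get_error_base_string(ERRBASE_NONE)` would then return that entry's strings instead of "ERRBASE_UNKNOWN", and the same applies to the category and name hunks at -62 and -81. Either confirm the terminator was removed from the table (the table body is outside the hunk) or skip it explicitly in the loop. The three loops are now textually identical apart from the member returned; a single static lookup helper returning the matching `ERRINFO*` keeps them from drifting and removes the duplication, sketched below. The closing brace of each function lies outside its hunk.
```c
/* Linear search of ERRBASE_CODES; returns NULL when the code is not in the table. */
static const ERRINFO* errbase_lookup(UINT32 code)
{
	for (size_t x = 0; x < ARRAYSIZE(ERRBASE_CODES); x++)
	{
		const ERRINFO* errInfo = &ERRBASE_CODES[x];
		if (code == errInfo->code)
			return errInfo;
	}
	return NULL;
}

const char* freerdp_get_error_base_string(UINT32 code)
{
	const ERRINFO* errInfo = errbase_lookup(code);
	return errInfo ? errInfo->info : "ERRBASE_UNKNOWN";
}
/* … unchanged in shape: freerdp_get_error_base_category / _name return ->category / ->name the same way … */
```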
diff --git a/libfreerdp/core/gateway/rpc_client.c b/libfreerdp/core/gateway/rpc_client.c
index 93d881122..ce6de8ea4 100644
--- a/libfreerdp/core/gateway/rpc_client.c
+++ b/libfreerdp/core/gateway/rpc_client.c
@@ -1128,6 +1128,12 @@ BOOL rpc_client_write_call(rdpRpc* rpc, wStream* s, UINT16 opnum)
 if (!credssp_auth_encrypt(auth, &plaintext, &ciphertext, &size, rpc->SendSeqNum++))
 goto fail;
+ if (offset + size > request_pdu.header.frag_length)
+ {
+ sspi_SecBufferFree(&ciphertext);
+ goto fail;
+ }
+
 CopyMemory(&buffer[offset], ciphertext.pvBuffer, size);
 offset += size;
diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c
index 39b3fbbfb..f79b58a0f 100644
--- a/libfreerdp/core/gateway/tsg.c
+++ b/libfreerdp/core/gateway/tsg.c
@@ -585,6 +585,13 @@ static BOOL tsg_ndr_read_version_caps(wLog* log, wStream* s, UINT32* index,
 if (!tsg_stream_align(log, s, 4))
 return FALSE;
+ if (caps->numCapabilities > 1)
+ {
+ WLog_ERR(TAG, "TSG_PACKET_VERSIONCAPS::numCapabilities > 1 (%" PRIu32 "), not supported!",
+ caps->numCapabilities);
+ return FALSE;
+ }
+
 return tsg_ndr_read_tsg_caps(log, s, &caps->tsgCaps);
 }
@@ -600,6 +607,13 @@ static BOOL tsg_ndr_write_version_caps(wLog* log, wStream* s, UINT32* index,
 if (!Stream_EnsureRemainingCapacity(s, 10))
 return FALSE;
+
+ if (caps->numCapabilities > 1)
+ {
+ WLog_ERR(TAG, "TSG_PACKET_VERSIONCAPS::numCapabilities > 1 (%" PRIu32 "), not supported!",
+ caps->numCapabilities);
+ return FALSE;
+ }
 Stream_Write_UINT32(s, caps->numCapabilities);
 Stream_Write_UINT16(s, caps->majorVersion);
 Stream_Write_UINT16(s, caps->minorVersion);
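Review bot: The added bound compares against `request_pdu.header.frag_length`, but the write on the following line lands in `buffer`; unless `buffer` is allocated to exactly frag_length bytes (its allocation is outside this hunk) the check should be against the destination's own size. Written as `offset + size`, the test also depends on the sum not wrapping in whatever width those two variables have; `if (offset > request_pdu.header.frag_length || size > request_pdu.header.frag_length - offset)` expresses the same bound without that dependency. Note that `rpc->SendSeqNum` has already been incremented when this path is taken, so a rejected fragment leaves the sequence counter advanced — likely harmless if `fail` tears the call down, but worth a one-line comment. rpc_client_write_call starts and ends outside the hunk.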
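Review bot: The new guard in tsg_ndr_read_version_caps logs through the global `WLog_ERR(TAG, …)` although the function receives a `wLog* log` that the surrounding calls (`tsg_stream_align(log, …)`, `tsg_ndr_read_tsg_caps(log, …)`) thread through; `WLog_Print(log, WLOG_ERROR, …)` would keep the diagnostic on the caller-supplied logger. The same check and message text are repeated verbatim in tsg_ndr_write_version_caps (-600) and tsg_packet_versioncaps_to_string (-855); one small static helper taking the caps pointer (and the logger where one is available) would keep the three copies in step. In the write path the check is placed after `Stream_EnsureRemainingCapacity(s, 10)`, so capacity is reserved before the packet is rejected — moving it above the capacity check is free. All three enclosing functions start outside their hunks.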
@@ -855,6 +869,13 @@ static BOOL tsg_packet_versioncaps_to_string(char** buffer, size_t* length,
 if (!tsg_print(buffer, length, " "))
 return FALSE;
+ if (caps->numCapabilities > 1)
+ {
+ WLog_ERR(TAG, "TSG_PACKET_VERSIONCAPS::numCapabilities > 1 (%" PRIu32 "), not supported!",
+ caps->numCapabilities);
+ return FALSE;
+ }
+
 if (!tsg_packet_capabilities_to_string(buffer, length, &caps->tsgCaps, caps->numCapabilities))
 return FALSE;
diff --git a/libfreerdp/core/window.c b/libfreerdp/core/window.c
index 3a051be30..9ce080cf8 100644
--- a/libfreerdp/core/window.c
+++ b/libfreerdp/core/window.c
@@ -1043,6 +1043,11 @@ static BOOL update_read_desktop_actively_monitored_order(wStream* s,
 Stream_Read_UINT32(s, monitored_desktop->windowIds[i]);
 }
 }
+ else
+ {
+ free(monitored_desktop->windowIds);
+ monitored_desktop->windowIds = NULL;
+ }
 }
 return TRUE;
@@ -1070,6 +1075,7 @@ static void dump_monitored_desktop(wLog* log, const char* msg, const WINDOW_ORDE
 DUMP_APPEND(buffer, bufferSize, " windows=(");
 for (UINT32 i = 0; i < monitored->numWindowIds; i++)
 {
+ WINPR_ASSERT(monitored->windowIds);
 DUMP_APPEND(buffer, bufferSize, "0x%" PRIx32 ",", monitored->windowIds[i]);
 }
 DUMP_APPEND(buffer, bufferSize, ")");
diff --git a/libfreerdp/crypto/certificate.c b/libfreerdp/crypto/certificate.c
index 03743435f..8904d368f 100644
--- a/libfreerdp/crypto/certificate.c
+++ b/libfreerdp/crypto/certificate.c
@@ -1459,7 +1459,13 @@ static BOOL bio_read_pem(BIO* bio, char** ppem, size_t* plength)
 break;
 length += blocksize;
 }
- pem[offset] = '\0';
+
+ if (pem)
+ {
+ if (offset >= length)
+ goto fail;
+ pem[offset] = '\0';
+ }
 *ppem = pem;
 if (plength)
 *plength = offset;
diff --git a/server/shadow/shadow_subsystem_builtin.c b/server/shadow/shadow_subsystem_builtin.c
index c37973546..8337633de 100644
--- a/server/shadow/shadow_subsystem_builtin.c
+++ b/server/shadow/shadow_subsystem_builtin.c
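Review bot: `WINPR_ASSERT(monitored->windowIds)` sits inside the loop body, so it is re-evaluated on every iteration and, being an assertion, does nothing for the dereference on the next line in builds where asserts are compiled out — a `numWindowIds > 0` with a NULL array would still fault there. Hoist it above the `for`, and if the dump must stay safe in release builds, guard the loop itself with `if (monitored->windowIds)` rather than relying on the assertion. The else branch added at -1043 frees and NULLs `windowIds` when its owning condition (outside that hunk) is false; if that condition is the zero-count case, the two hunks are consistent and a comment saying so at the assertion would spare the next reader the cross-check. dump_monitored_desktop starts and ends outside the hunk.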
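Review bot: `if (offset >= length) goto fail;` also rejects the case where the read loop filled the buffer exactly (`offset == length`), which appears reachable if the last read returned a full block before the `break`; that is valid PEM being refused for want of a terminator slot rather than an overflow. If that case can occur, growing the buffer by one byte here (or allocating `length + 1` in the loop) keeps the data; if it cannot, a one-line comment stating why would save the next reader the analysis. With the new `if (pem)` wrapper the function can apparently succeed with `*ppem == NULL` and `*plength == offset`; whether callers tolerate a NULL result belongs in bio_read_pem's contract comment. The function starts and ends outside the hunk.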
@@ -29,12 +29,12 @@ typedef struct
 extern int ShadowSubsystemEntry(RDP_SHADOW_ENTRY_POINTS* pEntryPoints);
 extern const char* ShadowSubsystemName(void);
-static RDP_SHADOW_SUBSYSTEM g_Subsystems[] = {
+static const RDP_SHADOW_SUBSYSTEM g_Subsystems[] = {
 { ShadowSubsystemName, ShadowSubsystemEntry }
 };
-static size_t g_SubsystemCount = ARRAYSIZE(g_Subsystems);
+static const size_t g_SubsystemCount = ARRAYSIZE(g_Subsystems);
 static pfnShadowSubsystemEntry shadow_subsystem_load_static_entry(const char* name)
 {
diff --git a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
index 94f652200..87d4f58c2 100644
--- a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
+++ b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
@@ -130,12 +130,17 @@ static SECURITY_STATUS NCryptP11StorageProvider_dtor(NCRYPT_HANDLE handle)
 static void fix_padded_string(char* str, size_t maxlen)
 {
- char* ptr = str + maxlen - 1;
+ if (maxlen == 0)
+ return;
- while (ptr > str && *ptr == ' ')
+ WINPR_ASSERT(str);
+ char* ptr = &str[maxlen - 1];
+
+ while ((ptr > str) && (*ptr == ' '))
+ {
+ *ptr = '\0';
 ptr--;
- ptr++;
- *ptr = 0;
+ }
 }
 static BOOL attributes_have_unallocated_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count)
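Review bot: The trimming loop stops at `ptr > str`, so when every byte of the padded field is a space the first byte is never cleared and the result is the one-character string `" "` rather than an empty one; the old code had the same gap, and a pointer-based loop cannot close it without forming `str - 1`. Iterating on a length instead clears all bytes in bounds and never forms an out-of-range pointer, as below. Also worth a comment on the function: when the last byte is not a space no terminator is written at all — correct, since there is no room for one — so callers must reserve `maxlen + 1` bytes or use bounded copies on the result (the callers are outside this hunk). The function is complete within the hunk.
```c
static void fix_padded_string(char* str, size_t maxlen)
{
	if (maxlen == 0)
		return;

	WINPR_ASSERT(str);
	/* Strip trailing blanks in place; a terminator is written only where a blank was. */
	size_t len = maxlen;
	while ((len > 0) && (str[len - 1] == ' '))
		str[--len] = '\0';
}
```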