diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 01:25:36 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 01:25:36 +0000 |
commit | 8050c230ded858d59518fce751e28713dd4266f9 (patch) | |
tree | 3b2835ad0af9b436b7ae77963fc10735adc13d25 /libfreerdp | |
parent | Adding upstream version 3.5.0+dfsg1. (diff) | |
download | freerdp3-8050c230ded858d59518fce751e28713dd4266f9.tar.xz freerdp3-8050c230ded858d59518fce751e28713dd4266f9.zip |
Adding upstream version 3.5.1+dfsg1.upstream/3.5.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'libfreerdp')
26 files changed, 493 insertions, 194 deletions
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c index 512aeae..c9538c8 100644 --- a/libfreerdp/codec/clear.c +++ b/libfreerdp/codec/clear.c @@ -500,12 +500,12 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* clear, wStream* s, { case 0: /* Uncompressed */ { - UINT32 nSrcStep = width * FreeRDPGetBytesPerPixel(PIXEL_FORMAT_BGR24); - UINT32 nSrcSize = nSrcStep * height; + const UINT32 nSrcStep = width * FreeRDPGetBytesPerPixel(PIXEL_FORMAT_BGR24); + const size_t nSrcSize = 1ull * nSrcStep * height; if (bitmapDataByteCount != nSrcSize) { - WLog_ERR(TAG, "bitmapDataByteCount %" PRIu32 " != nSrcSize %" PRIu32 "", + WLog_ERR(TAG, "bitmapDataByteCount %" PRIu32 " != nSrcSize %" PRIuz "", bitmapDataByteCount, nSrcSize); return FALSE; } @@ -798,10 +798,16 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32 count = (vBarPixelCount > y) ? (vBarPixelCount - y) : 0; if (count > 0) - pSrcPixel = - &vBarShortEntry - ->pixels[(y - vBarYOn) * FreeRDPGetBytesPerPixel(clear->format)]; - + { + const size_t offset = + (1ull * y - vBarYOn) * FreeRDPGetBytesPerPixel(clear->format); + pSrcPixel = &vBarShortEntry->pixels[offset]; + if (offset + count > vBarShortEntry->count) + { + WLog_ERR(TAG, "offset + count > vBarShortEntry->count"); + return FALSE; + } + } for (UINT32 x = 0; x < count; x++) { UINT32 color = 0; @@ -1169,7 +1175,10 @@ CLEAR_CONTEXT* clear_context_new(BOOL Compressor) return clear; error_nsc: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC clear_context_free(clear); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/color.c b/libfreerdp/codec/color.c index 186d477..2c3d08a 100644 --- a/libfreerdp/codec/color.c +++ b/libfreerdp/codec/color.c @@ -583,16 +583,16 @@ static BOOL freerdp_image_copy_no_overlap(BYTE* WINPR_RESTRICT pDstData, DWORD D UINT32 nSrcStep, UINT32 nXSrc, UINT32 nYSrc, const gdiPalette* WINPR_RESTRICT palette, UINT32 flags) { - const UINT32 dstByte = FreeRDPGetBytesPerPixel(DstFormat); - const UINT32 srcByte = FreeRDPGetBytesPerPixel(SrcFormat); - const UINT32 copyDstWidth = nWidth * dstByte; - const UINT32 xSrcOffset = nXSrc * srcByte; - const UINT32 xDstOffset = nXDst * dstByte; + const SSIZE_T dstByte = FreeRDPGetBytesPerPixel(DstFormat); + const SSIZE_T srcByte = FreeRDPGetBytesPerPixel(SrcFormat); + const SSIZE_T copyDstWidth = nWidth * dstByte; + const SSIZE_T xSrcOffset = nXSrc * srcByte; + const SSIZE_T xDstOffset = nXDst * dstByte; const BOOL vSrcVFlip = (flags & FREERDP_FLIP_VERTICAL) ? TRUE : FALSE; - UINT32 srcVOffset = 0; - INT32 srcVMultiplier = 1; - UINT32 dstVOffset = 0; - INT32 dstVMultiplier = 1; + SSIZE_T srcVOffset = 0; + SSIZE_T srcVMultiplier = 1; + SSIZE_T dstVOffset = 0; + SSIZE_T dstVMultiplier = 1; if ((nHeight > INT32_MAX) || (nWidth > INT32_MAX)) return FALSE; @@ -608,24 +608,24 @@ static BOOL freerdp_image_copy_no_overlap(BYTE* WINPR_RESTRICT pDstData, DWORD D if (vSrcVFlip) { - srcVOffset = (nHeight - 1) * nSrcStep; + srcVOffset = (nHeight - 1ll) * nSrcStep; srcVMultiplier = -1; } if (((flags & FREERDP_KEEP_DST_ALPHA) != 0) && FreeRDPColorHasAlpha(DstFormat)) { - for (UINT32 y = 0; y < nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { const BYTE* WINPR_RESTRICT srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; BYTE* WINPR_RESTRICT dstLine = - &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; UINT32 color = FreeRDPReadColor(&srcLine[nXSrc * srcByte], SrcFormat); UINT32 oldColor = color; UINT32 dstColor = FreeRDPConvertColor(color, SrcFormat, DstFormat, palette); FreeRDPWriteColorIgnoreAlpha(&dstLine[nXDst * dstByte], DstFormat, dstColor); - for (UINT32 x = 1; x < nWidth; x++) + for (SSIZE_T x = 1; x < nWidth; x++) { color = FreeRDPReadColor(&srcLine[(x + nXSrc) * srcByte], SrcFormat); if (color == oldColor) @@ -645,29 +645,29 @@ static BOOL freerdp_image_copy_no_overlap(BYTE* WINPR_RESTRICT pDstData, DWORD D } else if (FreeRDPAreColorFormatsEqualNoAlpha(SrcFormat, DstFormat)) { - for (UINT32 y = 0; y < nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { const BYTE* WINPR_RESTRICT srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; BYTE* WINPR_RESTRICT dstLine = - &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; memcpy(&dstLine[xDstOffset], &srcLine[xSrcOffset], copyDstWidth); } } else { - for (UINT32 y = 0; y < nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { const BYTE* WINPR_RESTRICT srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; BYTE* WINPR_RESTRICT dstLine = - &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; UINT32 color = FreeRDPReadColor(&srcLine[nXSrc * srcByte], SrcFormat); UINT32 oldColor = color; UINT32 dstColor = FreeRDPConvertColor(color, SrcFormat, DstFormat, palette); FreeRDPWriteColor(&dstLine[nXDst * dstByte], DstFormat, dstColor); - for (UINT32 x = 1; x < nWidth; x++) + for (SSIZE_T x = 1; x < nWidth; x++) { color = FreeRDPReadColor(&srcLine[(x + nXSrc) * srcByte], SrcFormat); if (color == oldColor) @@ -699,10 +699,10 @@ static BOOL freerdp_image_copy_overlap(BYTE* pDstData, DWORD DstFormat, UINT32 n const UINT32 xSrcOffset = nXSrc * srcByte; const UINT32 xDstOffset = nXDst * dstByte; const BOOL vSrcVFlip = (flags & FREERDP_FLIP_VERTICAL) ? TRUE : FALSE; - UINT32 srcVOffset = 0; - INT32 srcVMultiplier = 1; - UINT32 dstVOffset = 0; - INT32 dstVMultiplier = 1; + SSIZE_T srcVOffset = 0; + SSIZE_T srcVMultiplier = 1; + SSIZE_T dstVOffset = 0; + SSIZE_T dstVMultiplier = 1; if ((nHeight > INT32_MAX) || (nWidth > INT32_MAX)) return FALSE; @@ -718,16 +718,16 @@ static BOOL freerdp_image_copy_overlap(BYTE* pDstData, DWORD DstFormat, UINT32 n if (vSrcVFlip) { - srcVOffset = (nHeight - 1) * nSrcStep; + srcVOffset = (nHeight - 1ll) * nSrcStep; srcVMultiplier = -1; } if (((flags & FREERDP_KEEP_DST_ALPHA) != 0) && FreeRDPColorHasAlpha(DstFormat)) { - for (UINT32 y = 0; y < nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { - const BYTE* srcLine = &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + const BYTE* srcLine = &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; UINT32 color = FreeRDPReadColor(&srcLine[nXSrc * srcByte], SrcFormat); UINT32 oldColor = color; @@ -756,44 +756,44 @@ static BOOL freerdp_image_copy_overlap(BYTE* pDstData, DWORD DstFormat, UINT32 n /* Copy down */ if (nYDst < nYSrc) { - for (INT32 y = 0; y < (INT32)nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { const BYTE* srcLine = &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; memcpy(&dstLine[xDstOffset], &srcLine[xSrcOffset], copyDstWidth); } } /* Copy up */ else if (nYDst > nYSrc) { - for (INT32 y = (INT32)nHeight - 1; y >= 0; y--) + for (SSIZE_T y = nHeight - 1; y >= 0; y--) { const BYTE* srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; memcpy(&dstLine[xDstOffset], &srcLine[xSrcOffset], copyDstWidth); } } /* Copy left */ else if (nXSrc > nXDst) { - for (INT32 y = 0; y < (INT32)nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { const BYTE* srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; memmove(&dstLine[xDstOffset], &srcLine[xSrcOffset], copyDstWidth); } } /* Copy right */ else if (nXSrc < nXDst) { - for (INT32 y = (INT32)nHeight - 1; y >= 0; y--) + for (SSIZE_T y = nHeight - 1; y >= 0; y--) { const BYTE* srcLine = - &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; memmove(&dstLine[xDstOffset], &srcLine[xSrcOffset], copyDstWidth); } } @@ -804,16 +804,16 @@ static BOOL freerdp_image_copy_overlap(BYTE* pDstData, DWORD DstFormat, UINT32 n } else { - for (UINT32 y = 0; y < nHeight; y++) + for (SSIZE_T y = 0; y < nHeight; y++) { - const BYTE* srcLine = &pSrcData[(y + nYSrc) * nSrcStep * srcVMultiplier + srcVOffset]; - BYTE* dstLine = &pDstData[(y + nYDst) * nDstStep * dstVMultiplier + dstVOffset]; + const BYTE* srcLine = &pSrcData[srcVMultiplier * (y + nYSrc) * nSrcStep + srcVOffset]; + BYTE* dstLine = &pDstData[dstVMultiplier * (y + nYDst) * nDstStep + dstVOffset]; UINT32 color = FreeRDPReadColor(&srcLine[nXSrc * srcByte], SrcFormat); UINT32 oldColor = color; UINT32 dstColor = FreeRDPConvertColor(color, SrcFormat, DstFormat, palette); FreeRDPWriteColor(&dstLine[nXDst * dstByte], DstFormat, dstColor); - for (UINT32 x = 1; x < nWidth; x++) + for (SSIZE_T x = 1; x < nWidth; x++) { color = FreeRDPReadColor(&srcLine[(x + nXSrc) * srcByte], SrcFormat); if (color == oldColor) @@ -847,6 +847,9 @@ BOOL freerdp_image_copy(BYTE* pDstData, DWORD DstFormat, UINT32 nDstStep, UINT32 if (!pDstData || !pSrcData) return FALSE; + if ((nWidth == 0) || (nHeight == 0)) + return TRUE; + if (nDstStep == 0) nDstStep = nWidth * FreeRDPGetBytesPerPixel(DstFormat); diff --git a/libfreerdp/codec/h264_ffmpeg.c b/libfreerdp/codec/h264_ffmpeg.c index 54492e1..a2ad12f 100644 --- a/libfreerdp/codec/h264_ffmpeg.c +++ b/libfreerdp/codec/h264_ffmpeg.c @@ -636,6 +636,7 @@ static BOOL libavcodec_init(H264_CONTEXT* h264) goto fail_hwdevice_create; } } + WLog_Print(h264->log, WLOG_INFO, "Using VAAPI for accelerated H264 decoding"); sys->codecDecoderContext->get_format = libavcodec_get_format; sys->hw_pix_fmt = AV_PIX_FMT_VAAPI; diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c index df148b6..262895d 100644 --- a/libfreerdp/codec/interleaved.c +++ b/libfreerdp/codec/interleaved.c @@ -212,7 +212,7 @@ static UINT ExtractRunLengthRegularFgBg(const BYTE* pbOrderHdr, const BYTE* pbEn runLength = (*pbOrderHdr) & g_MaskRegularRunLength; if (runLength == 0) { - if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) + if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) { *advance = 0; return 0; @@ -262,7 +262,7 @@ static UINT ExtractRunLengthRegular(const BYTE* pbOrderHdr, const BYTE* pbEnd, U runLength = *pbOrderHdr & g_MaskRegularRunLength; if (runLength == 0) { - if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) + if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) { *advance = 0; return 0; @@ -282,7 +282,7 @@ static UINT ExtractRunLengthMegaMega(const BYTE* pbOrderHdr, const BYTE* pbEnd, WINPR_ASSERT(pbEnd); WINPR_ASSERT(advance); - if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) + if (!buffer_within_range(pbOrderHdr, 3, pbEnd)) { *advance = 0; return 0; @@ -305,7 +305,7 @@ static UINT ExtractRunLengthLite(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT runLength = *pbOrderHdr & g_MaskLiteRunLength; if (runLength == 0) { - if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) + if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) { *advance = 0; return 0; @@ -735,7 +735,10 @@ BITMAP_INTERLEAVED_CONTEXT* bitmap_interleaved_context_new(BOOL Compressor) return interleaved; fail: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC bitmap_interleaved_context_free(interleaved); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c index 74f4e28..d1b594b 100644 --- a/libfreerdp/codec/nsc.c +++ b/libfreerdp/codec/nsc.c @@ -86,8 +86,8 @@ static BOOL nsc_decode(NSC_CONTEXT* context) for (UINT32 x = 0; x < context->width; x++) { INT16 y_val = (INT16)*yplane; - INT16 co_val = (INT16)(INT8)(*coplane << shift); - INT16 cg_val = (INT16)(INT8)(*cgplane << shift); + INT16 co_val = (INT16)(INT8)(((INT16)*coplane) << shift); + INT16 cg_val = (INT16)(INT8)(((INT16)*cgplane) << shift); INT16 r_val = y_val + co_val - cg_val; INT16 g_val = y_val + cg_val; INT16 b_val = y_val - co_val - cg_val; @@ -250,6 +250,13 @@ static BOOL nsc_stream_initialize(NSC_CONTEXT* context, wStream* s) } Stream_Read_UINT8(s, context->ColorLossLevel); /* ColorLossLevel (1 byte) */ + if ((context->ColorLossLevel < 1) || (context->ColorLossLevel > 7)) + { + WLog_Print(context->priv->log, WLOG_ERROR, + "ColorLossLevel=%" PRIu8 " out of range, must be [1,7] inclusive", + context->ColorLossLevel); + return FALSE; + } Stream_Read_UINT8(s, context->ChromaSubsamplingLevel); /* ChromaSubsamplingLevel (1 byte) */ Stream_Seek(s, 2); /* Reserved (2 bytes) */ context->Planes = Stream_Pointer(s); @@ -363,7 +370,10 @@ NSC_CONTEXT* nsc_context_new(void) NSC_INIT_SIMD(context); return context; error: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC nsc_context_free(context); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c index 4b51a02..e894761 100644 --- a/libfreerdp/codec/planar.c +++ b/libfreerdp/codec/planar.c @@ -1747,7 +1747,10 @@ BITMAP_PLANAR_CONTEXT* freerdp_bitmap_planar_context_new(DWORD flags, UINT32 max if (!freerdp_bitmap_planar_context_reset(context, maxWidth, maxHeight)) { + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC freerdp_bitmap_planar_context_free(context); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c index df98ad3..3ab84ef 100644 --- a/libfreerdp/codec/progressive.c +++ b/libfreerdp/codec/progressive.c @@ -2312,67 +2312,11 @@ static SSIZE_T progressive_parse_block(PROGRESSIVE_CONTEXT* progressive, wStream return rc; } -INT32 progressive_decompress(PROGRESSIVE_CONTEXT* progressive, const BYTE* pSrcData, UINT32 SrcSize, - BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst, - UINT32 nYDst, REGION16* invalidRegion, UINT16 surfaceId, - UINT32 frameId) +static BOOL update_tiles(PROGRESSIVE_CONTEXT* progressive, PROGRESSIVE_SURFACE_CONTEXT* surface, + BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst, + UINT32 nYDst, PROGRESSIVE_BLOCK_REGION* region, REGION16* invalidRegion) { - INT32 rc = 1; - - WINPR_ASSERT(progressive); - PROGRESSIVE_SURFACE_CONTEXT* surface = progressive_get_surface_data(progressive, surfaceId); - - if (!surface) - { - WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion no surface for %" PRIu16, - surfaceId); - return -1001; - } - - PROGRESSIVE_BLOCK_REGION* region = &progressive->region; - WINPR_ASSERT(region); - - if (surface->frameId != frameId) - { - surface->frameId = frameId; - surface->numUpdatedTiles = 0; - } - - wStream ss = { 0 }; - wStream* s = Stream_StaticConstInit(&ss, pSrcData, SrcSize); - WINPR_ASSERT(s); - - switch (DstFormat) - { - case PIXEL_FORMAT_RGBA32: - case PIXEL_FORMAT_RGBX32: - case PIXEL_FORMAT_BGRA32: - case PIXEL_FORMAT_BGRX32: - progressive->format = DstFormat; - break; - default: - progressive->format = PIXEL_FORMAT_XRGB32; - break; - } - - const size_t start = Stream_GetPosition(s); - progressive->state = 0; /* Set state to not initialized */ - while (Stream_GetRemainingLength(s) > 0) - { - if (progressive_parse_block(progressive, s, surface, region) < 0) - goto fail; - } - - const size_t end = Stream_GetPosition(s); - if ((end - start) != SrcSize) - { - WLog_Print(progressive->log, WLOG_ERROR, - "total block len %" PRIuz " does not match read data %" PRIu32, end - start, - SrcSize); - rc = -1041; - goto fail; - } - + BOOL rc = TRUE; REGION16 clippingRects = { 0 }; region16_init(&clippingRects); @@ -2425,13 +2369,11 @@ INT32 progressive_decompress(PROGRESSIVE_CONTEXT* progressive, const BYTE* pSrcD goto fail; if (rect->top + height > surface->height) goto fail; - if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, rect->left, rect->top, width, + rc = freerdp_image_copy(pDstData, DstFormat, nDstStep, rect->left, rect->top, width, height, tile->data, progressive->format, tile->stride, nXSrc, - nYSrc, NULL, FREERDP_KEEP_DST_ALPHA)) - { - rc = -42; + nYSrc, NULL, FREERDP_KEEP_DST_ALPHA); + if (!rc) break; - } if (invalidRegion) region16_union_rect(invalidRegion, invalidRegion, rect); @@ -2441,8 +2383,75 @@ INT32 progressive_decompress(PROGRESSIVE_CONTEXT* progressive, const BYTE* pSrcD tile->dirty = FALSE; } +fail: region16_uninit(&clippingRects); - surface->numUpdatedTiles = 0; + return rc; +} + +INT32 progressive_decompress(PROGRESSIVE_CONTEXT* progressive, const BYTE* pSrcData, UINT32 SrcSize, + BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst, + UINT32 nYDst, REGION16* invalidRegion, UINT16 surfaceId, + UINT32 frameId) +{ + INT32 rc = 1; + + WINPR_ASSERT(progressive); + PROGRESSIVE_SURFACE_CONTEXT* surface = progressive_get_surface_data(progressive, surfaceId); + + if (!surface) + { + WLog_Print(progressive->log, WLOG_ERROR, "ProgressiveRegion no surface for %" PRIu16, + surfaceId); + return -1001; + } + + PROGRESSIVE_BLOCK_REGION* region = &progressive->region; + WINPR_ASSERT(region); + + if (surface->frameId != frameId) + { + surface->frameId = frameId; + surface->numUpdatedTiles = 0; + } + + wStream ss = { 0 }; + wStream* s = Stream_StaticConstInit(&ss, pSrcData, SrcSize); + WINPR_ASSERT(s); + + switch (DstFormat) + { + case PIXEL_FORMAT_RGBA32: + case PIXEL_FORMAT_RGBX32: + case PIXEL_FORMAT_BGRA32: + case PIXEL_FORMAT_BGRX32: + progressive->format = DstFormat; + break; + default: + progressive->format = PIXEL_FORMAT_XRGB32; + break; + } + + const size_t start = Stream_GetPosition(s); + progressive->state = 0; /* Set state to not initialized */ + while (Stream_GetRemainingLength(s) > 0) + { + if (progressive_parse_block(progressive, s, surface, region) < 0) + goto fail; + } + + const size_t end = Stream_GetPosition(s); + if ((end - start) != SrcSize) + { + WLog_Print(progressive->log, WLOG_ERROR, + "total block len %" PRIuz " does not match read data %" PRIu32, end - start, + SrcSize); + rc = -1041; + goto fail; + } + + if (!update_tiles(progressive, surface, pDstData, DstFormat, nDstStep, nXDst, nYDst, region, + invalidRegion)) + return -2002; fail: return rc; } @@ -2631,7 +2640,10 @@ PROGRESSIVE_CONTEXT* progressive_context_new_ex(BOOL Compressor, UINT32 Threadin } return progressive; fail: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC progressive_context_free(progressive); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c index 66ed1e0..c12f6d4 100644 --- a/libfreerdp/codec/rfx.c +++ b/libfreerdp/codec/rfx.c @@ -342,7 +342,10 @@ RFX_CONTEXT* rfx_context_new_ex(BOOL encoder, UINT32 ThreadingFlags) context->expectedDataBlockType = WBT_FRAME_BEGIN; return context; fail: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC rfx_context_free(context); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/test/TestFuzzCodecs.c b/libfreerdp/codec/test/TestFuzzCodecs.c index d83d8d4..f923765 100644 --- a/libfreerdp/codec/test/TestFuzzCodecs.c +++ b/libfreerdp/codec/test/TestFuzzCodecs.c @@ -453,28 +453,15 @@ int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) if (Size < 4) return 0; - int i = 0; - winpr_RAND(&i, sizeof(i)); - i = i % 18; - - if (i < 2) - TestFreeRDPCodecClear(Data, Size); - else if (i < 4) - TestFreeRDPCodecXCrush(Data, Size); - else if (i < 6) - TestFreeRDPCodecZGfx(Data, Size); - else if (i < 8) - TestFreeRDPCodecNCrush(Data, Size); - else if (i < 10) - TestFreeRDPCodecRemoteFX(Data, Size); - else if (i < 12) - TestFreeRDPCodecMppc(Data, Size); - else if (i < 14) - TestFreeRDPCodecProgressive(Data, Size); - else if (i < 16) - TestFreeRDPCodecInterleaved(Data, Size); - else if (i < 18) - TestFreeRDPCodecPlanar(Data, Size); + TestFreeRDPCodecClear(Data, Size); + TestFreeRDPCodecXCrush(Data, Size); + TestFreeRDPCodecZGfx(Data, Size); + TestFreeRDPCodecNCrush(Data, Size); + TestFreeRDPCodecRemoteFX(Data, Size); + TestFreeRDPCodecMppc(Data, Size); + TestFreeRDPCodecProgressive(Data, Size); + TestFreeRDPCodecInterleaved(Data, Size); + TestFreeRDPCodecPlanar(Data, Size); return 0; } diff --git a/libfreerdp/codec/yuv.c b/libfreerdp/codec/yuv.c index c546566..97c2374 100644 --- a/libfreerdp/codec/yuv.c +++ b/libfreerdp/codec/yuv.c @@ -251,7 +251,10 @@ YUV_CONTEXT* yuv_context_new(BOOL encoder, UINT32 ThreadingFlags) return ret; error_threadpool: + WINPR_PRAGMA_DIAG_PUSH + WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC yuv_context_free(ret); + WINPR_PRAGMA_DIAG_POP return NULL; } diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c index b7ee275..3a9d2e5 100644 --- a/libfreerdp/codec/zgfx.c +++ b/libfreerdp/codec/zgfx.c @@ -382,16 +382,46 @@ static BYTE* aligned_zgfx_malloc(size_t size) return malloc(size + 64); } +static BOOL zgfx_append(ZGFX_CONTEXT* zgfx, BYTE** ppConcatenated, size_t uncompressedSize, + size_t* pUsed) +{ + WINPR_ASSERT(zgfx); + WINPR_ASSERT(ppConcatenated); + WINPR_ASSERT(pUsed); + + const size_t used = *pUsed; + if (zgfx->OutputCount > UINT32_MAX - used) + return FALSE; + + if (used + zgfx->OutputCount > uncompressedSize) + return FALSE; + + BYTE* tmp = realloc(*ppConcatenated, used + zgfx->OutputCount + 64ull); + if (!tmp) + return FALSE; + *ppConcatenated = tmp; + CopyMemory(&tmp[used], zgfx->OutputBuffer, zgfx->OutputCount); + *pUsed = used + zgfx->OutputCount; + return TRUE; +} + int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BYTE** ppDstData, UINT32* pDstSize, UINT32 flags) { int status = -1; BYTE descriptor = 0; wStream sbuffer = { 0 }; + size_t used = 0; + BYTE* pConcatenated = NULL; wStream* stream = Stream_StaticConstInit(&sbuffer, pSrcData, SrcSize); WINPR_ASSERT(zgfx); WINPR_ASSERT(stream); + WINPR_ASSERT(ppDstData); + WINPR_ASSERT(pDstSize); + + *ppDstData = NULL; + *pDstSize = 0; if (!Stream_CheckAndLogRequiredLength(TAG, stream, 1)) goto fail; @@ -403,16 +433,15 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY if (!zgfx_decompress_segment(zgfx, stream, Stream_GetRemainingLength(stream))) goto fail; - *ppDstData = NULL; - if (zgfx->OutputCount > 0) - *ppDstData = aligned_zgfx_malloc(zgfx->OutputCount); - - if (!*ppDstData) - goto fail; - - *pDstSize = zgfx->OutputCount; - CopyMemory(*ppDstData, zgfx->OutputBuffer, zgfx->OutputCount); + { + if (!zgfx_append(zgfx, &pConcatenated, zgfx->OutputCount, &used)) + goto fail; + if (used != zgfx->OutputCount) + goto fail; + *ppDstData = pConcatenated; + *pDstSize = zgfx->OutputCount; + } } else if (descriptor == ZGFX_SEGMENTED_MULTIPART) { @@ -420,8 +449,6 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY UINT16 segmentNumber = 0; UINT16 segmentCount = 0; UINT32 uncompressedSize = 0; - BYTE* pConcatenated = NULL; - size_t used = 0; if (!Stream_CheckAndLogRequiredLength(TAG, stream, 6)) goto fail; @@ -429,17 +456,6 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY Stream_Read_UINT16(stream, segmentCount); /* segmentCount (2 bytes) */ Stream_Read_UINT32(stream, uncompressedSize); /* uncompressedSize (4 bytes) */ - if (!Stream_CheckAndLogRequiredLengthOfSize(TAG, stream, segmentCount, sizeof(UINT32))) - goto fail; - - pConcatenated = aligned_zgfx_malloc(uncompressedSize); - - if (!pConcatenated) - goto fail; - - *ppDstData = pConcatenated; - *pDstSize = uncompressedSize; - for (segmentNumber = 0; segmentNumber < segmentCount; segmentNumber++) { if (!Stream_CheckAndLogRequiredLength(TAG, stream, sizeof(UINT32))) @@ -450,16 +466,15 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY if (!zgfx_decompress_segment(zgfx, stream, segmentSize)) goto fail; - if (zgfx->OutputCount > UINT32_MAX - used) + if (!zgfx_append(zgfx, &pConcatenated, uncompressedSize, &used)) goto fail; + } - if (used + zgfx->OutputCount > uncompressedSize) - goto fail; + if (used != uncompressedSize) + goto fail; - CopyMemory(pConcatenated, zgfx->OutputBuffer, zgfx->OutputCount); - pConcatenated += zgfx->OutputCount; - used += zgfx->OutputCount; - } + *ppDstData = pConcatenated; + *pDstSize = uncompressedSize; } else { @@ -468,6 +483,8 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY status = 1; fail: + if (status < 0) + free(pConcatenated); return status; } diff --git a/libfreerdp/core/aad.c b/libfreerdp/core/aad.c index 15eabed..00593a0 100644 --- a/libfreerdp/core/aad.c +++ b/libfreerdp/core/aad.c @@ -716,11 +716,11 @@ static char* bn_to_base64_url(wLog* wlog, rdpPrivateKey* key, enum FREERDP_KEY_P WINPR_ASSERT(key); size_t len = 0; - char* bn = freerdp_key_get_param(key, param, &len); + BYTE* bn = freerdp_key_get_param(key, param, &len); if (!bn) return NULL; - char* b64 = (char*)crypto_base64url_encode(bn, len); + char* b64 = crypto_base64url_encode(bn, len); free(bn); if (!b64) diff --git a/libfreerdp/core/gcc.c b/libfreerdp/core/gcc.c index 733a763..f2d035a 100644 --- a/libfreerdp/core/gcc.c +++ b/libfreerdp/core/gcc.c @@ -1765,6 +1765,9 @@ static BOOL gcc_update_server_random(rdpSettings* settings) */ BOOL gcc_write_server_security_data(wStream* s, rdpMcs* mcs) { + if (!gcc_update_server_random(mcs_get_settings(mcs))) + return FALSE; + const rdpSettings* settings = mcs_get_const_settings(mcs); WINPR_ASSERT(s); @@ -1779,8 +1782,6 @@ BOOL gcc_write_server_security_data(wStream* s, rdpMcs* mcs) if (settings->EncryptionMethods == ENCRYPTION_METHOD_NONE) return TRUE; - if (!gcc_update_server_random(settings)) - return FALSE; if (!Stream_EnsureRemainingCapacity(s, sizeof(UINT32) + settings->ServerRandomLength)) return FALSE; diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c index 7d6eec1..3395e4d 100644 --- a/libfreerdp/core/info.c +++ b/libfreerdp/core/info.c @@ -1398,6 +1398,10 @@ static BOOL rdp_write_logon_info_v1(wStream* s, logon_info* info) return FALSE; /* domain */ + WINPR_ASSERT(info); + if (!info->domain || !info->username) + return FALSE; + len = strnlen(info->domain, charLen + 1); if (len > charLen) return FALSE; diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c index 855b700..bef1b45 100644 --- a/libfreerdp/core/orders.c +++ b/libfreerdp/core/orders.c @@ -797,9 +797,11 @@ static INLINE BOOL update_write_4byte_unsigned(wStream* s, UINT32 value) return TRUE; } + static INLINE BOOL update_read_delta(wStream* s, INT32* value) { BYTE byte = 0; + UINT32 uvalue = 0; if (!Stream_CheckAndLogRequiredLength(TAG, s, 1)) return FALSE; @@ -807,9 +809,9 @@ static INLINE BOOL update_read_delta(wStream* s, INT32* value) Stream_Read_UINT8(s, byte); if (byte & 0x40) - *value = (byte | ~0x3F); + uvalue = (byte | ~0x3F); else - *value = (byte & 0x3F); + uvalue = (byte & 0x3F); if (byte & 0x80) { @@ -817,8 +819,9 @@ static INLINE BOOL update_read_delta(wStream* s, INT32* value) return FALSE; Stream_Read_UINT8(s, byte); - *value = (*value << 8) | byte; + uvalue = (uvalue << 8) | byte; } + *value = (INT32)uvalue; return TRUE; } @@ -2171,7 +2174,9 @@ static BOOL update_read_ellipse_cb_order(const char* orderName, wStream* s, return TRUE; return FALSE; } + /* Secondary Drawing Orders */ +WINPR_ATTR_MALLOC(free_cache_bitmap_order, 2) static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wStream* s, BOOL compressed, UINT16 flags) { @@ -2290,6 +2295,7 @@ BOOL update_write_cache_bitmap_order(wStream* s, const CACHE_BITMAP_ORDER* cache return TRUE; } +WINPR_ATTR_MALLOC(free_cache_bitmap_v2_order, 2) static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* update, wStream* s, BOOL compressed, UINT16 flags) { @@ -2466,6 +2472,8 @@ BOOL update_write_cache_bitmap_v2_order(wStream* s, CACHE_BITMAP_V2_ORDER* cache cache_bitmap_v2->compressed = compressed; return TRUE; } + +WINPR_ATTR_MALLOC(free_cache_bitmap_v3_order, 2) static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order(rdpUpdate* update, wStream* s, UINT16 flags) { @@ -2571,6 +2579,8 @@ BOOL update_write_cache_bitmap_v3_order(wStream* s, CACHE_BITMAP_V3_ORDER* cache Stream_Write(s, bitmapData->data, bitmapData->length); return TRUE; } + +WINPR_ATTR_MALLOC(free_cache_color_table_order, 2) static CACHE_COLOR_TABLE_ORDER* update_read_cache_color_table_order(rdpUpdate* update, wStream* s, UINT16 flags) { diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c index 42c4c21..fba9281 100644 --- a/libfreerdp/core/peer.c +++ b/libfreerdp/core/peer.c @@ -1532,6 +1532,7 @@ BOOL freerdp_peer_context_new_ex(freerdp_peer* client, const rdpSettings* settin if (!client) return FALSE; + WINPR_ASSERT(client->ContextSize >= sizeof(rdpContext)); if (!(context = (rdpContext*)calloc(1, client->ContextSize))) goto fail; diff --git a/libfreerdp/core/redirection.c b/libfreerdp/core/redirection.c index 8538a90..5343a07 100644 --- a/libfreerdp/core/redirection.c +++ b/libfreerdp/core/redirection.c @@ -243,7 +243,7 @@ static BOOL rdp_redirection_read_base64_wchar(UINT32 flag, wStream* s, UINT32* p const WCHAR* wchar = (const WCHAR*)ptr; size_t utf8_len = 0; - char* utf8 = ConvertWCharNToUtf8Alloc(wchar, *pLength, &utf8_len); + char* utf8 = ConvertWCharNToUtf8Alloc(wchar, *pLength / sizeof(WCHAR), &utf8_len); if (!utf8) goto fail; diff --git a/libfreerdp/core/test/CMakeLists.txt b/libfreerdp/core/test/CMakeLists.txt index ebd8fef..9b2e654 100644 --- a/libfreerdp/core/test/CMakeLists.txt +++ b/libfreerdp/core/test/CMakeLists.txt @@ -10,7 +10,9 @@ set(${MODULE_PREFIX}_TESTS TestSettings.c) set(FUZZERS - TestFuzzCryptoCertificateDataSetPEM.c + TestFuzzCoreClient.c + TestFuzzCoreServer.c + TestFuzzCryptoCertificateDataSetPEM.c ) if(WITH_SAMPLE AND WITH_SERVER AND NOT WIN32) @@ -34,7 +36,7 @@ add_definitions(-DTESTING_SRC_DIRECTORY="${PROJECT_SOURCE_DIR}") target_link_libraries(${MODULE_NAME} freerdp winpr freerdp-client) include (AddFuzzerTest) -add_fuzzer_test("${FUZZERS}" "freerdp winpr") +add_fuzzer_test("${FUZZERS}" "freerdp-client freerdp winpr") set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}") @@ -44,4 +46,3 @@ foreach(test ${${MODULE_PREFIX}_TESTS}) endforeach() set_property(TARGET ${MODULE_NAME} PROPERTY FOLDER "FreeRDP/Core/Test") - diff --git a/libfreerdp/core/test/TestFuzzCoreClient.c b/libfreerdp/core/test/TestFuzzCoreClient.c new file mode 100644 index 0000000..5c67497 --- /dev/null +++ b/libfreerdp/core/test/TestFuzzCoreClient.c @@ -0,0 +1,116 @@ +#include <freerdp/client.h> + +#include "../fastpath.h" +#include "../surface.h" +#include "../window.h" +#include "../info.h" +#include "../multitransport.h" + +static BOOL test_client(const uint8_t* Data, size_t Size) +{ + RDP_CLIENT_ENTRY_POINTS entry = { 0 }; + + entry.Version = RDP_CLIENT_INTERFACE_VERSION; + entry.Size = sizeof(RDP_CLIENT_ENTRY_POINTS_V1); + entry.ContextSize = sizeof(rdpContext); + + rdpContext* context = freerdp_client_context_new(&entry); + if (!context) + goto fail; + + rdpRdp* rdp = context->rdp; + WINPR_ASSERT(rdp); + + wStream sbuffer = { 0 }; + wStream* s = Stream_StaticConstInit(&sbuffer, Data, Size); + + { + rdpFastPath* fastpath = rdp->fastpath; + WINPR_ASSERT(fastpath); + + fastpath_recv_updates(fastpath, s); + fastpath_recv_inputs(fastpath, s); + + UINT16 length = 0; + fastpath_read_header_rdp(fastpath, s, &length); + fastpath_decrypt(fastpath, s, &length); + } + + { + UINT16 length = 0; + UINT16 flags = 0; + UINT16 channelId = 0; + UINT16 tpktLength = 0; + UINT16 remainingLength = 0; + UINT16 type = 0; + UINT16 securityFlags = 0; + UINT32 share_id = 0; + BYTE compressed_type = 0; + BYTE btype = 0; + UINT16 compressed_len = 0; + + rdp_recv_callback(rdp->transport, s, rdp); + rdp_read_security_header(rdp, s, &flags, &length); + rdp_read_header(rdp, s, &length, &channelId); + rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId); + rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type, + &compressed_len); + rdp_recv_enhanced_security_redirection_packet(rdp, s); + rdp_recv_out_of_sequence_pdu(rdp, s, type, length); + rdp_recv_message_channel_pdu(rdp, s, securityFlags); + } + { + rdpUpdate* update = rdp->update; + UINT16 channelId = 0; + UINT16 length = 0; + UINT16 pduSource = 0; + UINT16 pduLength = 0; + update_recv_order(update, s); + update_recv_altsec_window_order(update, s); + update_recv_play_sound(update, s); + update_recv_pointer(update, s); + update_recv_surfcmds(update, s); + rdp_recv_get_active_header(rdp, s, &channelId, &length); + rdp_recv_demand_active(rdp, s, pduSource, length); + rdp_recv_confirm_active(rdp, s, pduLength); + } + { + rdpNla* nla = nla_new(rdp->context, rdp->transport); + nla_recv_pdu(nla, s); + nla_free(nla); + } + { + rdp_recv_heartbeat_packet(rdp, s); + rdp->state = CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE; + rdp_recv_client_info(rdp, s); + rdp_recv_save_session_info(rdp, s); + } + { + freerdp_is_valid_mcs_create_request(Data, Size); + freerdp_is_valid_mcs_create_response(Data, Size); + } + { + multitransport_recv_request(rdp->multitransport, s); + multitransport_recv_response(rdp->multitransport, s); + } + { + autodetect_recv_request_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + autodetect_recv_response_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + } + { + rdp_recv_deactivate_all(rdp, s); + rdp_recv_server_synchronize_pdu(rdp, s); + rdp_recv_client_synchronize_pdu(rdp, s); + + rdp_recv_data_pdu(rdp, s); + rdp_recv_font_map_pdu(rdp, s); + } +fail: + freerdp_client_context_free(context); +} + +int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) +{ + test_client(Data, Size); + return 0; +} diff --git a/libfreerdp/core/test/TestFuzzCoreServer.c b/libfreerdp/core/test/TestFuzzCoreServer.c new file mode 100644 index 0000000..cd469f4 --- /dev/null +++ b/libfreerdp/core/test/TestFuzzCoreServer.c @@ -0,0 +1,108 @@ +#include <freerdp/peer.h> + +#include "../fastpath.h" +#include "../surface.h" +#include "../window.h" +#include "../info.h" +#include "../multitransport.h" + +static BOOL test_server(const uint8_t* Data, size_t Size) +{ + freerdp_peer* client = calloc(1, sizeof(freerdp_peer)); + if (!client) + goto fail; + client->ContextSize = sizeof(rdpContext); + if (!freerdp_peer_context_new(client)) + goto fail; + + WINPR_ASSERT(client->context); + rdpRdp* rdp = client->context->rdp; + WINPR_ASSERT(rdp); + + wStream sbuffer = { 0 }; + wStream* s = Stream_StaticConstInit(&sbuffer, Data, Size); + + { + rdpFastPath* fastpath = rdp->fastpath; + WINPR_ASSERT(fastpath); + + fastpath_recv_updates(fastpath, s); + fastpath_recv_inputs(fastpath, s); + + UINT16 length = 0; + fastpath_read_header_rdp(fastpath, s, &length); + fastpath_decrypt(fastpath, s, &length); + } + + { + UINT16 length = 0; + UINT16 flags = 0; + UINT16 channelId = 0; + UINT16 tpktLength = 0; + UINT16 remainingLength = 0; + UINT16 type = 0; + UINT16 securityFlags = 0; + UINT32 share_id = 0; + BYTE compressed_type = 0; + BYTE btype = 0; + UINT16 compressed_len = 0; + rdp_read_security_header(rdp, s, &flags, &length); + rdp_read_header(rdp, s, &length, &channelId); + rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId); + rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type, + &compressed_len); + rdp_recv_message_channel_pdu(rdp, s, securityFlags); + } + { + rdpUpdate* update = rdp->update; + UINT16 channelId = 0; + UINT16 length = 0; + UINT16 pduSource = 0; + UINT16 pduLength = 0; + update_recv_order(update, s); + update_recv_altsec_window_order(update, s); + update_recv_play_sound(update, s); + update_recv_pointer(update, s); + update_recv_surfcmds(update, s); + rdp_recv_get_active_header(rdp, s, &channelId, &length); + rdp_recv_demand_active(rdp, s, pduSource, length); + rdp_recv_confirm_active(rdp, s, pduLength); + } + { + rdpNla* nla = nla_new(rdp->context, rdp->transport); + nla_recv_pdu(nla, s); + nla_free(nla); + } + { + rdp_recv_heartbeat_packet(rdp, s); + rdp->state = CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE; + rdp_recv_client_info(rdp, s); + rdp_recv_save_session_info(rdp, s); + } + { + freerdp_is_valid_mcs_create_request(Data, Size); + freerdp_is_valid_mcs_create_response(Data, Size); + } + { + multitransport_recv_request(rdp->multitransport, s); + multitransport_recv_response(rdp->multitransport, s); + } + { + autodetect_recv_request_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + autodetect_recv_response_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + } + { + rdp_recv_deactivate_all(rdp, s); + rdp_recv_server_synchronize_pdu(rdp, s); + rdp_recv_client_synchronize_pdu(rdp, s); + } +fail: + freerdp_peer_context_free(client); + free(client); +} + +int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) +{ + test_server(Data, Size); + return 0; +} diff --git a/libfreerdp/core/update.c b/libfreerdp/core/update.c index cfc0abc..9e79863 100644 --- a/libfreerdp/core/update.c +++ b/libfreerdp/core/update.c @@ -2031,7 +2031,9 @@ static BOOL update_send_cache_brush(rdpContext* context, const CACHE_BRUSH_ORDER return FALSE; const size_t em = Stream_GetPosition(s); - WINPR_ASSERT(em > bm + 13); + if (em <= bm + 13) + return FALSE; + const size_t orderLength = (em - bm) - 13; WINPR_ASSERT(orderLength <= UINT16_MAX); Stream_SetPosition(s, bm); @@ -3299,6 +3301,9 @@ void update_free(rdpUpdate* update) MessageQueue_Free(up->queue); DeleteCriticalSection(&up->mux); + + if (up->us) + Stream_Free(up->us, TRUE); free(update); } } @@ -3328,7 +3333,9 @@ BOOL update_begin_paint(rdpUpdate* update) /* Reset the invalid regions, we start a new frame here. */ rdpGdi* gdi = update->context->gdi; - WINPR_ASSERT(gdi); + if (!gdi) + return FALSE; + if (gdi->hdc && gdi->primary && gdi->primary->hdc) { HGDI_WND hwnd = gdi->primary->hdc->hwnd; diff --git a/libfreerdp/crypto/privatekey.c b/libfreerdp/crypto/privatekey.c index 55379d4..9a6fb25 100644 --- a/libfreerdp/crypto/privatekey.c +++ b/libfreerdp/crypto/privatekey.c @@ -442,7 +442,7 @@ fail: return rc; } -char* freerdp_key_get_param(const rdpPrivateKey* key, enum FREERDP_KEY_PARAM param, size_t* plength) +BYTE* freerdp_key_get_param(const rdpPrivateKey* key, enum FREERDP_KEY_PARAM param, size_t* plength) { BYTE* buf = NULL; @@ -527,7 +527,7 @@ char* freerdp_key_get_param(const rdpPrivateKey* key, enum FREERDP_KEY_PARAM par fail: BN_free(bn); - return (char*)buf; + return buf; } WINPR_DIGEST_CTX* freerdp_key_digest_sign(rdpPrivateKey* key, WINPR_MD_TYPE digest) diff --git a/libfreerdp/crypto/privatekey.h b/libfreerdp/crypto/privatekey.h index 418abf5..b423c9a 100644 --- a/libfreerdp/crypto/privatekey.h +++ b/libfreerdp/crypto/privatekey.h @@ -52,7 +52,7 @@ extern "C" */ FREERDP_LOCAL EVP_PKEY* freerdp_key_get_evp_pkey(const rdpPrivateKey* key); - FREERDP_LOCAL char* freerdp_key_get_param(const rdpPrivateKey* key, + FREERDP_LOCAL BYTE* freerdp_key_get_param(const rdpPrivateKey* key, enum FREERDP_KEY_PARAM param, size_t* plength); FREERDP_LOCAL WINPR_DIGEST_CTX* freerdp_key_digest_sign(rdpPrivateKey* key, diff --git a/libfreerdp/emu/scard/smartcard_emulate.c b/libfreerdp/emu/scard/smartcard_emulate.c index d517bd6..6e21f17 100644 --- a/libfreerdp/emu/scard/smartcard_emulate.c +++ b/libfreerdp/emu/scard/smartcard_emulate.c @@ -38,8 +38,8 @@ #define MAX_CACHE_ITEM_SIZE 4096 #define MAX_CACHE_ITEM_VALUES 4096 -static const CHAR g_ReaderNameA[] = { 'F', 'r', 'e', 'e', 'R', 'D', 'P', ' ', 'E', - 'm', 'u', 'l', 'a', 't', 'o', 'r', '\0', '\0' }; +static CHAR g_ReaderNameA[] = { 'F', 'r', 'e', 'e', 'R', 'D', 'P', ' ', 'E', + 'm', 'u', 'l', 'a', 't', 'o', 'r', '\0', '\0' }; static INIT_ONCE g_ReaderNameWGuard = INIT_ONCE_STATIC_INIT; static WCHAR g_ReaderNameW[32] = { 0 }; static size_t g_ReaderNameWLen = 0; diff --git a/libfreerdp/gdi/test/TestGdiCreate.c b/libfreerdp/gdi/test/TestGdiCreate.c index c71b396..e6594ea 100644 --- a/libfreerdp/gdi/test/TestGdiCreate.c +++ b/libfreerdp/gdi/test/TestGdiCreate.c @@ -124,7 +124,7 @@ fail: if (hBitmap) gdi_DeleteObject((HGDIOBJECT)hBitmap); else - free(data); + winpr_aligned_free(data); return rc; } diff --git a/libfreerdp/primitives/test/TestPrimitivesYCoCg.c b/libfreerdp/primitives/test/TestPrimitivesYCoCg.c index 318aec6..10a8754 100644 --- a/libfreerdp/primitives/test/TestPrimitivesYCoCg.c +++ b/libfreerdp/primitives/test/TestPrimitivesYCoCg.c @@ -76,7 +76,7 @@ static BOOL test_YCoCgRToRGB_8u_AC4R_func(UINT32 width, UINT32 height) if (c != sse) { - printf("optimized->YCoCgRToRGB FAIL[%s] [%" PRIu32 "]: 0x%08" PRIx32 + printf("optimized->YCoCgRToRGB FAIL[%s] [%" PRIuz "]: 0x%08" PRIx32 " -> C 0x%08" PRIx32 " vs optimized 0x%08" PRIx32 "\n", formatName, i, in[i + 1], c, sse); status = -1; |