rdesktop 1.8.1 Bugs
From: Wheatley, Martin R
Subject: rdesktop 1.8.1 Bugs
Date: Fri, 31 Jan 2014 10:05:52 GMT

We're investigating two core dumps; both in ui_create_cursor()...

    000209c4 ui_create_cursor (11, fffffffc, 0, 7c, 266315, 265b15) + 1dc
    00032908 ???????? (a0324, 10, 0, 265b03, 265b15, 266315)
    0003cb50 rdp5_process (a0324, 0, ffffffff, fffffff8, a0324, 0) + 19c
    00031f80 ???????? (0, 3eb, ffff80, 0, 265aa1, 22ec00)
    00033124 rdp_loop (ffbfebc0, ffbfebbc, 5b800, 13, 6, 58) + 18
    000347a0 rdp_main_loop (ffbfebc0, ffbfebbc, ffbfee50, ffbfee10, 40, 1) + c
    00019dac main (0, 0, 5c000, ffbfec10, ffbfef90, ffbfee10) + 584
    000185a0 _start (0, 0, 0, 0, 0, 0) + 5c

In process_colour_pointer_common() in rdp.c I think that the sanitizing
of 'x' and 'y'...

    x = MAX(x, 0);
    x = MIN(x, width - 1);
    y = MAX(y, 0);
    y = MIN(y, height - 1);

should be...

    x = MIN(x, width - 1);
    x = MAX(x, 0);
    y = MIN(y, height - 1);
    y = MAX(y, 0);

to protect against 'width' and 'height' being zero - which currently
results in 'x' and/or 'y' going -ve.

Should there also be some protection against invalid/illegal
values for 'width' and 'height' before they are used...?

    width = MIN( width , 1 );
    height = MIN( height , 1 );

NB: Including the 'width' and 'height' protection means the existing 'x' and 'y'
protection is okay.

regards
Martin Wheatley
+-----------------------------------------------------------------------+
| Martin Wheatley | Voice : +44-(0)1235-464784 |
| CODAS & IT Department | FAX : +44-(0)1235-464404 |
| Culham Centre for Fusion Energy | E-mail : address@hidden |
| Culham Science Centre |-------------------------------------|
| Abingdon, Oxfordshire | |
| OX14 3DB | |
| United Kingdom | WWW.CCFE.AC.UK |
+-----------------------------------------------------------------------+
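
The clamp-order problem described in the message above, as an added example that is not part of the original post or of the rdesktop source. It assumes plain `int` values (the real variable types in rdp.c are not shown in the message), the helper names are hypothetical, and the dimension floor is written as `MAX(dim, 1)` because a lower bound needs MAX.

```c
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Order quoted in the message as the existing code: floor first, then cap.
 * With dim == 0 the cap is -1, so the result ends up negative. */
static int clamp_max_then_min(int v, int dim)
{
	v = MAX(v, 0);
	v = MIN(v, dim - 1);
	return v;
}

/* Order proposed in the message: cap first, then floor at 0.
 * The floor is applied last, so the result can never be negative. */
static int clamp_min_then_max(int v, int dim)
{
	v = MIN(v, dim - 1);
	v = MAX(v, 0);
	return v;
}

/* Hypothetical helper: force a dimension to be at least 1 before use,
 * so that dim - 1 is never below 0. */
static int sanitize_dim(int dim)
{
	return MAX(dim, 1);
}

int main(void)
{
	/* Constructed sample inputs: { coordinate, dimension } */
	static const int samples[][2] = { {5, 0}, {-3, 0}, {40, 32}, {5, 32} };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int v = samples[i][0], dim = samples[i][1];

		printf("v=%3d dim=%2d  max-then-min=%3d  min-then-max=%3d  "
		       "floored-dim=%3d\n", v, dim,
		       clamp_max_then_min(v, dim),
		       clamp_min_then_max(v, dim),
		       clamp_max_then_min(v, sanitize_dim(dim)));
	}
	return 0;
}
```
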