From 3c95a2aef2c7b9f3632df4229ce8b807aa79d8a7 Mon Sep 17 00:00:00 2001
From: Jay Sorg
Date: Tue, 18 Oct 2016 11:09:09 -0700
Subject: [PATCH] rail, text length checks
---
 libxrdp/xrdp_orders_rail.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/libxrdp/xrdp_orders_rail.c b/libxrdp/xrdp_orders_rail.c
index 9bbd9e12..68a5d2fa 100644
--- a/libxrdp/xrdp_orders_rail.c
+++ b/libxrdp/xrdp_orders_rail.c
@@ -195,15 +195,18 @@ xrdp_orders_send_as_unicode(struct stream *s, const char *text)
 int str_chars;
 int index;
 int i32;
- twchar wdst[256];
-
- str_chars = g_mbstowcs(wdst, text, 255);
+ twchar *wdst;
+ wdst = (twchar *) g_malloc(sizeof(twchar) * 64 * 1024, 1);
+ if (wdst == 0)
+ {
+ return 1;
+ }
+ str_chars = g_mbstowcs(wdst, text, 2 * 1024);
 if (str_chars > 0)
 {
 i32 = str_chars * 2;
 out_uint16_le(s, i32);
-
 for (index = 0; index < str_chars; index++)
 {
 i32 = wdst[index];
@@ -214,7 +217,7 @@ xrdp_orders_send_as_unicode(struct stream *s, const char *text)
 {
 out_uint16_le(s, 0);
 }
-
+ g_free(wdst);
 return 0;
 }
@@ -260,6 +263,7 @@ xrdp_orders_send_window_new_update(struct xrdp_orders *self, int window_id,
 {
 /* titleInfo */
 num_chars = g_mbstowcs(0, window_state->title_info, 0);
+ num_chars = MIN(num_chars, 2 * 1024);
 order_size += 2 * num_chars + 2;
 }
@@ -536,6 +540,7 @@ xrdp_orders_send_notify_new_update(struct xrdp_orders *self,
 {
 /* ToolTip (variable) UNICODE_STRING */
 num_chars = g_mbstowcs(0, notify_state->tool_tip, 0);
+ num_chars = MIN(num_chars, 2 * 1024);
 order_size += 2 * num_chars + 2;
 }
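Review bot: The buffer in xrdp_orders_send_as_unicode is allocated for 64 * 1024 wide characters while the conversion right after it is capped at 2 * 1024, so every call requests 32 times more memory than the copy loop can ever read. Sizing it to the cap, `wdst = (twchar *) g_malloc(sizeof(twchar) * 2 * 1024, 1);`, with that cap held in one named constant, keeps the two numbers from drifting apart. The new `return 1;` path also leaves without writing the two-byte length field that the zero-length branch later in the function writes. The callers are outside this hunk, so whether they check the return value is not visible; if they do not, the stream ends up shorter than the order_size they computed.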
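Review bot: The clamp added after `g_mbstowcs(0, window_state->title_info, 0)` bounds num_chars only from above. If g_mbstowcs can return a negative value for an undecodable string (its implementation is not on this page), `order_size += 2 * num_chars + 2` adds 0 while xrdp_orders_send_as_unicode still writes a two-byte zero length, so the computed size and the bytes written disagree. A lower bound next to the new line, `if (num_chars < 0) { num_chars = 0; }`, would close that; the same applies to the tool_tip hunk at -536 and to both infotip strings in the hunk at -544. The literal `2 * 1024` now has to match the limit passed to g_mbstowcs in xrdp_orders_send_as_unicode across five places, which a single named constant would make harder to break. The enclosing functions start and end outside these hunks.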
@@ -544,9 +549,11 @@ xrdp_orders_send_notify_new_update(struct xrdp_orders *self,
 /* InfoTip (variable) TS_NOTIFY_ICON_INFOTIP */
 /* UNICODE_STRING */
 num_chars = g_mbstowcs(0, notify_state->infotip.title, 0);
+ num_chars = MIN(num_chars, 2 * 1024);
 order_size += 2 * num_chars + 2;
 /* UNICODE_STRING */
 num_chars = g_mbstowcs(0, notify_state->infotip.text, 0);
+ num_chars = MIN(num_chars, 2 * 1024);
 order_size += 2 * num_chars + 2;
 /* Timeout (4 bytes) */
 /* InfoFlags (4 bytes) */