From 0fbbc47092e4e1f5965bb2056e86c51a709bc369 Mon Sep 17 00:00:00 2001
From: Jay Sorg
Date: Thu, 7 Nov 2019 02:03:57 +0000
Subject: [PATCH] cleanup refresh rect and check stream bounds
---
 common/xrdp_constants.h | 1 +
 libxrdp/xrdp_rdp.c | 42 +++++++++++++++++++++++++++++------------
 2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/common/xrdp_constants.h b/common/xrdp_constants.h
index e3ae5517..28a2608e 100644
--- a/common/xrdp_constants.h
+++ b/common/xrdp_constants.h
@@ -543,6 +543,7 @@
 #define RDP_DATA_PDU_POINTER 27
 #define RDP_DATA_PDU_INPUT 28
 #define RDP_DATA_PDU_SYNCHRONISE 31
+#define PDUTYPE2_REFRESH_RECT 33
 #define RDP_DATA_PDU_PLAY_SOUND 34
 #define RDP_DATA_PDU_LOGON 38
 #define RDP_DATA_PDU_FONT2 39
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 319bac23..351e3674 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -1044,9 +1044,12 @@ xrdp_rdp_process_data_sync(struct xrdp_rdp *self)
 }
 /*****************************************************************************/
+/* 2.2.11.2.1 Refresh Rect PDU Data (TS_REFRESH_RECT_PDU) */
 static int
 xrdp_rdp_process_screen_update(struct xrdp_rdp *self, struct stream *s)
 {
+ int index;
+ int num_rects;
 int left;
 int top;
 int right;
@@ -1054,19 +1057,34 @@ xrdp_rdp_process_screen_update(struct xrdp_rdp *self, struct stream *s)
 int cx;
 int cy;
- in_uint8s(s, 4); /* op */
- in_uint16_le(s, left);
- in_uint16_le(s, top);
- in_uint16_le(s, right);
- in_uint16_le(s, bottom);
- cx = (right - left) + 1;
- cy = (bottom - top) + 1;
-
- if (self->session->callback != 0)
+ if (!s_check_rem(s, 4))
 {
- self->session->callback(self->session->id, 0x4444, left, top, cx, cy);
+ return 1;
+ }
+ in_uint8(s, num_rects);
+ in_uint8s(s, 3); /* pad */
+ g_writeln("xrdp_rdp_process_screen_update: num_rects %d", num_rects);
+ for (index = 0; index < num_rects; index++)
+ {
+ if (!s_check_rem(s, 8))
+ {
+ return 1;
+ }
+ /* Inclusive Rectangle (TS_RECTANGLE16) */
+ in_uint16_le(s, left);
+ in_uint16_le(s, top);
+ in_uint16_le(s, right);
+ in_uint16_le(s, bottom);
+ g_writeln(" left %d top %d right %d bottom %d",
+ left, top, right, bottom);
+ cx = (right - left) + 1;
+ cy = (bottom - top) + 1;
+ if (self->session->callback != 0)
+ {
+ self->session->callback(self->session->id, 0x4444,
+ left, top, cx, cy);
+ }
 }
-
 return 0;
 }
@@ -1307,7 +1325,7 @@ xrdp_rdp_process_data(struct xrdp_rdp *self, struct stream *s)
 case RDP_DATA_PDU_SYNCHRONISE: /* 31(0x1f) */
 xrdp_rdp_process_data_sync(self);
 break;
- case 33: /* 33(0x21) ?? Invalidate an area I think */
+ case PDUTYPE2_REFRESH_RECT:
 xrdp_rdp_process_screen_update(self, s);
 break;
 case 35: /* 35(0x23) PDUTYPE2_SUPPRESS_OUTPUT */
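Review bot: The rectangle loop in xrdp_rdp_process_screen_update bounds-checks the stream but not the values it reads: when the peer sends `right < left` or `bottom < top`, `cx`/`cy` come out zero or negative and are still handed to the 0x4444 callback. Whether the callback tolerates that is not visible here, so I would skip such rectangles before the call, e.g. `if (right < left || bottom < top) { continue; }`. The two added `g_writeln` calls are unconditional, so every Refresh Rect PDU writes one log line plus one per rectangle, and `num_rects` is a byte taken from the client; they read like debug output and should be dropped or moved behind the project's debug-only logging so a peer cannot drive log volume. The function's signature and first declarations are in the previous hunk.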
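Review bot: The call `xrdp_rdp_process_screen_update(self, s);` under `case PDUTYPE2_REFRESH_RECT:` discards the return value, so the `return 1` this commit adds for a truncated PDU never reaches the caller of xrdp_rdp_process_data. The neighbouring `xrdp_rdp_process_data_sync(self);` call is written the same way and the rest of the switch lies outside the hunk, so this may be the file's convention; if a malformed PDU is meant to end the session the result should be checked here, otherwise a short comment such as `/* malformed PDU is ignored on purpose */` would make the intent explicit. The adjacent `case 35:` still uses a bare literal with its name only in a comment, which is the same cleanup this line just received.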