From 33d9e1d5d7f3ba9a6826b45f80818d8094a5072b Mon Sep 17 00:00:00 2001
From: Alexandre Quesnel <131881+aquesnel@users.noreply.github.com>
Date: Sun, 23 Aug 2020 23:02:50 +0000
Subject: [PATCH] Adding checks to prevent buffer overruns during data chunk re-assembly
---
 libxrdp/xrdp_channel.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libxrdp/xrdp_channel.c b/libxrdp/xrdp_channel.c
index 9662582e..125ac085 100644
--- a/libxrdp/xrdp_channel.c
+++ b/libxrdp/xrdp_channel.c
@@ -463,6 +463,10 @@ xrdp_channel_process_drdynvc(struct xrdp_channel *self,
 {
 case 0:
 length = (int) (s->end - s->p);
+ if (!s_check_rem_out(self->s, length))
+ {
+ return 1;
+ }
 out_uint8a(self->s, s->p, length);
 in_uint8s(s, length);
 return 0;
@@ -471,11 +475,19 @@ xrdp_channel_process_drdynvc(struct xrdp_channel *self,
 make_stream(self->s);
 init_stream(self->s, total_length);
 length = (int) (s->end - s->p);
+ if (!s_check_rem_out(self->s, length))
+ {
+ return 1;
+ }
 out_uint8a(self->s, s->p, length);
 in_uint8s(s, length);
 return 0;
 case 2:
 length = (int) (s->end - s->p);
+ if (!s_check_rem_out(self->s, length))
+ {
+ return 1;
+ }
 out_uint8a(self->s, s->p, length);
 in_uint8s(s, length);
 ls = self->s;
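Review bot: In `case 0` (first hunk) and `case 2` (second hunk) the new `s_check_rem_out(self->s, length)` reads through `self->s`, but only the branch starting at `make_stream(self->s)` visibly allocates that stream. If a continuation or final chunk can arrive before any first chunk, and nothing outside the hunk rejects that case, the added check itself would read through an unset pointer. I would fold the state check into the guard in those two branches: `if (self->s == NULL || !s_check_rem_out(self->s, length))`. The three new `return 1;` paths are also silent, so a one-line log of the rejected chunk (length and remaining space) would make malformed or hostile clients visible to operators. The function body starts and ends outside both hunks, so an earlier NULL check may already exist.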
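Review bot: In the second hunk, the check added after `init_stream(self->s, total_length)` is only as strong as the size that call recorded, and the hunk shows neither where `total_length` is validated nor whether the allocation is checked. If `total_length` comes from the peer's PDU header, it should be range-checked (positive and capped at a sane maximum) before `init_stream`, and a failed allocation should take the same `return 1;` path. Otherwise the bounds test may compare against a size with no buffer behind it. I would at least add a comment above `init_stream`, such as `/* total_length is peer-supplied: validated at <location> */`, so the assumption the new check depends on is documented.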