From 36c17767b7b40766f16db0e88dfbeaa9de77c565 Mon Sep 17 00:00:00 2001
From: speidy
Date: Wed, 18 May 2016 00:20:41 -0400
Subject: [PATCH] libxrdp: in CS_MONITOR, validate virtual desktop size we got from client
---
 libxrdp/xrdp_sec.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 3e9cef66..fd8dfa36 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1969,6 +1969,13 @@ xrdp_sec_process_mcs_data_monitors(struct xrdp_sec *self, struct stream *s)
 client_info->width = (x2 - x1) + 1;
 client_info->height = (y2 - y1) + 1;
 }
+ /* make sure virtual desktop size is ok */
+ if ((client_info->width > 0x7FFE && client_info->width < 0xC8) ||
+ (client_info->height > 0x7FFE && client_info->height < 0xC8))
+ {
+ LLOGLN(0, ("[ERROR] xrdp_sec_process_mcs_data_monitors: error, virtual desktop width / height is too large"));
+ return 1; /* error */
+ }
 
 /* keep a copy of non negative monitor info values for xrdp_wm usage */
 for (index = 0; index < monitorCount; index++)
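Review bot: The added size check can never be true, so the client-supplied virtual desktop size is still accepted unvalidated: `client_info->width > 0x7FFE && client_info->width < 0xC8` requires a value that is at once above 32766 and below 200, and the height clause has the same shape. Each bound needs to be tested on its own, e.g. `if (client_info->width > 0x7FFE || client_info->width < 0xC8 || client_info->height > 0x7FFE || client_info->height < 0xC8)`. Since that condition also rejects desktops that are too small, the log text would read better as "width / height is out of range" than "is too large". The check runs after `client_info->width` and `client_info->height` have already been assigned, so a caller that continues after the error return would still see the rejected values; the rest of the function is outside the hunk, so confirm how the return value is handled.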