{ "metadata": { "source_file": "primevul_valid_grouped.json", "filter_min_depth": 3, "filter_max_depth": 5, "original_groups": 4777, "filtered_groups": 198, "total_functions": 2181, "depth_distribution": { "25": 1, "1": 4057, "14": 3, "13": 1, "5": 13, "2": 489, "6": 16, "3": 135, "4": 50, "7": 6, "8": 2, "12": 2, "11": 1, "10": 1 } }, "groups": [ { "call_depth": 5, "longest_call_chain": [ "msusb_msconfig_read", "msusb_msinterface_read_list", "msusb_msinterface_read", "msusb_mspipes_read", "msusb_mspipe_new" ], "group_size": 14, "functions": [ { "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) < 12 * NumberOfPipes)\n\t\treturn NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 43522950749896036127664697861930743417, "size": 43, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 1, "dataset": "other", "idx": 205671 }, { "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) / 12 < NumberOfPipes)\n\t\treturn NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 327097256253608261746407166636662999864, "size": 43, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370198 }, { "func": "static void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface)\n{\n\tif (MsInterface)\n\t{\n\t\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t\tMsInterface->MsPipes = NULL;\n\t\tfree(MsInterface);\n\t}\n}", "project": "FreeRDP", "hash": 111719313818634845962432534061650784720, "size": 9, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370195 }, { "func": "static MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_new()\n{\n\treturn (MSUSB_INTERFACE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_INTERFACE_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 195102358277270166636371095078324614685, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370190 }, { "func": "static MSUSB_PIPE_DESCRIPTOR* msusb_mspipe_new()\n{\n\treturn (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 286269363881544208550715036997896416778, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370185 }, { "func": "static void msusb_mspipes_free(MSUSB_PIPE_DESCRIPTOR** MsPipes, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum = 0;\n\n\tif (MsPipes)\n\t{\n\t\tfor (pnum = 0; pnum < NumberOfPipes && MsPipes[pnum]; pnum++)\n\t\t\tfree(MsPipes[pnum]);\n\n\t\tfree(MsPipes);\n\t}\n}", "project": "FreeRDP", "hash": 298850235727179719739936200735090397102, "size": 12, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370194 }, { "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_new(void)\n{\n\treturn (MSUSB_CONFIG_DESCRIPTOR*)calloc(1, sizeof(MSUSB_CONFIG_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 116475666787466662372093513378582272026, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370189 }, { "func": "BOOL msusb_msinterface_replace(MSUSB_CONFIG_DESCRIPTOR* MsConfig, BYTE InterfaceNumber,\n MSUSB_INTERFACE_DESCRIPTOR* NewMsInterface)\n{\n\tif (!MsConfig || !MsConfig->MsInterfaces)\n\t\treturn FALSE;\n\n\tmsusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]);\n\tMsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 163043333955182832460253605601479340365, "size": 10, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370192 }, { "func": "static MSUSB_INTERFACE_DESCRIPTOR** msusb_msinterface_read_list(wStream* s, UINT32 NumInterfaces)\n{\n\tUINT32 inum;\n\tMSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;\n\tMsInterfaces =\n\t (MSUSB_INTERFACE_DESCRIPTOR**)calloc(NumInterfaces, sizeof(MSUSB_INTERFACE_DESCRIPTOR*));\n\n\tif (!MsInterfaces)\n\t\treturn NULL;\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t{\n\t\tMsInterfaces[inum] = msusb_msinterface_read(s);\n\n\t\tif (!MsInterfaces[inum])\n\t\t\tgoto fail;\n\t}\n\n\treturn MsInterfaces;\nfail:\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\n\tfree(MsInterfaces);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 301570211779473080394701095071166755889, "size": 27, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370184 }, { "func": "static void msusb_msinterface_free_list(MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces,\n UINT32 NumInterfaces)\n{\n\tUINT32 inum = 0;\n\n\tif (MsInterfaces)\n\t{\n\t\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\t{\n\t\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\t\t}\n\n\t\tfree(MsInterfaces);\n\t}\n}", "project": "FreeRDP", "hash": 255545382072794521231443556625399604321, "size": 15, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370196 }, { "func": "void msusb_msconfig_free(MSUSB_CONFIG_DESCRIPTOR* MsConfig)\n{\n\tif (MsConfig)\n\t{\n\t\tmsusb_msinterface_free_list(MsConfig->MsInterfaces, MsConfig->NumInterfaces);\n\t\tMsConfig->MsInterfaces = NULL;\n\t\tfree(MsConfig);\n\t}\n}", "project": "FreeRDP", "hash": 247496999087104528986755682952452432422, "size": 9, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370186 }, { "func": "BOOL msusb_mspipes_replace(MSUSB_INTERFACE_DESCRIPTOR* MsInterface,\n MSUSB_PIPE_DESCRIPTOR** NewMsPipes, UINT32 NewNumberOfPipes)\n{\n\tif (!MsInterface || !NewMsPipes)\n\t\treturn FALSE;\n\n\t/* free orignal MsPipes */\n\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t/* And replace it */\n\tMsInterface->MsPipes = NewMsPipes;\n\tMsInterface->NumberOfPipes = NewNumberOfPipes;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 272826545862192184139368934588135834022, "size": 13, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370188 }, { "func": "MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s)\n{\n\tMSUSB_INTERFACE_DESCRIPTOR* MsInterface;\n\n\tif (Stream_GetRemainingCapacity(s) < 12)\n\t\treturn NULL;\n\n\tMsInterface = msusb_msinterface_new();\n\n\tif (!MsInterface)\n\t\treturn NULL;\n\n\tStream_Read_UINT16(s, MsInterface->Length);\n\tStream_Read_UINT16(s, MsInterface->NumberOfPipesExpected);\n\tStream_Read_UINT8(s, MsInterface->InterfaceNumber);\n\tStream_Read_UINT8(s, MsInterface->AlternateSetting);\n\tStream_Seek(s, 2);\n\tStream_Read_UINT32(s, MsInterface->NumberOfPipes);\n\tMsInterface->InterfaceHandle = 0;\n\tMsInterface->bInterfaceClass = 0;\n\tMsInterface->bInterfaceSubClass = 0;\n\tMsInterface->bInterfaceProtocol = 0;\n\tMsInterface->InitCompleted = 0;\n\tMsInterface->MsPipes = NULL;\n\n\tif (MsInterface->NumberOfPipes > 0)\n\t{\n\t\tMsInterface->MsPipes = msusb_mspipes_read(s, MsInterface->NumberOfPipes);\n\n\t\tif (!MsInterface->MsPipes)\n\t\t\tgoto out_error;\n\t}\n\n\treturn MsInterface;\nout_error:\n\tmsusb_msinterface_free(MsInterface);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 315713004236029849064051996144827842346, "size": 38, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370197 }, { "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_read(wStream* s, UINT32 NumInterfaces)\n{\n\tMSUSB_CONFIG_DESCRIPTOR* MsConfig;\n\tBYTE lenConfiguration, typeConfiguration;\n\n\tif (Stream_GetRemainingCapacity(s) < 6ULL + NumInterfaces * 2ULL)\n\t\treturn NULL;\n\n\tMsConfig = msusb_msconfig_new();\n\n\tif (!MsConfig)\n\t\tgoto fail;\n\n\tMsConfig->MsInterfaces = msusb_msinterface_read_list(s, NumInterfaces);\n\n\tif (!MsConfig->MsInterfaces)\n\t\tgoto fail;\n\n\tStream_Read_UINT8(s, lenConfiguration);\n\tStream_Read_UINT8(s, typeConfiguration);\n\n\tif (lenConfiguration != 0x9 || typeConfiguration != 0x2)\n\t{\n\t\tWLog_ERR(TAG, \"len and type must be 0x9 and 0x2 , but it is 0x%\" PRIx8 \" and 0x%\" PRIx8 \"\",\n\t\t lenConfiguration, typeConfiguration);\n\t\tgoto fail;\n\t}\n\n\tStream_Read_UINT16(s, MsConfig->wTotalLength);\n\tStream_Seek(s, 1);\n\tStream_Read_UINT8(s, MsConfig->bConfigurationValue);\n\tMsConfig->NumInterfaces = NumInterfaces;\n\treturn MsConfig;\nfail:\n\tmsusb_msconfig_free(MsConfig);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 5241623909507677207100469971939005727, "size": 37, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370187 } ] }, { "call_depth": 5, "longest_call_chain": [ "rdp_send_confirm_active", "rdp_write_confirm_active", "rdp_print_capability_sets", "rdp_print_bitmap_codecs_capability_set", "rdp_read_bitmap_codec_guid" ], "group_size": 112, "functions": [ { "func": "static BOOL rdp_write_remote_programs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 railSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\trailSupportLevel = RAIL_LEVEL_SUPPORTED;\n\n\tif (settings->RemoteApplicationSupportLevel & RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED)\n\t{\n\t\tif (settings->RemoteAppLanguageBarSupported)\n\t\t\trailSupportLevel |= RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED;\n\t}\n\n\trailSupportLevel |= RAIL_LEVEL_SHELL_INTEGRATION_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_LANGUAGE_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_SERVER_TO_CLIENT_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HIDE_MINIMIZED_APPS_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_WINDOW_CLOAKING_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\t/* Mask out everything the server does not support. */\n\trailSupportLevel &= settings->RemoteApplicationSupportLevel;\n\tStream_Write_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_RAIL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 193709063470865603451783243875991335784, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409659 }, { "func": "static BOOL rdp_print_font_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 fontSupportFlags = 0;\n\tUINT16 pad2Octets = 0;\n\tWLog_INFO(TAG, \"FontCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length > 4)\n\t\tStream_Read_UINT16(s, fontSupportFlags); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\n\tWLog_INFO(TAG, \"\\tfontSupportFlags: 0x%04\" PRIX16 \"\", fontSupportFlags);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 287219390919017726670088650927058088376, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409619 }, { "func": "static BOOL rdp_read_glyph_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 290575542386525663549333405388088029038, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409625 }, { "func": "static BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCapabilities,\n UINT16 totalLength)\n{\n\tBOOL treated;\n\tsize_t start, end, len;\n\tUINT16 count = numberCapabilities;\n\n\tstart = Stream_GetPosition(s);\n\twhile (numberCapabilities > 0 && Stream_GetRemainingLength(s) >= 4)\n\t{\n\t\tUINT16 type;\n\t\tUINT16 length;\n\t\tBYTE* em;\n\t\tBYTE* bm = Stream_Pointer(s);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\n\t\tif (type < 32)\n\t\t{\n\t\t\tsettings->ReceivedCapabilities[type] = TRUE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tWLog_WARN(TAG, \"not handling capability type %\" PRIu16 \" yet\", type);\n\t\t}\n\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) + 4 < ((size_t)length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\ttreated = TRUE;\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_read_general_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_read_bitmap_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_read_order_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_read_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_INPUT:\n\t\t\t\tif (!rdp_read_input_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_read_virtual_channel_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_read_share_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif (!rdp_read_color_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_read_font_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_read_draw_gdiplus_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_read_remote_programs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif (!rdp_read_window_list_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif (!rdp_read_multifragment_update_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_read_large_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_read_desktop_composition_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_read_surface_commands_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_read_bitmap_codecs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_read_frame_acknowledge_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_read_bitmap_cache_v3_codec_id_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\ttreated = FALSE;\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (!treated)\n\t\t{\n\t\t\tif (settings->ServerMode)\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the client */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_v2_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\t\t\tif (!rdp_read_brush_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\t\t\tif (!rdp_read_glyph_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\t\t\tif (!rdp_read_offscreen_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\t\t\tif (!rdp_read_sound_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\t\t\tif (!rdp_read_control_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\t\t\tif (!rdp_read_window_activation_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\t\t\tif (!rdp_read_draw_nine_grid_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from client\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the server */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_host_support_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from server\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, Stream_Pointer(s) - bm, em - bm);\n\t\t\tStream_SetPointer(s, em);\n\t\t}\n\n\t\tnumberCapabilities--;\n\t}\n\n\tend = Stream_GetPosition(s);\n\tlen = end - start;\n\n\tif (numberCapabilities)\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"strange we haven't read the number of announced capacity sets, read=%d \"\n\t\t \"expected=%\" PRIu16 \"\",\n\t\t count - numberCapabilities, count);\n\t}\n\n#ifdef WITH_DEBUG_CAPABILITIES\n\t{\n\t\tStream_SetPosition(s, start);\n\t\tnumberCapabilities = count;\n\t\trdp_print_capability_sets(s, numberCapabilities, TRUE);\n\t\tStream_SetPosition(s, end);\n\t}\n#endif\n\n\tif (len > totalLength)\n\t{\n\t\tWLog_ERR(TAG, \"Capability length expected %\" PRIu16 \", actual %\" PRIdz, totalLength, len);\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 67779701891338520668353647467913614405, "size": 280, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409685 }, { "func": "static BOOL rdp_read_color_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* colorTableCacheSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 170743954534991278023661558618450335809, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409683 }, { "func": "static void rdp_write_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tinfo = (cellInfo->numEntries | (cellInfo->persistent << 31));\n\tStream_Write_UINT32(s, info);\n}", "project": "FreeRDP", "hash": 315141264147868383992564277570837036722, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409626 }, { "func": "static BOOL rdp_read_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 offscreenSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\n\tif (offscreenSupportLevel & TRUE)\n\t\tsettings->OffscreenSupportLevel = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 62983332440671309324742543335528050053, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409615 }, { "func": "static BOOL rdp_write_color_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 6); /* colorTableCacheSize (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_COLOR_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 278164959863837085932912697446259628534, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409652 }, { "func": "static BOOL rdp_print_window_activation_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 helpKeyFlag;\n\tUINT16 helpKeyIndexFlag;\n\tUINT16 helpExtendedKeyFlag;\n\tUINT16 windowManagerKeyFlag;\n\tWLog_INFO(TAG, \"WindowActivationCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, helpKeyFlag); /* helpKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpKeyIndexFlag); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpExtendedKeyFlag); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, windowManagerKeyFlag); /* windowManagerKeyFlag (2 bytes) */\n\tWLog_INFO(TAG, \"\\thelpKeyFlag: 0x%04\" PRIX16 \"\", helpKeyFlag);\n\tWLog_INFO(TAG, \"\\thelpKeyIndexFlag: 0x%04\" PRIX16 \"\", helpKeyIndexFlag);\n\tWLog_INFO(TAG, \"\\thelpExtendedKeyFlag: 0x%04\" PRIX16 \"\", helpExtendedKeyFlag);\n\tWLog_INFO(TAG, \"\\twindowManagerKeyFlag: 0x%04\" PRIX16 \"\", windowManagerKeyFlag);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 153479571757899139175602773326518312374, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409628 }, { "func": "static BOOL rdp_print_remote_programs_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 railSupportLevel;\n\tWLog_INFO(TAG, \"RemoteProgramsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\trailSupportLevel: 0x%08\" PRIX32 \"\", railSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 72639172899165116266830345752544775949, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409587 }, { "func": "BOOL rdp_send_demand_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\trdp->settings->ShareId = 0x10000 + rdp->mcs->userId;\n\tstatus = rdp_write_demand_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_DEMAND_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}", "project": "FreeRDP", "hash": 205696353185449835056499661961516775413, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409586 }, { "func": "static BOOL rdp_read_window_list_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 67896909242570986520479535524505651635, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409665 }, { "func": "static BOOL rdp_write_rfx_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 captureFlags;\n\tBYTE codecMode;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tcaptureFlags = settings->RemoteFxOnly ? 0 : CARDP_CAPS_CAPTURE_NON_CAC;\n\tcodecMode = settings->RemoteFxCodecMode;\n\tStream_Write_UINT16(s, 49); /* codecPropertiesLength */\n\t/* TS_RFX_CLNT_CAPS_CONTAINER */\n\tStream_Write_UINT32(s, 49); /* length */\n\tStream_Write_UINT32(s, captureFlags); /* captureFlags */\n\tStream_Write_UINT32(s, 37); /* capsLength */\n\t/* TS_RFX_CAPS */\n\tStream_Write_UINT16(s, CBY_CAPS); /* blockType */\n\tStream_Write_UINT32(s, 8); /* blockLen */\n\tStream_Write_UINT16(s, 1); /* numCapsets */\n\t/* TS_RFX_CAPSET */\n\tStream_Write_UINT16(s, CBY_CAPSET); /* blockType */\n\tStream_Write_UINT32(s, 29); /* blockLen */\n\tStream_Write_UINT8(s, 0x01); /* codecId (MUST be set to 0x01) */\n\tStream_Write_UINT16(s, CLY_CAPSET); /* capsetType */\n\tStream_Write_UINT16(s, 2); /* numIcaps */\n\tStream_Write_UINT16(s, 8); /* icapLen */\n\t/* TS_RFX_ICAP (RLGR1) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR1); /* entropyBits */\n\t/* TS_RFX_ICAP (RLGR3) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR3); /* entropyBits */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200878113568940200705345537700818220319, "size": 42, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409602 }, { "func": "BOOL rdp_send_confirm_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tstatus = rdp_write_confirm_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_CONFIRM_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}", "project": "FreeRDP", "hash": 303361272103618703355733933078905733598, "size": 13, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409681 }, { "func": "static BOOL rdp_write_virtual_channel_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 flags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tflags = VCCAPS_NO_COMPR;\n\tStream_Write_UINT32(s, flags); /* flags (4 bytes) */\n\tStream_Write_UINT32(s, settings->VirtualChannelChunkSize); /* VCChunkSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_VIRTUAL_CHANNEL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 307084930192072983573817185031030778059, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409688 }, { "func": "BOOL rdp_recv_confirm_active(rdpRdp* rdp, wStream* s, UINT16 pduLength)\n{\n\trdpSettings* settings;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\tUINT16 numberCapabilities;\n\tsettings = rdp->settings;\n\n\tif (Stream_GetRemainingLength(s) < 10)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* shareId (4 bytes) */\n\tStream_Seek_UINT16(s); /* originatorId (2 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (Stream_GetRemainingLength(s) < lengthSourceDescriptor + 4U)\n\t\treturn FALSE;\n\n\tStream_Seek(s, lengthSourceDescriptor); /* sourceDescriptor */\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t\treturn FALSE;\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\t/* client does not support surface commands */\n\t\tsettings->SurfaceCommandsEnabled = FALSE;\n\t\tsettings->SurfaceFrameMarkerEnabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t{\n\t\t/* client does not support frame acks */\n\t\tsettings->FrameAcknowledge = 0;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\t/* client does not support bitmap cache v3 */\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\t/* client does not support bitmap codecs */\n\t\tsettings->RemoteFxCodec = FALSE;\n\t\tsettings->NSCodec = FALSE;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\t/* client does not support multi fragment updates - make sure packages are not fragmented */\n\t\tsettings->MultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\t/* client does not support large pointers */\n\t\tsettings->LargePointerFlag = 0;\n\t}\n\n\treturn tpkt_ensure_stream_consumed(s, pduLength);\n}", "project": "FreeRDP", "hash": 91493289017108646570943692625390752372, "size": 66, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409640 }, { "func": "static BOOL rdp_write_large_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 largePointerSupportFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tlargePointerSupportFlags =\n\t settings->LargePointerFlag & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tStream_Write_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_LARGE_POINTER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 109685188564620579761907320676178023525, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409616 }, { "func": "static BOOL rdp_write_frame_acknowledge_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FRAME_ACKNOWLEDGE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 191472304007744135114926456006727424452, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409591 }, { "func": "static BOOL rdp_print_sound_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 soundFlags;\n\tUINT16 pad2OctetsA;\n\tWLog_INFO(TAG, \"SoundCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tWLog_INFO(TAG, \"\\tsoundFlags: 0x%04\" PRIX16 \"\", soundFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 270468318396106321627842466475171868710, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409690 }, { "func": "static BOOL rdp_print_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 offscreenSupportLevel;\n\tUINT16 offscreenCacheSize;\n\tUINT16 offscreenCacheEntries;\n\tWLog_INFO(TAG, \"OffscreenBitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\toffscreenSupportLevel: 0x%08\" PRIX32 \"\", offscreenSupportLevel);\n\tWLog_INFO(TAG, \"\\toffscreenCacheSize: 0x%04\" PRIX16 \"\", offscreenCacheSize);\n\tWLog_INFO(TAG, \"\\toffscreenCacheEntries: 0x%04\" PRIX16 \"\", offscreenCacheEntries);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 52430610983265653194826083004421839498, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409663 }, { "func": "static void rdp_read_bitmap_codec_guid(wStream* s, GUID* guid)\n{\n\tBYTE g[16];\n\tStream_Read(s, g, 16);\n\tguid->Data1 = (g[3] << 24) | (g[2] << 16) | (g[1] << 8) | g[0];\n\tguid->Data2 = (g[5] << 8) | g[4];\n\tguid->Data3 = (g[7] << 8) | g[6];\n\tguid->Data4[0] = g[8];\n\tguid->Data4[1] = g[9];\n\tguid->Data4[2] = g[10];\n\tguid->Data4[3] = g[11];\n\tguid->Data4[4] = g[12];\n\tguid->Data4[5] = g[13];\n\tguid->Data4[6] = g[14];\n\tguid->Data4[7] = g[15];\n}", "project": "FreeRDP", "hash": 4886774312460546608647694875224936828, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409620 }, { "func": "static BOOL rdp_print_frame_acknowledge_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 frameAcknowledge;\n\tWLog_INFO(TAG, \"FrameAcknowledgeCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, frameAcknowledge); /* frameAcknowledge (4 bytes) */\n\tWLog_INFO(TAG, \"\\tframeAcknowledge: 0x%08\" PRIX32 \"\", frameAcknowledge);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 160917538292160124231779813896302866645, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409678 }, { "func": "static void rdp_write_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Write_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Write_UINT16(\n\t s, cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}", "project": "FreeRDP", "hash": 242617420166332381831381736771931983231, "size": 6, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409593 }, { "func": "static BOOL rdp_write_confirm_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tsize_t lengthCombinedCapabilities;\n\tBOOL ret;\n\tlengthSourceDescriptor = sizeof(SOURCE_DESCRIPTOR);\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 0x03EA); /* originatorId (2 bytes) */\n\tStream_Write_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, SOURCE_DESCRIPTOR, lengthSourceDescriptor); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\t/* Capability Sets */\n\tnumberCapabilities = 15;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tret = rdp_write_bitmap_cache_v2_capability_set(s, settings);\n\telse\n\t\tret = rdp_write_bitmap_cache_capability_set(s, settings);\n\n\tif (!ret)\n\t\treturn FALSE;\n\n\tif (!rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_brush_capability_set(s, settings) ||\n\t !rdp_write_glyph_cache_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_sound_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_control_capability_set(s, settings) ||\n\t !rdp_write_color_cache_capability_set(s, settings) ||\n\t !rdp_write_window_activation_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif (settings->OffscreenSupportLevel)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_offscreen_bitmap_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->DrawNineGridEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_draw_nine_grid_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\tif (settings->LargePointerFlag)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_large_pointer_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif (!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_multifragment_update_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_surface_commands_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_codecs_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t\tsettings->FrameAcknowledge = 0;\n\n\tif (settings->FrameAcknowledge)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_frame_acknowledge_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\tif (settings->BitmapCacheV3CodecId != 0)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_bitmap_cache_v3_codec_id_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tem = Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 327946317814750375154764007246473998380, "size": 149, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409592 }, { "func": "static BOOL rdp_write_surface_commands_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 cmdFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcmdFlags = SURFCMDS_SET_SURFACE_BITS | SURFCMDS_STREAM_SURFACE_BITS;\n\n\tif (settings->SurfaceFrameMarkerEnabled)\n\t\tcmdFlags |= SURFCMDS_FRAME_MARKER;\n\n\tStream_Write_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* reserved (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_SURFACE_COMMANDS);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 265887635769419825443180195929426885533, "size": 19, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409621 }, { "func": "static char* rdp_get_bitmap_codec_guid_name(const GUID* guid)\n{\n\tRPC_STATUS rpc_status;\n\n\tif (UuidEqual(guid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_REMOTEFX\";\n\telse if (UuidEqual(guid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\treturn \"CODEC_GUID_NSCODEC\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\treturn \"CODEC_GUID_IGNORE\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_IMAGE_REMOTEFX\";\n\n#if defined(WITH_JPEG)\n\telse if (UuidEqual(guid, &CODEC_GUID_JPEG, &rpc_status))\n\t\treturn \"CODEC_GUID_JPEG\";\n\n#endif\n\treturn \"CODEC_GUID_UNKNOWN\";\n}", "project": "FreeRDP", "hash": 155254763281841975956016535383696375092, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409680 }, { "func": "static BOOL rdp_read_control_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* controlFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteDetachFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* controlInterest (2 bytes) */\n\tStream_Seek_UINT16(s); /* detachInterest (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 246788064512336968283169931181073093043, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409614 }, { "func": "static BOOL rdp_print_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawNineGridSupportLevel;\n\tUINT16 DrawNineGridCacheSize;\n\tUINT16 DrawNineGridCacheEntries;\n\tWLog_INFO(TAG, \"DrawNineGridCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 99697391840067480834853895868286238230, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409579 }, { "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 4)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 63945765978373457675419959857261610616, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 1, "dataset": "other", "idx": 208417 }, { "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 5)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 7)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 92561895110037279576315503246460434637, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409646 }, { "func": "static BOOL rdp_print_large_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 largePointerSupportFlags;\n\tWLog_INFO(TAG, \"LargePointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tWLog_INFO(TAG, \"\\tlargePointerSupportFlags: 0x%04\" PRIX16 \"\", largePointerSupportFlags);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 339958623772639294175049811240387745622, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409623 }, { "func": "static BOOL rdp_read_window_activation_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* helpKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* windowManagerKeyFlag (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 92929385624240835162166734974587379320, "size": 13, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409684 }, { "func": "static void rdp_print_bitmap_codec_guid(const GUID* guid)\n{\n\tWLog_INFO(TAG,\n\t \"%08\" PRIX32 \"%04\" PRIX16 \"%04\" PRIX16 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8\n\t \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"\",\n\t guid->Data1, guid->Data2, guid->Data3, guid->Data4[0], guid->Data4[1], guid->Data4[2],\n\t guid->Data4[3], guid->Data4[4], guid->Data4[5], guid->Data4[6], guid->Data4[7]);\n}", "project": "FreeRDP", "hash": 77099897294778299773712257711439024635, "size": 8, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409651 }, { "func": "static BOOL rdp_print_window_list_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 wndSupportLevel;\n\tBYTE numIconCaches;\n\tUINT16 numIconCacheEntries;\n\tWLog_INFO(TAG, \"WindowListCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, wndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, numIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s, numIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\twndSupportLevel: 0x%08\" PRIX32 \"\", wndSupportLevel);\n\tWLog_INFO(TAG, \"\\tnumIconCaches: 0x%02\" PRIX8 \"\", numIconCaches);\n\tWLog_INFO(TAG, \"\\tnumIconCacheEntries: 0x%04\" PRIX16 \"\", numIconCacheEntries);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 56084745407537054957836216665066621553, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409638 }, { "func": "static BOOL rdp_write_share_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 nodeId;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tnodeId = (settings->ServerMode) ? 0x03EA : 0;\n\tStream_Write_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SHARE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 26910384615262271113922396983420701080, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409596 }, { "func": "static BOOL rdp_print_brush_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 brushSupportLevel;\n\tWLog_INFO(TAG, \"BrushCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, brushSupportLevel); /* brushSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\tbrushSupportLevel: 0x%08\" PRIX32 \"\", brushSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 285436586425045297137013893498254341233, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409581 }, { "func": "static BOOL rdp_read_desktop_composition_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* compDeskSupportLevel (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 257896305155583954962696210326662575434, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409612 }, { "func": "static BOOL rdp_write_offscreen_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 offscreenSupportLevel = 0x00;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->OffscreenSupportLevel)\n\t{\n\t\toffscreenSupportLevel = 0x01;\n\t\tStream_Write_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\t\tStream_Write_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\t\tStream_Write_UINT16(s,\n\t\t settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\t}\n\telse\n\t\tStream_Zero(s, 8);\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_OFFSCREEN_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 34976567181626346706020341189913124378, "size": 25, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409672 }, { "func": "static BOOL rdp_print_bitmap_cache_v2_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 cacheFlags;\n\tBYTE pad2;\n\tBYTE numCellCaches;\n\tBITMAP_CACHE_V2_CELL_INFO bitmapCacheV2CellInfo[5];\n\tWLog_INFO(TAG, \"BitmapCacheV2CapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Read_UINT8(s, pad2); /* pad2 (1 byte) */\n\tStream_Read_UINT8(s, numCellCaches); /* numCellCaches (1 byte) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheFlags: 0x%04\" PRIX16 \"\", cacheFlags);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%02\" PRIX8 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tnumCellCaches: 0x%02\" PRIX8 \"\", numCellCaches);\n\tWLog_INFO(TAG, \"\\tbitmapCache0CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[0].numEntries, bitmapCacheV2CellInfo[0].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache1CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[1].numEntries, bitmapCacheV2CellInfo[1].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache2CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[2].numEntries, bitmapCacheV2CellInfo[2].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache3CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[3].numEntries, bitmapCacheV2CellInfo[3].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache4CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[4].numEntries, bitmapCacheV2CellInfo[4].persistent);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 296655781578711417366859937464765040063, "size": 40, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409608 }, { "func": "static BOOL rdp_read_general_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 extraFlags;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT16(s, settings->OsMajorType); /* osMajorType (2 bytes) */\n\t\tStream_Read_UINT16(s, settings->OsMinorType); /* osMinorType (2 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT16(s); /* osMajorType (2 bytes) */\n\t\tStream_Seek_UINT16(s); /* osMinorType (2 bytes) */\n\t}\n\n\tStream_Seek_UINT16(s); /* protocolVersion (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* updateCapabilityFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteUnshareFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tsettings->NoBitmapCompressionHeader = (extraFlags & NO_BITMAP_COMPRESSION_HDR) ? TRUE : FALSE;\n\tsettings->LongCredentialsSupported = (extraFlags & LONG_CREDENTIALS_SUPPORTED) ? TRUE : FALSE;\n\n\tif (!(extraFlags & FASTPATH_OUTPUT_SUPPORTED))\n\t\tsettings->FastPathOutput = FALSE;\n\n\tif (!(extraFlags & ENC_SALTED_CHECKSUM))\n\t\tsettings->SaltedChecksum = FALSE;\n\n\tif (!settings->ServerMode)\n\t{\n\t\t/**\n\t\t * Note: refreshRectSupport and suppressOutputSupport are\n\t\t * server-only flags indicating to the client weather the\n\t\t * respective PDUs are supported. See MS-RDPBCGR 2.2.7.1.1\n\t\t */\n\t\tif (!refreshRectSupport)\n\t\t\tsettings->RefreshRect = FALSE;\n\n\t\tif (!suppressOutputSupport)\n\t\t\tsettings->SuppressOutput = FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 849871180783904750462910493265742730, "size": 54, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409649 }, { "func": "static BOOL rdp_write_rfx_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 30381998541812809023414048959611680622, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409647 }, { "func": "static BOOL rdp_print_color_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorTableCacheSize;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ColorCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorTableCacheSize); /* colorTableCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorTableCacheSize: 0x%04\" PRIX16 \"\", colorTableCacheSize);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 147412173596886311190003265789714347848, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409682 }, { "func": "static BOOL rdp_read_virtual_channel_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tif (settings->ServerMode != TRUE)\n\t\tsettings->VirtualChannelChunkSize = VCChunkSize;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 290598108437996799579687211407031343101, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409597 }, { "func": "static BOOL rdp_read_order_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tint i;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 orderSupportExFlags;\n\tBOOL BitmapCacheV3Enabled = FALSE;\n\tBOOL FrameMarkerCommandEnabled = FALSE;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Seek(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsA (4 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* maximumOrderLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Seek_UINT16(s); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsB (4 bytes) */\n\tStream_Seek_UINT32(s); /* desktopSaveSize (4 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsC (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsD (2 bytes) */\n\tStream_Seek_UINT16(s); /* textANSICodePage (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsE (2 bytes) */\n\n\tfor (i = 0; i < 32; i++)\n\t{\n\t\tif (orderSupport[i] == FALSE)\n\t\t\tsettings->OrderSupport[i] = FALSE;\n\t}\n\n\tif (orderFlags & ORDER_FLAGS_EXTRA_SUPPORT)\n\t{\n\t\tif (orderSupportExFlags & CACHE_BITMAP_V3_SUPPORT)\n\t\t\tBitmapCacheV3Enabled = TRUE;\n\n\t\tif (orderSupportExFlags & ALTSEC_FRAME_MARKER_SUPPORT)\n\t\t\tFrameMarkerCommandEnabled = TRUE;\n\t}\n\n\tif (settings->BitmapCacheV3Enabled && BitmapCacheV3Enabled)\n\t\tsettings->BitmapCacheVersion = 3;\n\telse\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\n\tif (settings->FrameMarkerCommandEnabled && !FrameMarkerCommandEnabled)\n\t\tsettings->FrameMarkerCommandEnabled = FALSE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 189672869918992028391314712470791613301, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409676 }, { "func": "static BOOL rdp_write_nsc_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 60725325689248985919258800414909485501, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409601 }, { "func": "static BOOL rdp_write_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 bpp;\n\tsize_t header;\n\tUINT32 size;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tbpp = (settings->ColorDepth + 7) / 8;\n\tif (bpp > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, 0); /* pad1 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad2 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad3 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad5 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad6 (4 bytes) */\n\tsize = bpp * 256;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 200); /* Cache0Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache0MaximumCellSize (2 bytes) */\n\tsize = bpp * 1024;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 600); /* Cache1Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache1MaximumCellSize (2 bytes) */\n\tsize = bpp * 4096;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 1000); /* Cache2Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache2MaximumCellSize (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 121157721180275409455921259823027389764, "size": 39, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409648 }, { "func": "static BOOL rdp_read_brush_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* brushSupportLevel (4 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 201932960273049902456905707665273606852, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409603 }, { "func": "static BOOL rdp_write_nsc_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tBYTE colorLossLevel;\n\tBYTE fAllowSubsampling;\n\tBYTE fAllowDynamicFidelity;\n\tfAllowDynamicFidelity = settings->NSCodecAllowDynamicColorFidelity;\n\tfAllowSubsampling = settings->NSCodecAllowSubsampling;\n\tcolorLossLevel = settings->NSCodecColorLossLevel;\n\n\tif (colorLossLevel < 1)\n\t\tcolorLossLevel = 1;\n\n\tif (colorLossLevel > 7)\n\t\tcolorLossLevel = 7;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 3); /* codecPropertiesLength */\n\t/* TS_NSCODEC_CAPABILITYSET */\n\tStream_Write_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\tStream_Write_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\tStream_Write_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 42897287390959164091468957982836296378, "size": 25, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409657 }, { "func": "static BOOL rdp_print_input_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 inputFlags;\n\tUINT16 pad2OctetsA;\n\tUINT32 keyboardLayout;\n\tUINT32 keyboardType;\n\tUINT32 keyboardSubType;\n\tUINT32 keyboardFunctionKey;\n\tWLog_INFO(TAG, \"InputCapabilitySet (length %\" PRIu16 \")\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT32(s, keyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Read_UINT32(s, keyboardType); /* keyboardType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\tWLog_INFO(TAG, \"\\tinputFlags: 0x%04\" PRIX16 \"\", inputFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tkeyboardLayout: 0x%08\" PRIX32 \"\", keyboardLayout);\n\tWLog_INFO(TAG, \"\\tkeyboardType: 0x%08\" PRIX32 \"\", keyboardType);\n\tWLog_INFO(TAG, \"\\tkeyboardSubType: 0x%08\" PRIX32 \"\", keyboardSubType);\n\tWLog_INFO(TAG, \"\\tkeyboardFunctionKey: 0x%08\" PRIX32 \"\", keyboardFunctionKey);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 92834056900707877098460532450876414616, "size": 28, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409650 }, { "func": "static BOOL rdp_write_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 colorPointerFlag;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->PointerCacheSize > UINT16_MAX)\n\t\treturn FALSE;\n\n\tcolorPointerFlag = (settings->ColorPointerFlag) ? 1 : 0;\n\tStream_Write_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Write_UINT16(s,\n\t (UINT16)settings->PointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\tif (settings->LargePointerFlag)\n\t{\n\t\tStream_Write_UINT16(s, (UINT16)settings->PointerCacheSize); /* pointerCacheSize (2 bytes) */\n\t}\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_POINTER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 149417436358850467055827054446942927975, "size": 27, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409610 }, { "func": "static BOOL rdp_write_desktop_composition_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 compDeskSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcompDeskSupportLevel =\n\t (settings->AllowDesktopComposition) ? COMPDESK_SUPPORTED : COMPDESK_NOT_SUPPORTED;\n\tStream_Write_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_COMP_DESK);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 273318921816338668560055755973757610116, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409643 }, { "func": "static BOOL rdp_write_bitmap_cache_host_support_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, BITMAP_CACHE_V2); /* cacheVersion (1 byte) */\n\tStream_Write_UINT8(s, 0); /* pad1 (1 byte) */\n\tStream_Write_UINT16(s, 0); /* pad2 (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 135633036669097795306427700527407315652, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409673 }, { "func": "static BOOL rdp_write_bitmap_cache_v3_codec_id_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->BitmapCacheV3CodecId > UINT8_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, (UINT8)settings->BitmapCacheV3CodecId);\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 10452923046637731164141377400720189331, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409624 }, { "func": "static BOOL rdp_read_bitmap_codecs_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE codecId;\n\tGUID codecGuid;\n\tRPC_STATUS rpc_status;\n\tBYTE bitmapCodecCount;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tBOOL guidNSCodec = FALSE;\n\tBOOL guidRemoteFx = FALSE;\n\tBOOL guidRemoteFxImage = FALSE;\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tUINT32 beg;\n\t\t\tUINT32 end;\n\t\t\tbeg = (UINT32)Stream_GetPosition(s);\n\t\t\tend = beg + codecPropertiesLength;\n\n\t\t\tif (UuidEqual(&codecGuid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\tUINT32 rfxCapsLength;\n\t\t\t\tUINT32 rfxPropsLength;\n\t\t\t\tUINT32 captureFlags;\n\t\t\t\tguidRemoteFx = TRUE;\n\t\t\t\tsettings->RemoteFxCodecId = codecId;\n\t\t\t\tStream_Read_UINT32(s, rfxPropsLength); /* length (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, captureFlags); /* captureFlags (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, rfxCapsLength); /* capsLength (4 bytes) */\n\t\t\t\tsettings->RemoteFxCaptureFlags = captureFlags;\n\t\t\t\tsettings->RemoteFxOnly = (captureFlags & CARDP_CAPS_CAPTURE_NON_CAC) ? TRUE : FALSE;\n\n\t\t\t\tif (rfxCapsLength)\n\t\t\t\t{\n\t\t\t\t\tUINT16 blockType;\n\t\t\t\t\tUINT32 blockLen;\n\t\t\t\t\tUINT16 numCapsets;\n\t\t\t\t\tBYTE rfxCodecId;\n\t\t\t\t\tUINT16 capsetType;\n\t\t\t\t\tUINT16 numIcaps;\n\t\t\t\t\tUINT16 icapLen;\n\t\t\t\t\t/* TS_RFX_CAPS */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numCapsets); /* numCapsets (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (blockLen != 8)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (numCapsets != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t/* TS_RFX_CAPSET */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT8(s, rfxCodecId); /* codecId (1 byte) */\n\t\t\t\t\tStream_Read_UINT16(s, capsetType); /* capsetType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numIcaps); /* numIcaps (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, icapLen); /* icapLen (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (rfxCodecId != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (capsetType != 0xCFC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\twhile (numIcaps--)\n\t\t\t\t\t{\n\t\t\t\t\t\tUINT16 version;\n\t\t\t\t\t\tUINT16 tileSize;\n\t\t\t\t\t\tBYTE codecFlags;\n\t\t\t\t\t\tBYTE colConvBits;\n\t\t\t\t\t\tBYTE transformBits;\n\t\t\t\t\t\tBYTE entropyBits;\n\t\t\t\t\t\t/* TS_RFX_ICAP */\n\t\t\t\t\t\tStream_Read_UINT16(s, version); /* version (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT16(s, tileSize); /* tileSize (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT8(s, codecFlags); /* flags (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, colConvBits); /* colConvBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, transformBits); /* transformBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, entropyBits); /* entropyBits (1 byte) */\n\n\t\t\t\t\t\tif (version == 0x0009)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 0.9 */\n\t\t\t\t\t\t\tif (tileSize != 0x0080)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (version == 0x0100)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 1.0 */\n\t\t\t\t\t\t\tif (tileSize != 0x0040)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (colConvBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (transformBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\t/* Microsoft RDP servers ignore CODEC_GUID_IMAGE_REMOTEFX codec properties */\n\t\t\t\tguidRemoteFxImage = TRUE;\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\t\t{\n\t\t\t\tBYTE colorLossLevel;\n\t\t\t\tBYTE fAllowSubsampling;\n\t\t\t\tBYTE fAllowDynamicFidelity;\n\t\t\t\tguidNSCodec = TRUE;\n\t\t\t\tsettings->NSCodecId = codecId;\n\t\t\t\tStream_Read_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\n\t\t\t\tif (colorLossLevel < 1)\n\t\t\t\t\tcolorLossLevel = 1;\n\n\t\t\t\tif (colorLossLevel > 7)\n\t\t\t\t\tcolorLossLevel = 7;\n\n\t\t\t\tsettings->NSCodecAllowDynamicColorFidelity = fAllowDynamicFidelity;\n\t\t\t\tsettings->NSCodecAllowSubsampling = fAllowSubsampling;\n\t\t\t\tsettings->NSCodecColorLossLevel = colorLossLevel;\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\n\t\t\tif (Stream_GetPosition(s) != end)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG,\n\t\t\t\t \"error while reading codec properties: actual offset: %\" PRIuz\n\t\t\t\t \" expected offset: %\" PRIu32 \"\",\n\t\t\t\t Stream_GetPosition(s), end);\n\t\t\t\tStream_SetPosition(s, end);\n\t\t\t}\n\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\n\t\tbitmapCodecCount--;\n\t}\n\n\tif (settings->ServerMode)\n\t{\n\t\t/* only enable a codec if we've announced/enabled it before */\n\t\tsettings->RemoteFxCodec = settings->RemoteFxCodec && guidRemoteFx;\n\t\tsettings->RemoteFxImageCodec = settings->RemoteFxImageCodec && guidRemoteFxImage;\n\t\tsettings->NSCodec = settings->NSCodec && guidNSCodec;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 211558337571308508511556254604496342865, "size": 197, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409580 }, { "func": "static BOOL rdp_write_input_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 inputFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 128))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tinputFlags = INPUT_FLAG_SCANCODES;\n\n\tif (settings->FastPathInput)\n\t{\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT;\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT2;\n\t}\n\n\tif (settings->HasHorizontalWheel)\n\t\tinputFlags |= TS_INPUT_FLAG_MOUSE_HWHEEL;\n\n\tif (settings->UnicodeInput)\n\t\tinputFlags |= INPUT_FLAG_UNICODE;\n\n\tif (settings->HasExtendedMouseEvent)\n\t\tinputFlags |= INPUT_FLAG_MOUSEX;\n\n\tStream_Write_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Zero(s, 64); /* imeFileName (64 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_INPUT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 338872550335327331413384147382884031144, "size": 38, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409679 }, { "func": "BOOL rdp_recv_get_active_header(rdpRdp* rdp, wStream* s, UINT16* pChannelId, UINT16* length)\n{\n\tUINT16 securityFlags = 0;\n\n\tif (!rdp_read_header(rdp, s, length, pChannelId))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (rdp->settings->UseRdpSecurityLayer)\n\t{\n\t\tif (!rdp_read_security_header(s, &securityFlags, length))\n\t\t\treturn FALSE;\n\n\t\tif (securityFlags & SEC_ENCRYPT)\n\t\t{\n\t\t\tif (!rdp_decrypt(rdp, s, length, securityFlags))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"rdp_decrypt failed\");\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (*pChannelId != MCS_GLOBAL_CHANNEL_ID)\n\t{\n\t\tUINT16 mcsMessageChannelId = rdp->mcs->messageChannelId;\n\n\t\tif ((mcsMessageChannelId == 0) || (*pChannelId != mcsMessageChannelId))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"unexpected MCS channel id %04\" PRIx16 \" received\", *pChannelId);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 69761426746625133711469800190507649484, "size": 38, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409606 }, { "func": "static BOOL rdp_print_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE bitmapCacheV3CodecId;\n\tWLog_INFO(TAG, \"BitmapCacheV3CodecIdCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\tWLog_INFO(TAG, \"\\tbitmapCacheV3CodecId: 0x%02\" PRIX8 \"\", bitmapCacheV3CodecId);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200222901722079828895109214050225335139, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409618 }, { "func": "static BOOL rdp_read_surface_commands_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 cmdFlags;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Seek_UINT32(s); /* reserved (4 bytes) */\n\tsettings->SurfaceCommandsEnabled = TRUE;\n\tsettings->SurfaceFrameMarkerEnabled = (cmdFlags & SURFCMDS_FRAME_MARKER) ? TRUE : FALSE;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 63310942064729278467171666552306282666, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409656 }, { "func": "static BOOL rdp_write_window_list_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Write_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Write_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_WINDOW);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 269751178337665990773470592456743275364, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409675 }, { "func": "static BOOL rdp_read_bitmap_cache_v2_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* cacheFlags (2 bytes) */\n\tStream_Seek_UINT8(s); /* pad2 (1 byte) */\n\tStream_Seek_UINT8(s); /* numCellCaches (1 byte) */\n\tStream_Seek(s, 4); /* bitmapCache0CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache1CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache2CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache3CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 263490146809338800269291031396967779750, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409636 }, { "func": "static BOOL rdp_write_sound_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 soundFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tsoundFlags = (settings->SoundBeepsEnabled) ? SOUND_BEEPS_FLAG : 0;\n\tStream_Write_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SOUND);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 158780408568565551652650021789085155322, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409677 }, { "func": "static BOOL rdp_write_bitmap_cache_v2_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 cacheFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcacheFlags = ALLOW_CACHE_WAITING_LIST_FLAG;\n\n\tif (settings->BitmapCachePersistEnabled)\n\t\tcacheFlags |= PERSISTENT_KEYS_EXPECTED_FLAG;\n\n\tStream_Write_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* pad2 (1 byte) */\n\tStream_Write_UINT8(s, settings->BitmapCacheV2NumCells); /* numCellCaches (1 byte) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Zero(s, 12); /* pad3 (12 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CACHE_V2);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 7403566936328765357261527626239563020, "size": 31, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409671 }, { "func": "static BOOL rdp_write_control_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* controlFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteDetachFlag (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* controlInterest (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* detachInterest (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_CONTROL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 135483827949982748357864462755091453961, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409645 }, { "func": "static BOOL rdp_read_frame_acknowledge_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* (4 bytes) */\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284070112210894721326557355488230804603, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409627 }, { "func": "static BOOL rdp_write_brush_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->BrushSupportLevel); /* brushSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BRUSH);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 93963722394653772517521252922174557981, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409599 }, { "func": "static BOOL rdp_read_multifragment_update_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 multifragMaxRequestSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, multifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\t/*\n\t\t * Special case: The client announces multifragment update support but sets the maximum\n\t\t * request size to something smaller than maximum size for *one* fast-path PDU. In this case\n\t\t * behave like no multifragment updates were supported and make sure no fragmentation\n\t\t * happens by setting FASTPATH_FRAGMENT_SAFE_SIZE.\n\t\t *\n\t\t * This behaviour was observed with some windows ce rdp clients.\n\t\t */\n\t\tif (multifragMaxRequestSize < FASTPATH_MAX_PACKET_SIZE)\n\t\t\tmultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\n\t\tif (settings->RemoteFxCodec)\n\t\t{\n\t\t\t/**\n\t\t\t * If we are using RemoteFX the client MUST use a value greater\n\t\t\t * than or equal to the value we've previously sent in the server to\n\t\t\t * client multi-fragment update capability set (MS-RDPRFX 1.5)\n\t\t\t */\n\t\t\tif (multifragMaxRequestSize < settings->MultifragMaxRequestSize)\n\t\t\t{\n\t\t\t\t/**\n\t\t\t\t * If it happens to be smaller we honor the client's value but\n\t\t\t\t * have to disable RemoteFX\n\t\t\t\t */\n\t\t\t\tsettings->RemoteFxCodec = FALSE;\n\t\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* no need to increase server's max request size setting here */\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t}\n\t}\n\telse\n\t{\n\t\t/**\n\t\t * In client mode we keep up with the server's capabilites.\n\t\t * In RemoteFX mode we MUST do this but it might also be useful to\n\t\t * receive larger related bitmap updates.\n\t\t */\n\t\tif (multifragMaxRequestSize > settings->MultifragMaxRequestSize)\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 37401917209807069896060133616819073503, "size": 62, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409584 }, { "func": "static const char* get_capability_name(UINT16 type)\n{\n\tif (type > CAPSET_TYPE_FRAME_ACKNOWLEDGE)\n\t\treturn \"\";\n\n\treturn CAPSET_TYPE_STRINGS[type];\n}", "project": "FreeRDP", "hash": 16777793439146057316455334333971045236, "size": 7, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409629 }, { "func": "static BOOL rdp_write_draw_nine_grid_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tdrawNineGridSupportLevel =\n\t (settings->DrawNineGridEnabled) ? DRAW_NINEGRID_SUPPORTED_V2 : DRAW_NINEGRID_NO_SUPPORT;\n\tStream_Write_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Write_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Write_UINT16(\n\t s, settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_DRAW_NINE_GRID_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 35511811275078158737832815679711271274, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409674 }, { "func": "static BOOL rdp_write_demand_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tsize_t lengthCombinedCapabilities;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 4); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, \"RDP\", 4); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tnumberCapabilities = 14;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings) ||\n\t !rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_multifragment_update_capability_set(s, settings) ||\n\t !rdp_write_large_pointer_capability_set(s, settings) ||\n\t !rdp_write_desktop_composition_capability_set(s, settings) ||\n\t !rdp_write_surface_commands_capability_set(s, settings) ||\n\t !rdp_write_bitmap_codecs_capability_set(s, settings) ||\n\t !rdp_write_frame_acknowledge_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif (settings->BitmapCachePersistEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_cache_host_support_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif (!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tem = Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\tStream_Write_UINT32(s, 0); /* sessionId */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200964485296716695117994736252941627244, "size": 73, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409689 }, { "func": "static BOOL rdp_read_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE cacheVersion;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Seek_UINT8(s); /* pad1 (1 byte) */\n\tStream_Seek_UINT16(s); /* pad2 (2 bytes) */\n\n\tif (cacheVersion & BITMAP_CACHE_V2)\n\t\tsettings->BitmapCachePersistEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 194862320568674981995591289915994818222, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409654 }, { "func": "static BOOL rdp_read_input_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 inputFlags;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* keyboardLayout (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardType (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardSubType (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\n\tif (!settings->ServerMode)\n\t{\n\t\tif (inputFlags & INPUT_FLAG_FASTPATH_INPUT)\n\t\t{\n\t\t\t/* advertised by RDP 5.0 and 5.1 servers */\n\t\t}\n\t\telse if (inputFlags & INPUT_FLAG_FASTPATH_INPUT2)\n\t\t{\n\t\t\t/* advertised by RDP 5.2, 6.0, 6.1 and 7.0 servers */\n\t\t}\n\t\telse\n\t\t{\n\t\t\t/* server does not support fastpath input */\n\t\t\tsettings->FastPathInput = FALSE;\n\t\t}\n\n\t\tif (inputFlags & TS_INPUT_FLAG_MOUSE_HWHEEL)\n\t\t\tsettings->HasHorizontalWheel = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_UNICODE)\n\t\t\tsettings->UnicodeInput = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_MOUSEX)\n\t\t\tsettings->HasExtendedMouseEvent = TRUE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126033178202274719085086663919529272091, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409609 }, { "func": "static BOOL rdp_print_bitmap_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 preferredBitsPerPixel;\n\tUINT16 receive1BitPerPixel;\n\tUINT16 receive4BitsPerPixel;\n\tUINT16 receive8BitsPerPixel;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 pad2Octets;\n\tUINT16 desktopResizeFlag;\n\tUINT16 bitmapCompressionFlag;\n\tBYTE highColorFlags;\n\tBYTE drawingFlags;\n\tUINT16 multipleRectangleSupport;\n\tUINT16 pad2OctetsB;\n\tWLog_INFO(TAG, \"BitmapCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive1BitPerPixel); /* receive1BitPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive4BitsPerPixel); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive8BitsPerPixel); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Read_UINT16(s, bitmapCompressionFlag); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Read_UINT8(s, highColorFlags); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Read_UINT16(s, multipleRectangleSupport); /* multipleRectangleSupport (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsB); /* pad2OctetsB (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpreferredBitsPerPixel: 0x%04\" PRIX16 \"\", preferredBitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive1BitPerPixel: 0x%04\" PRIX16 \"\", receive1BitPerPixel);\n\tWLog_INFO(TAG, \"\\treceive4BitsPerPixel: 0x%04\" PRIX16 \"\", receive4BitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive8BitsPerPixel: 0x%04\" PRIX16 \"\", receive8BitsPerPixel);\n\tWLog_INFO(TAG, \"\\tdesktopWidth: 0x%04\" PRIX16 \"\", desktopWidth);\n\tWLog_INFO(TAG, \"\\tdesktopHeight: 0x%04\" PRIX16 \"\", desktopHeight);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\tWLog_INFO(TAG, \"\\tdesktopResizeFlag: 0x%04\" PRIX16 \"\", desktopResizeFlag);\n\tWLog_INFO(TAG, \"\\tbitmapCompressionFlag: 0x%04\" PRIX16 \"\", bitmapCompressionFlag);\n\tWLog_INFO(TAG, \"\\thighColorFlags: 0x%02\" PRIX8 \"\", highColorFlags);\n\tWLog_INFO(TAG, \"\\tdrawingFlags: 0x%02\" PRIX8 \"\", drawingFlags);\n\tWLog_INFO(TAG, \"\\tmultipleRectangleSupport: 0x%04\" PRIX16 \"\", multipleRectangleSupport);\n\tWLog_INFO(TAG, \"\\tpad2OctetsB: 0x%04\" PRIX16 \"\", pad2OctetsB);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126081365899131686923850704232043707399, "size": 48, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409585 }, { "func": "static BOOL rdp_print_capability_sets(wStream* s, UINT16 numberCapabilities, BOOL receiving)\n{\n\tUINT16 type;\n\tUINT16 length;\n\tBYTE *bm, *em;\n\n\twhile (numberCapabilities > 0)\n\t{\n\t\tStream_GetPointer(s, bm);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\t\tWLog_INFO(TAG, \"%s \", receiving ? \"Receiving\" : \"Sending\");\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) < (size_t)(length - 4))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_print_general_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_print_bitmap_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_print_order_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\tif (!rdp_print_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\tif (!rdp_print_control_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\tif (!rdp_print_window_activation_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_print_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_print_share_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif (!rdp_print_color_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\tif (!rdp_print_sound_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_INPUT:\n\t\t\t\tif (!rdp_print_input_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_print_font_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\tif (!rdp_print_brush_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\tif (!rdp_print_glyph_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\tif (!rdp_print_offscreen_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\tif (!rdp_print_bitmap_cache_host_support_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\tif (!rdp_print_bitmap_cache_v2_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_print_virtual_channel_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\tif (!rdp_print_draw_nine_grid_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_print_draw_gdiplus_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_print_remote_programs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif (!rdp_print_window_list_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_print_desktop_composition_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif (!rdp_print_multifragment_update_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_print_large_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_print_surface_commands_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_print_bitmap_codecs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_print_frame_acknowledge_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_print_bitmap_cache_v3_codec_id_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tWLog_ERR(TAG, \"unknown capability type %\" PRIu16 \"\", type);\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, Stream_Pointer(s) - bm, em - bm);\n\t\t}\n\n\t\tStream_SetPointer(s, em);\n\t\tnumberCapabilities--;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 105372768838707288001971402184306047802, "size": 213, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409611 }, { "func": "static BOOL rdp_print_share_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 nodeId;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ShareCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tnodeId: 0x%04\" PRIX16 \"\", nodeId);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 82707890459590975223038772323618896983, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409635 }, { "func": "static BOOL rdp_write_order_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 orderFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT16 textANSICodePage = 0;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\t/* see [MSDN-CP]: http://msdn.microsoft.com/en-us/library/dd317756 */\n\tif (!settings->ServerMode)\n\t\ttextANSICodePage = CP_UTF8; /* Unicode (UTF-8) */\n\n\torderSupportExFlags = 0;\n\torderFlags = NEGOTIATE_ORDER_SUPPORT | ZERO_BOUNDS_DELTA_SUPPORT | COLOR_INDEX_SUPPORT;\n\n\tif (settings->BitmapCacheV3Enabled)\n\t{\n\t\torderSupportExFlags |= CACHE_BITMAP_V3_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tif (settings->FrameMarkerCommandEnabled)\n\t{\n\t\torderSupportExFlags |= ALTSEC_FRAME_MARKER_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tStream_Zero(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsA (4 bytes) */\n\tStream_Write_UINT16(s, 1); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 20); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* maximumOrderLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* numberFonts (2 bytes) */\n\tStream_Write_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Write(s, settings->OrderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Write_UINT16(s, 0); /* textFlags (2 bytes) */\n\tStream_Write_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsB (4 bytes) */\n\tStream_Write_UINT32(s, 230400); /* desktopSaveSize (4 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsC (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsD (2 bytes) */\n\tStream_Write_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsE (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ORDER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 62966291564570637375163967456258879772, "size": 52, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409577 }, { "func": "static BOOL rdp_write_general_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 extraFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\textraFlags = 0;\n\n\tif (settings->LongCredentialsSupported)\n\t\textraFlags |= LONG_CREDENTIALS_SUPPORTED;\n\n\tif (settings->NoBitmapCompressionHeader)\n\t\textraFlags |= NO_BITMAP_COMPRESSION_HDR;\n\n\tif (settings->AutoReconnectionEnabled)\n\t\textraFlags |= AUTORECONNECT_SUPPORTED;\n\n\tif (settings->FastPathOutput)\n\t\textraFlags |= FASTPATH_OUTPUT_SUPPORTED;\n\n\tif (settings->SaltedChecksum)\n\t\textraFlags |= ENC_SALTED_CHECKSUM;\n\n\tif ((settings->OsMajorType > UINT16_MAX) || (settings->OsMinorType > UINT16_MAX))\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"OsMajorType=%08\" PRIx32 \", OsMinorType=%08\" PRIx32\n\t\t \" they need to be smaller %04\" PRIx16,\n\t\t settings->OsMajorType, settings->OsMinorType, UINT16_MAX);\n\t\treturn FALSE;\n\t}\n\tStream_Write_UINT16(s, (UINT16)settings->OsMajorType); /* osMajorType (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->OsMinorType); /* osMinorType (2 bytes) */\n\tStream_Write_UINT16(s, CAPS_PROTOCOL_VERSION); /* protocolVersion (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionTypes (2 bytes) */\n\tStream_Write_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* updateCapabilityFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteUnshareFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionLevel (2 bytes) */\n\tStream_Write_UINT8(s, settings->RefreshRect ? 1 : 0); /* refreshRectSupport (1 byte) */\n\tStream_Write_UINT8(s, settings->SuppressOutput ? 1 : 0); /* suppressOutputSupport (1 byte) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GENERAL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 73312758503643501467084662633560847526, "size": 50, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409637 }, { "func": "static BOOL rdp_print_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE cacheVersion;\n\tBYTE pad1;\n\tUINT16 pad2;\n\tWLog_INFO(TAG, \"BitmapCacheHostSupportCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Read_UINT8(s, pad1); /* pad1 (1 byte) */\n\tStream_Read_UINT16(s, pad2); /* pad2 (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheVersion: 0x%02\" PRIX8 \"\", cacheVersion);\n\tWLog_INFO(TAG, \"\\tpad1: 0x%02\" PRIX8 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%04\" PRIX16 \"\", pad2);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 160808522847092520296495320523643539377, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409575 }, { "func": "static BOOL rdp_write_jpeg_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, 75);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 333617504875696343154040639255234735592, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409600 }, { "func": "static BOOL rdp_read_sound_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 soundFlags;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tsettings->SoundBeepsEnabled = (soundFlags & SOUND_BEEPS_FLAG) ? TRUE : FALSE;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 168130594877741834723027781386436848480, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409613 }, { "func": "static BOOL rdp_write_window_activation_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* helpKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* windowManagerKeyFlag (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ACTIVATION);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 39519253932521963435868974399763685508, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409639 }, { "func": "static BOOL rdp_print_general_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 osMajorType;\n\tUINT16 osMinorType;\n\tUINT16 protocolVersion;\n\tUINT16 pad2OctetsA;\n\tUINT16 generalCompressionTypes;\n\tUINT16 extraFlags;\n\tUINT16 updateCapabilityFlag;\n\tUINT16 remoteUnshareFlag;\n\tUINT16 generalCompressionLevel;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"GeneralCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, osMajorType); /* osMajorType (2 bytes) */\n\tStream_Read_UINT16(s, osMinorType); /* osMinorType (2 bytes) */\n\tStream_Read_UINT16(s, protocolVersion); /* protocolVersion (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionTypes); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Read_UINT16(s, updateCapabilityFlag); /* updateCapabilityFlag (2 bytes) */\n\tStream_Read_UINT16(s, remoteUnshareFlag); /* remoteUnshareFlag (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionLevel); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tWLog_INFO(TAG, \"\\tosMajorType: 0x%04\" PRIX16 \"\", osMajorType);\n\tWLog_INFO(TAG, \"\\tosMinorType: 0x%04\" PRIX16 \"\", osMinorType);\n\tWLog_INFO(TAG, \"\\tprotocolVersion: 0x%04\" PRIX16 \"\", protocolVersion);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionTypes: 0x%04\" PRIX16 \"\", generalCompressionTypes);\n\tWLog_INFO(TAG, \"\\textraFlags: 0x%04\" PRIX16 \"\", extraFlags);\n\tWLog_INFO(TAG, \"\\tupdateCapabilityFlag: 0x%04\" PRIX16 \"\", updateCapabilityFlag);\n\tWLog_INFO(TAG, \"\\tremoteUnshareFlag: 0x%04\" PRIX16 \"\", remoteUnshareFlag);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionLevel: 0x%04\" PRIX16 \"\", generalCompressionLevel);\n\tWLog_INFO(TAG, \"\\trefreshRectSupport: 0x%02\" PRIX8 \"\", refreshRectSupport);\n\tWLog_INFO(TAG, \"\\tsuppressOutputSupport: 0x%02\" PRIX8 \"\", suppressOutputSupport);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 5500072580712139778494173931145880946, "size": 42, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409631 }, { "func": "static BOOL rdp_read_remote_programs_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 railSupportLevel;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\n\tif ((railSupportLevel & RAIL_LEVEL_SUPPORTED) == 0)\n\t{\n\t\tif (settings->RemoteApplicationMode == TRUE)\n\t\t{\n\t\t\t/* RemoteApp Failure! */\n\t\t\tsettings->RemoteApplicationMode = FALSE;\n\t\t}\n\t}\n\n\t/* 2.2.2.2.3 HandshakeEx PDU (TS_RAIL_ORDER_HANDSHAKE_EX)\n\t * the handshake ex pdu is supported when both, client and server announce\n\t * it OR if we are ready to begin enhanced remoteAPP mode. */\n\tif (settings->RemoteApplicationMode)\n\t\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\n\tsettings->RemoteApplicationSupportLevel =\n\t railSupportLevel & settings->RemoteApplicationSupportMask;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 133850945589594759190444119473191077444, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409595 }, { "func": "static BOOL rdp_print_multifragment_update_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 maxRequestSize;\n\tWLog_INFO(TAG, \"MultifragmentUpdateCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, maxRequestSize); /* maxRequestSize (4 bytes) */\n\tWLog_INFO(TAG, \"\\tmaxRequestSize: 0x%08\" PRIX32 \"\", maxRequestSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 249919513915138150249317489840873024684, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409691 }, { "func": "static BOOL rdp_print_bitmap_codecs_capability_set(wStream* s, UINT16 length)\n{\n\tGUID codecGuid;\n\tBYTE bitmapCodecCount;\n\tBYTE codecId;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tWLog_INFO(TAG, \"BitmapCodecsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\tWLog_INFO(TAG, \"\\tbitmapCodecCount: %\" PRIu8 \"\", bitmapCodecCount);\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tWLog_INFO(TAG, \"\\tcodecGuid: 0x\");\n\t\trdp_print_bitmap_codec_guid(&codecGuid);\n\t\tWLog_INFO(TAG, \" (%s)\", rdp_get_bitmap_codec_guid_name(&codecGuid));\n\t\tWLog_INFO(TAG, \"\\tcodecId: %\" PRIu8 \"\", codecId);\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tWLog_INFO(TAG, \"\\tcodecPropertiesLength: %\" PRIu16 \"\", codecPropertiesLength);\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\tremainingLength -= codecPropertiesLength;\n\t\tbitmapCodecCount--;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 24114546032535399803500638112004720719, "size": 41, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409582 }, { "func": "static BOOL rdp_print_order_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE terminalDescriptor[16];\n\tUINT32 pad4OctetsA;\n\tUINT16 desktopSaveXGranularity;\n\tUINT16 desktopSaveYGranularity;\n\tUINT16 pad2OctetsA;\n\tUINT16 maximumOrderLevel;\n\tUINT16 numberFonts;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 textFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT32 pad4OctetsB;\n\tUINT32 desktopSaveSize;\n\tUINT16 pad2OctetsC;\n\tUINT16 pad2OctetsD;\n\tUINT16 textANSICodePage;\n\tUINT16 pad2OctetsE;\n\tWLog_INFO(TAG, \"OrderCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read(s, terminalDescriptor, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsA); /* pad4OctetsA (4 bytes) */\n\tStream_Read_UINT16(s, desktopSaveXGranularity); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Read_UINT16(s, desktopSaveYGranularity); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, maximumOrderLevel); /* maximumOrderLevel (2 bytes) */\n\tStream_Read_UINT16(s, numberFonts); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Read_UINT16(s, textFlags); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsB); /* pad4OctetsB (4 bytes) */\n\tStream_Read_UINT32(s, desktopSaveSize); /* desktopSaveSize (4 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsC); /* pad2OctetsC (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsD); /* pad2OctetsD (2 bytes) */\n\tStream_Read_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsE); /* pad2OctetsE (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad4OctetsA: 0x%08\" PRIX32 \"\", pad4OctetsA);\n\tWLog_INFO(TAG, \"\\tdesktopSaveXGranularity: 0x%04\" PRIX16 \"\", desktopSaveXGranularity);\n\tWLog_INFO(TAG, \"\\tdesktopSaveYGranularity: 0x%04\" PRIX16 \"\", desktopSaveYGranularity);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tmaximumOrderLevel: 0x%04\" PRIX16 \"\", maximumOrderLevel);\n\tWLog_INFO(TAG, \"\\tnumberFonts: 0x%04\" PRIX16 \"\", numberFonts);\n\tWLog_INFO(TAG, \"\\torderFlags: 0x%04\" PRIX16 \"\", orderFlags);\n\tWLog_INFO(TAG, \"\\torderSupport:\");\n\tWLog_INFO(TAG, \"\\t\\tDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_DSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPATBLT: %\" PRIu8 \"\", orderSupport[NEG_PATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSCRBLT: %\" PRIu8 \"\", orderSupport[NEG_SCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tATEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_ATEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tAEXTTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_AEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tDRAWNINEGRID: %\" PRIu8 \"\", orderSupport[NEG_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tLINETO: %\" PRIu8 \"\", orderSupport[NEG_LINETO_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTI_DRAWNINEGRID: %\" PRIu8 \"\",\n\t orderSupport[NEG_MULTI_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tOPAQUE_RECT: %\" PRIu8 \"\", orderSupport[NEG_OPAQUE_RECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSAVEBITMAP: %\" PRIu8 \"\", orderSupport[NEG_SAVEBITMAP_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tWTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_WTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTIDSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIPATBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTIPATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTISCRBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTISCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIOPAQUERECT: %\" PRIu8 \"\", orderSupport[NEG_MULTIOPAQUERECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_INDEX: %\" PRIu8 \"\", orderSupport[NEG_FAST_INDEX_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_SC: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_CB: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYLINE: %\" PRIu8 \"\", orderSupport[NEG_POLYLINE_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED23: %\" PRIu8 \"\", orderSupport[NEG_UNUSED23_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_GLYPH: %\" PRIu8 \"\", orderSupport[NEG_FAST_GLYPH_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_SC: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_CB: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_INDEX: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_INDEX_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WEXTTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_WEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGEXTTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED31: %\" PRIu8 \"\", orderSupport[NEG_UNUSED31_INDEX]);\n\tWLog_INFO(TAG, \"\\ttextFlags: 0x%04\" PRIX16 \"\", textFlags);\n\tWLog_INFO(TAG, \"\\torderSupportExFlags: 0x%04\" PRIX16 \"\", orderSupportExFlags);\n\tWLog_INFO(TAG, \"\\tpad4OctetsB: 0x%08\" PRIX32 \"\", pad4OctetsB);\n\tWLog_INFO(TAG, \"\\tdesktopSaveSize: 0x%08\" PRIX32 \"\", desktopSaveSize);\n\tWLog_INFO(TAG, \"\\tpad2OctetsC: 0x%04\" PRIX16 \"\", pad2OctetsC);\n\tWLog_INFO(TAG, \"\\tpad2OctetsD: 0x%04\" PRIX16 \"\", pad2OctetsD);\n\tWLog_INFO(TAG, \"\\ttextANSICodePage: 0x%04\" PRIX16 \"\", textANSICodePage);\n\tWLog_INFO(TAG, \"\\tpad2OctetsE: 0x%04\" PRIX16 \"\", pad2OctetsE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 314984488369612595242281546417973409324, "size": 94, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409634 }, { "func": "static BOOL rdp_write_bitmap_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE drawingFlags = 0;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->DrawAllowSkipAlpha)\n\t\tdrawingFlags |= DRAW_ALLOW_SKIP_ALPHA;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tdrawingFlags |= DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tdrawingFlags |= DRAW_ALLOW_COLOR_SUBSAMPLING; /* currently unimplemented */\n\n\t/* While bitmap_decode.c now implements YCoCg, in turning it\n\t * on we have found Microsoft is inconsistent on whether to invert R & B.\n\t * And it's not only from one server to another; on Win7/2008R2, it appears\n\t * to send the main content with a different inversion than the Windows\n\t * button! So... don't advertise that we support YCoCg and the server\n\t * will not send it. YCoCg is still needed for EGFX, but it at least\n\t * appears consistent in its use.\n\t */\n\n\tif ((settings->ColorDepth > UINT16_MAX) || (settings->DesktopWidth > UINT16_MAX) ||\n\t (settings->DesktopHeight > UINT16_MAX) || (settings->DesktopResize > UINT16_MAX))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tpreferredBitsPerPixel = (UINT16)settings->ColorDepth;\n\telse\n\t\tpreferredBitsPerPixel = 8;\n\n\tStream_Write_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive1BitPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopResize); /* desktopResizeFlag (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* highColorFlags (1 byte) */\n\tStream_Write_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Write_UINT16(s, 1); /* multipleRectangleSupport (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsB (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 214825058683404299590112235974415655493, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409633 }, { "func": "static void rdp_read_capability_set_header(wStream* s, UINT16* length, UINT16* type)\n{\n\tStream_Read_UINT16(s, *type); /* capabilitySetType */\n\tStream_Read_UINT16(s, *length); /* lengthCapability */\n}", "project": "FreeRDP", "hash": 80707266597010700872327549120082707400, "size": 5, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409594 }, { "func": "static BOOL rdp_write_bitmap_codecs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE bitmapCodecCount;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tbitmapCodecCount = 0;\n\n\tif (settings->RemoteFxCodec)\n\t\tbitmapCodecCount++;\n\n\tif (settings->NSCodec)\n\t\tbitmapCodecCount++;\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t\tbitmapCodecCount++;\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t\tbitmapCodecCount++;\n\n\tStream_Write_UINT8(s, bitmapCodecCount);\n\n\tif (settings->RemoteFxCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->NSCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_NSCODEC); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_nsc_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_NSCODEC); /* codecID */\n\n\t\t\tif (!rdp_write_nsc_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_JPEG); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_jpeg_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_JPEG); /* codecID */\n\n\t\t\tif (!rdp_write_jpeg_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_IMAGE_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_IMAGE_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CODECS);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 332928462654213428990596858954074010072, "size": 116, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409660 }, { "func": "static BOOL rdp_write_jpeg_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, settings->JpegQuality);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 230066296694265455843662918473236864709, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409664 }, { "func": "static void rdp_read_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Read_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Read_UINT16(s,\n\t cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}", "project": "FreeRDP", "hash": 45805913852648643995751491508146469984, "size": 6, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409666 }, { "func": "static BOOL rdp_read_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s,\n\t settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\n\tif ((drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED) ||\n\t (drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED_V2))\n\t\tsettings->DrawNineGridEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 40633978534520824703644583410869744929, "size": 19, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409632 }, { "func": "static BOOL rdp_print_desktop_composition_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 compDeskSupportLevel;\n\tWLog_INFO(TAG, \"DesktopCompositionCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcompDeskSupportLevel: 0x%04\" PRIX16 \"\", compDeskSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 210379168711159173994520293055281545595, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409641 }, { "func": "static void rdp_write_bitmap_codec_guid(wStream* s, const GUID* guid)\n{\n\tBYTE g[16];\n\tg[0] = guid->Data1 & 0xFF;\n\tg[1] = (guid->Data1 >> 8) & 0xFF;\n\tg[2] = (guid->Data1 >> 16) & 0xFF;\n\tg[3] = (guid->Data1 >> 24) & 0xFF;\n\tg[4] = (guid->Data2) & 0xFF;\n\tg[5] = (guid->Data2 >> 8) & 0xFF;\n\tg[6] = (guid->Data3) & 0xFF;\n\tg[7] = (guid->Data3 >> 8) & 0xFF;\n\tg[8] = guid->Data4[0];\n\tg[9] = guid->Data4[1];\n\tg[10] = guid->Data4[2];\n\tg[11] = guid->Data4[3];\n\tg[12] = guid->Data4[4];\n\tg[13] = guid->Data4[5];\n\tg[14] = guid->Data4[6];\n\tg[15] = guid->Data4[7];\n\tStream_Write(s, g, 16);\n}", "project": "FreeRDP", "hash": 325767040754059587070181348175035488638, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409668 }, { "func": "static BOOL rdp_print_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawGdiPlusSupportLevel;\n\tUINT32 GdipVersion;\n\tUINT32 drawGdiplusCacheLevel;\n\tWLog_INFO(TAG, \"DrawGdiPlusCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGdiPlusSupportLevel); /* drawGdiPlusSupportLevel (4 bytes) */\n\tStream_Read_UINT32(s, GdipVersion); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiPlusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 2012687523423089845955647994143606739, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409644 }, { "func": "static BOOL rdp_write_glyph_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->GlyphSupportLevel > UINT16_MAX)\n\t\treturn FALSE;\n\t/* glyphCache (40 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_write_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GLYPH_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 147467838726629004619531519247747352656, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409653 }, { "func": "BOOL rdp_recv_demand_active(rdpRdp* rdp, wStream* s)\n{\n\tUINT16 channelId;\n\tUINT16 pduType;\n\tUINT16 pduLength;\n\tUINT16 pduSource;\n\tUINT16 length;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\n\tif (!rdp_recv_get_active_header(rdp, s, &channelId, &length))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_share_control_header failed\");\n\t\treturn FALSE;\n\t}\n\n\tif (pduType == PDU_TYPE_DATA)\n\t{\n\t\t/**\n\t\t * We can receive a Save Session Info Data PDU containing a LogonErrorInfo\n\t\t * structure at this point from the server to indicate a connection error.\n\t\t */\n\t\tif (rdp_recv_data_pdu(rdp, s) < 0)\n\t\t\treturn FALSE;\n\n\t\treturn FALSE;\n\t}\n\n\tif (pduType != PDU_TYPE_DEMAND_ACTIVE)\n\t{\n\t\tif (pduType != PDU_TYPE_SERVER_REDIRECTION)\n\t\t\tWLog_ERR(TAG, \"expected PDU_TYPE_DEMAND_ACTIVE %04x, got %04\" PRIx16 \"\",\n\t\t\t PDU_TYPE_DEMAND_ACTIVE, pduType);\n\n\t\treturn FALSE;\n\t}\n\n\trdp->settings->PduSource = pduSource;\n\n\tif (Stream_GetRemainingLength(s) < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, rdp->settings->ShareId); /* shareId (4 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (!Stream_SafeSeek(s, lengthSourceDescriptor) ||\n\t Stream_GetRemainingLength(s) < 4) /* sourceDescriptor */\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\n\t/* capabilitySets */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_capability_sets failed\");\n\t\treturn FALSE;\n\t}\n\n\tif (!Stream_SafeSeek(s, 4)) /* SessionId */\n\t\treturn FALSE;\n\n\trdp->update->secondary->glyph_v2 = (rdp->settings->GlyphSupportLevel > GLYPH_SUPPORT_FULL);\n\treturn tpkt_ensure_stream_consumed(s, length);\n}", "project": "FreeRDP", "hash": 44339431169826735119172547471406906347, "size": 73, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409604 }, { "func": "static BOOL rdp_read_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE bitmapCacheV3CodecId;\n\n\tWINPR_UNUSED(settings);\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 86826559054972396148544906904831060639, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409658 }, { "func": "static BOOL rdp_print_glyph_cache_capability_set(wStream* s, UINT16 length)\n{\n\tGLYPH_CACHE_DEFINITION glyphCache[10];\n\tGLYPH_CACHE_DEFINITION fragCache;\n\tUINT16 glyphSupportLevel;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"GlyphCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[0]); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[1]); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[2]); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[3]); /* glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[4]); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[5]); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[6]); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[7]); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[8]); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[9]); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, &fragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, glyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tglyphCache0: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[0].cacheEntries, glyphCache[0].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache1: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[1].cacheEntries, glyphCache[1].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache2: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[2].cacheEntries, glyphCache[2].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache3: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[3].cacheEntries, glyphCache[3].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache4: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[4].cacheEntries, glyphCache[4].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache5: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[5].cacheEntries, glyphCache[5].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache6: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[6].cacheEntries, glyphCache[6].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache7: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[7].cacheEntries, glyphCache[7].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache8: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[8].cacheEntries, glyphCache[8].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache9: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[9].cacheEntries, glyphCache[9].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tfragCache: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t fragCache.cacheEntries, fragCache.cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphSupportLevel: 0x%04\" PRIX16 \"\", glyphSupportLevel);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 327012898936376103726124817366633874691, "size": 51, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409630 }, { "func": "static BOOL rdp_print_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 10)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"PointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorPointerFlag: 0x%04\" PRIX16 \"\", colorPointerFlag);\n\tWLog_INFO(TAG, \"\\tcolorPointerCacheSize: 0x%04\" PRIX16 \"\", colorPointerCacheSize);\n\tWLog_INFO(TAG, \"\\tpointerCacheSize: 0x%04\" PRIX16 \"\", pointerCacheSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 303759523317706528285641459907488762007, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409662 }, { "func": "static BOOL rdp_write_font_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, FONTSUPPORT_FONTLIST); /* fontSupportFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FONT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 77739938369199003807908763104333147952, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409669 }, { "func": "static BOOL rdp_read_share_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* nodeId (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 110630546321384895699149838140537479494, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409686 }, { "func": "static void rdp_read_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tStream_Read_UINT32(s, info);\n\tcellInfo->numEntries = (info & 0x7FFFFFFF);\n\tcellInfo->persistent = (info & 0x80000000) ? 1 : 0;\n}", "project": "FreeRDP", "hash": 243003567530089132513265118318891886949, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409578 }, { "func": "static BOOL rdp_print_control_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 controlFlags;\n\tUINT16 remoteDetachFlag;\n\tUINT16 controlInterest;\n\tUINT16 detachInterest;\n\tWLog_INFO(TAG, \"ControlCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, controlFlags); /* controlFlags (2 bytes) */\n\tStream_Read_UINT16(s, remoteDetachFlag); /* remoteDetachFlag (2 bytes) */\n\tStream_Read_UINT16(s, controlInterest); /* controlInterest (2 bytes) */\n\tStream_Read_UINT16(s, detachInterest); /* detachInterest (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcontrolFlags: 0x%04\" PRIX16 \"\", controlFlags);\n\tWLog_INFO(TAG, \"\\tremoteDetachFlag: 0x%04\" PRIX16 \"\", remoteDetachFlag);\n\tWLog_INFO(TAG, \"\\tcontrolInterest: 0x%04\" PRIX16 \"\", controlInterest);\n\tWLog_INFO(TAG, \"\\tdetachInterest: 0x%04\" PRIX16 \"\", detachInterest);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 112568296590823747751147846820589701696, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409670 }, { "func": "static BOOL rdp_write_multifragment_update_capability_set(wStream* s, rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\tif (settings->ServerMode && settings->MultifragMaxRequestSize == 0)\n\t{\n\t\t/**\n\t\t * In server mode we prefer to use the highest useful request size that\n\t\t * will allow us to pack a complete screen update into a single fast\n\t\t * path PDU using any of the supported codecs.\n\t\t * However, the client is completely free to accept our proposed\n\t\t * max request size or send a different value in the client-to-server\n\t\t * multi-fragment update capability set and we have to accept that,\n\t\t * unless we are using RemoteFX where the client MUST announce a value\n\t\t * greater than or equal to the value we're sending here.\n\t\t * See [MS-RDPRFX 1.5 capability #2]\n\t\t */\n\t\tUINT32 tileNumX = (settings->DesktopWidth + 63) / 64;\n\t\tUINT32 tileNumY = (settings->DesktopHeight + 63) / 64;\n\t\tsettings->MultifragMaxRequestSize = tileNumX * tileNumY * 16384;\n\t\t/* and add room for headers, regions, frame markers, etc. */\n\t\tsettings->MultifragMaxRequestSize += 16384;\n\t}\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->MultifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_MULTI_FRAGMENT_UPDATE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284673504598250299343184535298414746342, "size": 32, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409667 }, { "func": "static BOOL rdp_read_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawGDIPlusSupportLevel;\n\tUINT32 drawGdiplusCacheLevel;\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGDIPlusSupportLevel); /* drawGDIPlusSupportLevel (4 bytes) */\n\tStream_Seek_UINT32(s); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiplusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\n\tif (drawGDIPlusSupportLevel & DRAW_GDIPLUS_SUPPORTED)\n\t\tsettings->DrawGdiPlusEnabled = TRUE;\n\n\tif (drawGdiplusCacheLevel & DRAW_GDIPLUS_CACHE_LEVEL_ONE)\n\t\tsettings->DrawGdiPlusCacheEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 234991757575908276803722590129707796626, "size": 24, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409590 }, { "func": "static BOOL rdp_print_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 pad1, pad2, pad3;\n\tUINT32 pad4, pad5, pad6;\n\tUINT16 Cache0Entries;\n\tUINT16 Cache0MaximumCellSize;\n\tUINT16 Cache1Entries;\n\tUINT16 Cache1MaximumCellSize;\n\tUINT16 Cache2Entries;\n\tUINT16 Cache2MaximumCellSize;\n\tWLog_INFO(TAG, \"BitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, pad1); /* pad1 (4 bytes) */\n\tStream_Read_UINT32(s, pad2); /* pad2 (4 bytes) */\n\tStream_Read_UINT32(s, pad3); /* pad3 (4 bytes) */\n\tStream_Read_UINT32(s, pad4); /* pad4 (4 bytes) */\n\tStream_Read_UINT32(s, pad5); /* pad5 (4 bytes) */\n\tStream_Read_UINT32(s, pad6); /* pad6 (4 bytes) */\n\tStream_Read_UINT16(s, Cache0Entries); /* Cache0Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache0MaximumCellSize); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache1Entries); /* Cache1Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache1MaximumCellSize); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache2Entries); /* Cache2Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache2MaximumCellSize); /* Cache2MaximumCellSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad1: 0x%08\" PRIX32 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%08\" PRIX32 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tpad3: 0x%08\" PRIX32 \"\", pad3);\n\tWLog_INFO(TAG, \"\\tpad4: 0x%08\" PRIX32 \"\", pad4);\n\tWLog_INFO(TAG, \"\\tpad5: 0x%08\" PRIX32 \"\", pad5);\n\tWLog_INFO(TAG, \"\\tpad6: 0x%08\" PRIX32 \"\", pad6);\n\tWLog_INFO(TAG, \"\\tCache0Entries: 0x%04\" PRIX16 \"\", Cache0Entries);\n\tWLog_INFO(TAG, \"\\tCache0MaximumCellSize: 0x%04\" PRIX16 \"\", Cache0MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache1Entries: 0x%04\" PRIX16 \"\", Cache1Entries);\n\tWLog_INFO(TAG, \"\\tCache1MaximumCellSize: 0x%04\" PRIX16 \"\", Cache1MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache2Entries: 0x%04\" PRIX16 \"\", Cache2Entries);\n\tWLog_INFO(TAG, \"\\tCache2MaximumCellSize: 0x%04\" PRIX16 \"\", Cache2MaximumCellSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 263214705750533080366269336572526014100, "size": 41, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409574 }, { "func": "static BOOL rdp_read_bitmap_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE drawingFlags;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 desktopResizeFlag;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive1BitPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Seek_UINT8(s); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Seek_UINT16(s); /* multipleRectangleSupport (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsB (2 bytes) */\n\n\tif (!settings->ServerMode && (preferredBitsPerPixel != settings->ColorDepth))\n\t{\n\t\t/* The client must respect the actual color depth used by the server */\n\t\tsettings->ColorDepth = preferredBitsPerPixel;\n\t}\n\n\tif (desktopResizeFlag == FALSE)\n\t\tsettings->DesktopResize = FALSE;\n\n\tif (!settings->ServerMode && settings->DesktopResize)\n\t{\n\t\t/* The server may request a different desktop size during Deactivation-Reactivation sequence\n\t\t */\n\t\tsettings->DesktopWidth = desktopWidth;\n\t\tsettings->DesktopHeight = desktopHeight;\n\t}\n\n\tif (settings->DrawAllowSkipAlpha)\n\t\tsettings->DrawAllowSkipAlpha = (drawingFlags & DRAW_ALLOW_SKIP_ALPHA) ? TRUE : FALSE;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tsettings->DrawAllowDynamicColorFidelity =\n\t\t (drawingFlags & DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY) ? TRUE : FALSE;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tsettings->DrawAllowColorSubsampling =\n\t\t (drawingFlags & DRAW_ALLOW_COLOR_SUBSAMPLING) ? TRUE : FALSE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 32241820168842739652588766287689298066, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409605 }, { "func": "static BOOL rdp_read_large_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 largePointerSupportFlags;\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tsettings->LargePointerFlag =\n\t largePointerSupportFlags & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tif ((largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384)) != 0)\n\t{\n\t\tWLog_WARN(\n\t\t TAG,\n\t\t \"TS_LARGE_POINTER_CAPABILITYSET with unsupported flags %04X (all flags %04X) received\",\n\t\t largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384),\n\t\t largePointerSupportFlags);\n\t}\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 31411261199554286081134639045069445801, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409617 }, { "func": "static BOOL rdp_print_virtual_channel_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\tWLog_INFO(TAG, \"VirtualChannelCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tWLog_INFO(TAG, \"\\tflags: 0x%08\" PRIX32 \"\", flags);\n\tWLog_INFO(TAG, \"\\tVCChunkSize: 0x%08\" PRIX32 \"\", VCChunkSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284706245349848953715070998125660485821, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409583 }, { "func": "static BOOL rdp_print_surface_commands_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 cmdFlags;\n\tUINT32 reserved;\n\tWLog_INFO(TAG, \"SurfaceCommandsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Read_UINT32(s, reserved); /* reserved (4 bytes) */\n\tWLog_INFO(TAG, \"\\tcmdFlags: 0x%08\" PRIX32 \"\", cmdFlags);\n\tWLog_INFO(TAG, \"\\treserved: 0x%08\" PRIX32 \"\", reserved);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 201233689125804826922744190824697797071, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409607 }, { "func": "static BOOL rdp_read_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\t/* pointerCacheSize is optional */\n\tif (length >= 10)\n\t\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\telse\n\t\tpointerCacheSize = 0;\n\n\tif (colorPointerFlag == FALSE)\n\t\tsettings->ColorPointerFlag = FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tsettings->PointerCacheSize = pointerCacheSize;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 298168098402171989438387105409127129458, "size": 28, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409622 }, { "func": "static BOOL rdp_read_bitmap_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* pad1 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad2 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad3 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad4 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad5 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad6 (4 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2MaximumCellSize (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126632303879958348471370508278569584777, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409687 } ] }, { "call_depth": 3, "longest_call_chain": [ "irda_connect", "irda_discover_daddr_and_lsap_sel", "irda_find_lsap_sel" ], "group_size": 3, "functions": [ { "func": "static int irda_connect(struct socket *sock, struct sockaddr *uaddr,\n\t\t\tint addr_len, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sockaddr_irda *addr = (struct sockaddr_irda *) uaddr;\n\tstruct irda_sock *self = irda_sk(sk);\n\tint err;\n\n\tIRDA_DEBUG(2, \"%s(%p)\\n\", __func__, self);\n\n\t/* Don't allow connect for Ultra sockets */\n\tif ((sk->sk_type == SOCK_DGRAM) && (sk->sk_protocol == IRDAPROTO_ULTRA))\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tif (sk->sk_state == TCP_ESTABLISHED && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_CONNECTED;\n\t\treturn 0; /* Connect completed during a ERESTARTSYS event */\n\t}\n\n\tif (sk->sk_state == TCP_CLOSE && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\treturn -ECONNREFUSED;\n\t}\n\n\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\treturn -EISCONN; /* No reconnect on a seqpacket socket */\n\n\tsk->sk_state = TCP_CLOSE;\n\tsock->state = SS_UNCONNECTED;\n\n\tif (addr_len != sizeof(struct sockaddr_irda))\n\t\treturn -EINVAL;\n\n\t/* Check if user supplied any destination device address */\n\tif ((!addr->sir_addr) || (addr->sir_addr == DEV_ADDR_ANY)) {\n\t\t/* Try to find one suitable */\n\t\terr = irda_discover_daddr_and_lsap_sel(self, addr->sir_name);\n\t\tif (err) {\n\t\t\tIRDA_DEBUG(0, \"%s(), auto-connect failed!\\n\", __func__);\n\t\t\treturn err;\n\t\t}\n\t} else {\n\t\t/* Use the one provided by the user */\n\t\tself->daddr = addr->sir_addr;\n\t\tIRDA_DEBUG(1, \"%s(), daddr = %08x\\n\", __func__, self->daddr);\n\n\t\t/* If we don't have a valid service name, we assume the\n\t\t * user want to connect on a specific LSAP. Prevent\n\t\t * the use of invalid LSAPs (IrLMP 1.1 p10). Jean II */\n\t\tif((addr->sir_name[0] != '\\0') ||\n\t\t (addr->sir_lsap_sel >= 0x70)) {\n\t\t\t/* Query remote LM-IAS using service name */\n\t\t\terr = irda_find_lsap_sel(self, addr->sir_name);\n\t\t\tif (err) {\n\t\t\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\t\t\treturn err;\n\t\t\t}\n\t\t} else {\n\t\t\t/* Directly connect to the remote LSAP\n\t\t\t * specified by the sir_lsap field.\n\t\t\t * Please use with caution, in IrDA LSAPs are\n\t\t\t * dynamic and there is no \"well-known\" LSAP. */\n\t\t\tself->dtsap_sel = addr->sir_lsap_sel;\n\t\t}\n\t}\n\n\t/* Check if we have opened a local TSAP */\n\tif (!self->tsap)\n\t\tirda_open_tsap(self, LSAP_ANY, addr->sir_name);\n\n\t/* Move to connecting socket, start sending Connect Requests */\n\tsock->state = SS_CONNECTING;\n\tsk->sk_state = TCP_SYN_SENT;\n\n\t/* Connect to remote device */\n\terr = irttp_connect_request(self->tsap, self->dtsap_sel,\n\t\t\t\t self->saddr, self->daddr, NULL,\n\t\t\t\t self->max_sdu_size_rx, NULL);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\treturn err;\n\t}\n\n\t/* Now the loop */\n\tif (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))\n\t\treturn -EINPROGRESS;\n\n\tif (wait_event_interruptible(*(sk->sk_sleep),\n\t\t\t\t (sk->sk_state != TCP_SYN_SENT)))\n\t\treturn -ERESTARTSYS;\n\n\tif (sk->sk_state != TCP_ESTABLISHED) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\terr = sock_error(sk);\n\t\treturn err? err : -ECONNRESET;\n\t}\n\n\tsock->state = SS_CONNECTED;\n\n\t/* At this point, IrLMP has assigned our source address */\n\tself->saddr = irttp_get_saddr(self->tsap);\n\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 178099908447917320051948600173125641407, "size": 104, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490851 }, { "func": "static int irda_discover_daddr_and_lsap_sel(struct irda_sock *self, char *name)\n{\n\tdiscinfo_t *discoveries;\t/* Copy of the discovery log */\n\tint\tnumber;\t\t\t/* Number of nodes in the log */\n\tint\ti;\n\tint\terr = -ENETUNREACH;\n\t__u32\tdaddr = DEV_ADDR_ANY;\t/* Address we found the service on */\n\t__u8\tdtsap_sel = 0x0;\t/* TSAP associated with it */\n\n\tIRDA_DEBUG(2, \"%s(), name=%s\\n\", __func__, name);\n\n\t/* Ask lmp for the current discovery log\n\t * Note : we have to use irlmp_get_discoveries(), as opposed\n\t * to play with the cachelog directly, because while we are\n\t * making our ias query, le log might change... */\n\tdiscoveries = irlmp_get_discoveries(&number, self->mask.word,\n\t\t\t\t\t self->nslots);\n\t/* Check if the we got some results */\n\tif (discoveries == NULL)\n\t\treturn -ENETUNREACH;\t/* No nodes discovered */\n\n\t/*\n\t * Now, check all discovered devices (if any), and connect\n\t * client only about the services that the client is\n\t * interested in...\n\t */\n\tfor(i = 0; i < number; i++) {\n\t\t/* Try the address in the log */\n\t\tself->daddr = discoveries[i].daddr;\n\t\tself->saddr = 0x0;\n\t\tIRDA_DEBUG(1, \"%s(), trying daddr = %08x\\n\",\n\t\t\t __func__, self->daddr);\n\n\t\t/* Query remote LM-IAS for this service */\n\t\terr = irda_find_lsap_sel(self, name);\n\t\tswitch (err) {\n\t\tcase 0:\n\t\t\t/* We found the requested service */\n\t\t\tif(daddr != DEV_ADDR_ANY) {\n\t\t\t\tIRDA_DEBUG(1, \"%s(), discovered service ''%s'' in two different devices !!!\\n\",\n\t\t\t\t\t __func__, name);\n\t\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\t\tkfree(discoveries);\n\t\t\t\treturn(-ENOTUNIQ);\n\t\t\t}\n\t\t\t/* First time we found that one, save it ! */\n\t\t\tdaddr = self->daddr;\n\t\t\tdtsap_sel = self->dtsap_sel;\n\t\t\tbreak;\n\t\tcase -EADDRNOTAVAIL:\n\t\t\t/* Requested service simply doesn't exist on this node */\n\t\t\tbreak;\n\t\tdefault:\n\t\t\t/* Something bad did happen :-( */\n\t\t\tIRDA_DEBUG(0, \"%s(), unexpected IAS query failure\\n\", __func__);\n\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\tkfree(discoveries);\n\t\t\treturn(-EHOSTUNREACH);\n\t\t\tbreak;\n\t\t}\n\t}\n\t/* Cleanup our copy of the discovery log */\n\tkfree(discoveries);\n\n\t/* Check out what we found */\n\tif(daddr == DEV_ADDR_ANY) {\n\t\tIRDA_DEBUG(1, \"%s(), cannot discover service ''%s'' in any device !!!\\n\",\n\t\t\t __func__, name);\n\t\tself->daddr = DEV_ADDR_ANY;\n\t\treturn(-EADDRNOTAVAIL);\n\t}\n\n\t/* Revert back to discovered device & service */\n\tself->daddr = daddr;\n\tself->saddr = 0x0;\n\tself->dtsap_sel = dtsap_sel;\n\n\tIRDA_DEBUG(1, \"%s(), discovered requested service ''%s'' at address %08x\\n\",\n\t\t __func__, name, self->daddr);\n\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 318581748965276480005084377565136724550, "size": 82, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490850 }, { "func": "static int irda_find_lsap_sel(struct irda_sock *self, char *name)\n{\n\tIRDA_DEBUG(2, \"%s(%p, %s)\\n\", __func__, self, name);\n\n\tif (self->iriap) {\n\t\tIRDA_WARNING(\"%s(): busy with a previous query\\n\",\n\t\t\t __func__);\n\t\treturn -EBUSY;\n\t}\n\n\tself->iriap = iriap_open(LSAP_ANY, IAS_CLIENT, self,\n\t\t\t\t irda_getvalue_confirm);\n\tif(self->iriap == NULL)\n\t\treturn -ENOMEM;\n\n\t/* Treat unexpected wakeup as disconnect */\n\tself->errno = -EHOSTUNREACH;\n\n\t/* Query remote LM-IAS */\n\tiriap_getvaluebyclass_request(self->iriap, self->saddr, self->daddr,\n\t\t\t\t name, \"IrDA:TinyTP:LsapSel\");\n\n\t/* Wait for answer, if not yet finished (or failed) */\n\tif (wait_event_interruptible(self->query_wait, (self->iriap==NULL)))\n\t\t/* Treat signals as disconnect */\n\t\treturn -EHOSTUNREACH;\n\n\t/* Check what happened */\n\tif (self->errno)\n\t{\n\t\t/* Requested object/attribute doesn't exist */\n\t\tif((self->errno == IAS_CLASS_UNKNOWN) ||\n\t\t (self->errno == IAS_ATTRIB_UNKNOWN))\n\t\t\treturn (-EADDRNOTAVAIL);\n\t\telse\n\t\t\treturn (-EHOSTUNREACH);\n\t}\n\n\t/* Get the remote TSAP selector */\n\tswitch (self->ias_result->type) {\n\tcase IAS_INTEGER:\n\t\tIRDA_DEBUG(4, \"%s() int=%d\\n\",\n\t\t\t __func__, self->ias_result->t.integer);\n\n\t\tif (self->ias_result->t.integer != -1)\n\t\t\tself->dtsap_sel = self->ias_result->t.integer;\n\t\telse\n\t\t\tself->dtsap_sel = 0;\n\t\tbreak;\n\tdefault:\n\t\tself->dtsap_sel = 0;\n\t\tIRDA_DEBUG(0, \"%s(), bad type!\\n\", __func__);\n\t\tbreak;\n\t}\n\tif (self->ias_result)\n\t\tirias_delete_value(self->ias_result);\n\n\tif (self->dtsap_sel)\n\t\treturn 0;\n\n\treturn -EADDRNOTAVAIL;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 165698805698786493552979841809667640579, "size": 62, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490844 } ] }, { "call_depth": 3, "longest_call_chain": [ "php_openssl_csr_free", "X509_REQ_free", "CSRequest" ], "group_size": 3, "functions": [ { "func": "static void php_openssl_csr_free(zend_resource *rsrc)\n{\n\tX509_REQ * csr = (X509_REQ*)rsrc->ptr;\n\tX509_REQ_free(csr);\n}", "project": "php-src", "hash": 203588433657896308178929799818659920108, "size": 5, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291401 }, { "func": " explicit CSRequest(X509_REQ *csr) : m_csr(csr) {\n assertx(m_csr);\n }", "project": "hhvm", "hash": 185152408263537532527205151501544474583, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219423 }, { "func": " ~CSRequest() override {\n // X509_REQ_free(nullptr) is a no-op\n X509_REQ_free(m_csr);\n }", "project": "hhvm", "hash": 172788866518608369448304811034265826884, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219893 } ] }, { "call_depth": 4, "longest_call_chain": [ "crypto_get_certificate_data", "crypto_cert_fingerprint", "crypto_cert_fingerprint_by_hash", "crypto_cert_hash" ], "group_size": 9, "functions": [ { "func": "char* crypto_cert_issuer(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_issuer_name(xcert));\n}", "project": "FreeRDP", "hash": 205497471462573990909815156371579244197, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473452 }, { "func": "char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)\n{\n\tUINT32 fp_len, i;\n\tBYTE* fp;\n\tchar* p;\n\tchar* fp_buffer;\n\n\tfp = crypto_cert_hash(xcert, hash, &fp_len);\n\tif (!fp)\n\t\treturn NULL;\n\n\tfp_buffer = calloc(fp_len * 3 + 1, sizeof(char));\n\tif (!fp_buffer)\n\t\tgoto fail;\n\n\tp = fp_buffer;\n\n\tfor (i = 0; i < (fp_len - 1); i++)\n\t{\n\t\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \":\", fp[i]);\n\t\tp = &fp_buffer[(i + 1) * 3];\n\t}\n\n\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \"\", fp[i]);\nfail:\n\tfree(fp);\n\n\treturn fp_buffer;\n}", "project": "FreeRDP", "hash": 137722397787957957021174819917513700282, "size": 29, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473456 }, { "func": "char* crypto_cert_fingerprint(X509* xcert)\n{\n\treturn crypto_cert_fingerprint_by_hash(xcert, \"sha256\");\n}", "project": "FreeRDP", "hash": 115650122252764947943603801708902861010, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473462 }, { "func": "static int verify_cb(int ok, X509_STORE_CTX* csc)\n{\n\tif (ok != 1)\n\t{\n\t\tint err = X509_STORE_CTX_get_error(csc);\n\t\tint derr = X509_STORE_CTX_get_error_depth(csc);\n\t\tX509* where = X509_STORE_CTX_get_current_cert(csc);\n\t\tconst char* what = X509_verify_cert_error_string(err);\n\t\tchar* name = crypto_cert_subject(where);\n\n\t\tWLog_WARN(TAG, \"Certificate verification failure '%s (%d)' at stack position %d\", what, err,\n\t\t derr);\n\t\tWLog_WARN(TAG, \"%s\", name);\n\n\t\tfree(name);\n\t}\n\treturn ok;\n}", "project": "FreeRDP", "hash": 75265801506247543146779012995879849204, "size": 18, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473427 }, { "func": "void crypto_cert_print_info(X509* xcert)\n{\n\tchar* fp;\n\tchar* issuer;\n\tchar* subject;\n\tsubject = crypto_cert_subject(xcert);\n\tissuer = crypto_cert_issuer(xcert);\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t{\n\t\tWLog_ERR(TAG, \"error computing fingerprint\");\n\t\tgoto out_free_issuer;\n\t}\n\n\tWLog_INFO(TAG, \"Certificate details:\");\n\tWLog_INFO(TAG, \"\\tSubject: %s\", subject);\n\tWLog_INFO(TAG, \"\\tIssuer: %s\", issuer);\n\tWLog_INFO(TAG, \"\\tThumbprint: %s\", fp);\n\tWLog_INFO(TAG,\n\t \"The above X.509 certificate could not be verified, possibly because you do not have \"\n\t \"the CA certificate in your certificate store, or the certificate has expired. \"\n\t \"Please look at the OpenSSL documentation on how to add a private CA to the store.\");\n\tfree(fp);\nout_free_issuer:\n\tfree(issuer);\n\tfree(subject);\n}", "project": "FreeRDP", "hash": 64076208521481089131010558823372035251, "size": 28, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473432 }, { "func": "char* crypto_cert_subject(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_subject_name(xcert));\n}", "project": "FreeRDP", "hash": 177180604460491566370377171358096486095, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473454 }, { "func": "rdpCertificateData* crypto_get_certificate_data(X509* xcert, const char* hostname, UINT16 port)\n{\n\tchar* issuer;\n\tchar* subject;\n\tchar* fp;\n\trdpCertificateData* certdata;\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t\treturn NULL;\n\n\tissuer = crypto_cert_issuer(xcert);\n\tsubject = crypto_cert_subject(xcert);\n\tcertdata = certificate_data_new(hostname, port, issuer, subject, fp);\n\tfree(subject);\n\tfree(issuer);\n\tfree(fp);\n\treturn certdata;\n}", "project": "FreeRDP", "hash": 170554719668291881438898249097327745004, "size": 19, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473455 }, { "func": "BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)\n{\n\tUINT32 fp_len = EVP_MAX_MD_SIZE;\n\tBYTE* fp;\n\tconst EVP_MD* md = EVP_get_digestbyname(hash);\n\tif (!md)\n\t\treturn NULL;\n\tif (!length)\n\t\treturn NULL;\n\tif (!xcert)\n\t\treturn NULL;\n\n\tfp = calloc(fp_len, sizeof(BYTE));\n\tif (!fp)\n\t\treturn NULL;\n\n\tif (X509_digest(xcert, md, fp, &fp_len) != 1)\n\t{\n\t\tfree(fp);\n\t\treturn NULL;\n\t}\n\n\t*length = fp_len;\n\treturn fp;\n}", "project": "FreeRDP", "hash": 258407869867369743474326334091914072928, "size": 25, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473451 }, { "func": "static char* crypto_print_name(X509_NAME* name)\n{\n\tchar* buffer = NULL;\n\tBIO* outBIO = BIO_new(BIO_s_mem());\n\n\tif (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)\n\t{\n\t\tunsigned long size = BIO_number_written(outBIO);\n\t\tbuffer = calloc(1, size + 1);\n\n\t\tif (!buffer)\n\t\t\treturn NULL;\n\n\t\tBIO_read(outBIO, buffer, size);\n\t}\n\n\tBIO_free_all(outBIO);\n\treturn buffer;\n}", "project": "FreeRDP", "hash": 89260255256165807681288006501973762861, "size": 19, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473437 } ] }, { "call_depth": 3, "longest_call_chain": [ "parallel_thread_func", "parallel_process_irp", "parallel_process_irp_close" ], "group_size": 8, "functions": [ { "func": "static UINT parallel_process_irp_device_control(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tStream_Write_UINT32(irp->output, 0); /* OutputBufferLength */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 50777945177459684828193623428436628095, "size": 5, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403463 }, { "func": "static UINT parallel_process_irp_close(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tif (close(parallel->file) < 0)\n\t{\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Zero(irp->output, 5); /* Padding(5) */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 229960397322034469489633522376896104471, "size": 12, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403460 }, { "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tUINT32 PathLength;\n\tStream_Seek(irp->input, 28);\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tStream_Read_UINT32(irp->input, PathLength);\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, (WCHAR*)Stream_Pointer(irp->input), PathLength / 2,\n\t &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 91654068438972054959889615095747233707, "size": 40, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 1, "dataset": "other", "idx": 207960 }, { "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tWCHAR* ptr;\n\tUINT32 PathLength;\n\tif (!Stream_SafeSeek(irp->input, 28))\n\t\treturn ERROR_INVALID_DATA;\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tif (Stream_GetRemainingLength(irp->input) < 4)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, PathLength);\n\tptr = (WCHAR*)Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, PathLength))\n\t\treturn ERROR_INVALID_DATA;\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, ptr, PathLength / 2, &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 213401734041482676778583216895571372326, "size": 46, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403469 }, { "func": "static UINT parallel_process_irp_write(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 len;\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tvoid* ptr;\n\tif (Stream_GetRemainingLength(irp->input) > 12)\n\t\treturn ERROR_INVALID_DATA;\n\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tif (!Stream_SafeSeek(irp->input, 20)) /* Padding */\n\t\treturn ERROR_INVALID_DATA;\n\tptr = Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, Length))\n\t\treturn ERROR_INVALID_DATA;\n\tlen = Length;\n\n\twhile (len > 0)\n\t{\n\t\tstatus = write(parallel->file, ptr, len);\n\n\t\tif (status < 0)\n\t\t{\n\t\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\t\tLength = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tStream_Seek(irp->input, status);\n\t\tlen -= status;\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\tStream_Write_UINT8(irp->output, 0); /* Padding */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 124029001936116716333431833342807537455, "size": 38, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403462 }, { "func": "static DWORD WINAPI parallel_thread_func(LPVOID arg)\n{\n\tIRP* irp;\n\twMessage message;\n\tPARALLEL_DEVICE* parallel = (PARALLEL_DEVICE*)arg;\n\tUINT error = CHANNEL_RC_OK;\n\n\twhile (1)\n\t{\n\t\tif (!MessageQueue_Wait(parallel->queue))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Wait failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!MessageQueue_Peek(parallel->queue, &message, TRUE))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Peek failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (message.id == WMQ_QUIT)\n\t\t\tbreak;\n\n\t\tirp = (IRP*)message.wParam;\n\n\t\tif ((error = parallel_process_irp(parallel, irp)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"parallel_process_irp failed with error %\" PRIu32 \"!\", error);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (error && parallel->rdpcontext)\n\t\tsetChannelError(parallel->rdpcontext, error, \"parallel_thread_func reported an error\");\n\n\tExitThread(error);\n\treturn error;\n}", "project": "FreeRDP", "hash": 175202737362833470892243463098338728512, "size": 41, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403464 }, { "func": "static UINT parallel_process_irp(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT error;\n\n\tswitch (irp->MajorFunction)\n\t{\n\t\tcase IRP_MJ_CREATE:\n\t\t\tif ((error = parallel_process_irp_create(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_create failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_CLOSE:\n\t\t\tif ((error = parallel_process_irp_close(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_close failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_READ:\n\t\t\tif ((error = parallel_process_irp_read(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_read failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_WRITE:\n\t\t\tif ((error = parallel_process_irp_write(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_write failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_DEVICE_CONTROL:\n\t\t\tif ((error = parallel_process_irp_device_control(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_device_control failed with error %\" PRIu32 \"!\",\n\t\t\t\t error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tirp->IoStatus = STATUS_NOT_SUPPORTED;\n\t\t\treturn irp->Complete(irp);\n\t\t\tbreak;\n\t}\n\n\treturn CHANNEL_RC_OK;\n}", "project": "FreeRDP", "hash": 152328085319883643300033889459899429830, "size": 60, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403465 }, { "func": "static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tBYTE* buffer = NULL;\n\tif (Stream_GetRemainingLength(irp->input) < 12)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tbuffer = (BYTE*)malloc(Length);\n\n\tif (!buffer)\n\t{\n\t\tWLog_ERR(TAG, \"malloc failed!\");\n\t\treturn CHANNEL_RC_NO_MEMORY;\n\t}\n\n\tstatus = read(parallel->file, buffer, Length);\n\n\tif (status < 0)\n\t{\n\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\tfree(buffer);\n\t\tbuffer = NULL;\n\t\tLength = 0;\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\n\tif (Length > 0)\n\t{\n\t\tif (!Stream_EnsureRemainingCapacity(irp->output, Length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Stream_EnsureRemainingCapacity failed!\");\n\t\t\tfree(buffer);\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tStream_Write(irp->output, buffer, Length);\n\t}\n\n\tfree(buffer);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 325410391065857413900691400019655670752, "size": 48, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403468 } ] }, { "call_depth": 3, "longest_call_chain": [ "rsi_indicate_pkt_to_os", "rsi_fill_rx_status", "rsi_perform_cqm" ], "group_size": 4, "functions": [ { "func": "static void rsi_perform_cqm(struct rsi_common *common,\n\t\t\t u8 *bssid,\n\t\t\t s8 rssi,\n\t\t\t struct ieee80211_vif *vif)\n{\n\ts8 last_event = common->cqm_info.last_cqm_event_rssi;\n\tint thold = common->cqm_info.rssi_thold;\n\tu32 hyst = common->cqm_info.rssi_hyst;\n\tenum nl80211_cqm_rssi_threshold_event event;\n\n\tif (rssi < thold && (last_event == 0 || rssi < (last_event - hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW;\n\telse if (rssi > thold &&\n\t\t (last_event == 0 || rssi > (last_event + hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH;\n\telse\n\t\treturn;\n\n\tcommon->cqm_info.last_cqm_event_rssi = rssi;\n\trsi_dbg(INFO_ZONE, \"CQM: Notifying event: %d\\n\", event);\n\tieee80211_cqm_rssi_notify(vif, event, rssi, GFP_KERNEL);\n\n\treturn;\n}", "project": "linux", "hash": 114860442925680819795552771010927514880, "size": 24, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461645 }, { "func": "bool rsi_is_cipher_wep(struct rsi_common *common)\n{\n\tif (((common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP104) ||\n\t (common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP40)) &&\n\t (!common->secinfo.ptk_cipher))\n\t\treturn true;\n\telse\n\t\treturn false;\n}", "project": "linux", "hash": 338508583178677526423454936430516132884, "size": 9, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461648 }, { "func": "static void rsi_fill_rx_status(struct ieee80211_hw *hw,\n\t\t\t struct sk_buff *skb,\n\t\t\t struct rsi_common *common,\n\t\t\t struct ieee80211_rx_status *rxs)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_vif *vif;\n\tstruct ieee80211_bss_conf *bss = NULL;\n\tstruct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);\n\tstruct skb_info *rx_params = (struct skb_info *)info->driver_data;\n\tstruct ieee80211_hdr *hdr;\n\tchar rssi = rx_params->rssi;\n\tu8 hdrlen = 0;\n\tu8 channel = rx_params->channel;\n\ts32 freq;\n\tint i;\n\n\thdr = ((struct ieee80211_hdr *)(skb->data));\n\thdrlen = ieee80211_hdrlen(hdr->frame_control);\n\n\tmemset(info, 0, sizeof(struct ieee80211_tx_info));\n\n\trxs->signal = -(rssi);\n\n\trxs->band = common->band;\n\n\tfreq = ieee80211_channel_to_frequency(channel, rxs->band);\n\n\tif (freq)\n\t\trxs->freq = freq;\n\n\tif (ieee80211_has_protected(hdr->frame_control)) {\n\t\tif (rsi_is_cipher_wep(common)) {\n\t\t\tmemmove(skb->data + 4, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 4);\n\t\t} else {\n\t\t\tmemmove(skb->data + 8, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 8);\n\t\t\trxs->flag |= RX_FLAG_MMIC_STRIPPED;\n\t\t}\n\t\trxs->flag |= RX_FLAG_DECRYPTED;\n\t\trxs->flag |= RX_FLAG_IV_STRIPPED;\n\t}\n\n\tfor (i = 0; i < RSI_MAX_VIFS; i++) {\n\t\tvif = adapter->vifs[i];\n\t\tif (!vif)\n\t\t\tcontinue;\n\t\tif (vif->type == NL80211_IFTYPE_STATION) {\n\t\t\tbss = &vif->bss_conf;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!bss)\n\t\treturn;\n\t/* CQM only for connected AP beacons, the RSSI is a weighted avg */\n\tif (bss->assoc && !(memcmp(bss->bssid, hdr->addr2, ETH_ALEN))) {\n\t\tif (ieee80211_is_beacon(hdr->frame_control))\n\t\t\trsi_perform_cqm(common, hdr->addr2, rxs->signal, vif);\n\t}\n\n\treturn;\n}", "project": "linux", "hash": 233364692912996660136397716324401509067, "size": 63, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461634 }, { "func": "void rsi_indicate_pkt_to_os(struct rsi_common *common,\n\t\t\t struct sk_buff *skb)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_hw *hw = adapter->hw;\n\tstruct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);\n\n\tif ((common->iface_down) || (!adapter->sc_nvifs)) {\n\t\tdev_kfree_skb(skb);\n\t\treturn;\n\t}\n\n\t/* filling in the ieee80211_rx_status flags */\n\trsi_fill_rx_status(hw, skb, common, rx_status);\n\n\tieee80211_rx_irqsafe(hw, skb);\n}", "project": "linux", "hash": 258292985604746670436233766317101138975, "size": 17, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461655 } ] }, { "call_depth": 5, "longest_call_chain": [ "usb_host_handle_packet", "do_token_in", "usb_host_handle_control", "usb_host_set_config", "usb_host_claim_interfaces" ], "group_size": 24, "functions": [ { "func": "static int usb_linux_update_endp_table(USBHostDevice *s)\n{\n uint8_t *descriptors;\n uint8_t devep, type, configuration, alt_interface;\n struct usb_ctrltransfer ct;\n int interface, ret, length, i;\n\n ct.bRequestType = USB_DIR_IN;\n ct.bRequest = USB_REQ_GET_CONFIGURATION;\n ct.wValue = 0;\n ct.wIndex = 0;\n ct.wLength = 1;\n ct.data = &configuration;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n perror(\"usb_linux_update_endp_table\");\n return 1;\n }\n\n /* in address state */\n if (configuration == 0)\n return 1;\n\n /* get the desired configuration, interface, and endpoint descriptors\n * from device description */\n descriptors = &s->descr[18];\n length = s->descr_len - 18;\n i = 0;\n\n if (descriptors[i + 1] != USB_DT_CONFIG ||\n descriptors[i + 5] != configuration) {\n dprintf(\"invalid descriptor data - configuration\\n\");\n return 1;\n }\n i += descriptors[i];\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_INTERFACE ||\n (descriptors[i + 1] == USB_DT_INTERFACE &&\n descriptors[i + 4] == 0)) {\n i += descriptors[i];\n continue;\n }\n\n interface = descriptors[i + 2];\n\n ct.bRequestType = USB_DIR_IN | USB_RECIP_INTERFACE;\n ct.bRequest = USB_REQ_GET_INTERFACE;\n ct.wValue = 0;\n ct.wIndex = interface;\n ct.wLength = 1;\n ct.data = &alt_interface;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n alt_interface = interface;\n }\n\n /* the current interface descriptor is the active interface\n * and has endpoints */\n if (descriptors[i + 3] != alt_interface) {\n i += descriptors[i];\n continue;\n }\n\n /* advance to the endpoints */\n while (i < length && descriptors[i +1] != USB_DT_ENDPOINT)\n i += descriptors[i];\n\n if (i >= length)\n break;\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_ENDPOINT)\n break;\n\n devep = descriptors[i + 2];\n switch (descriptors[i + 3] & 0x3) {\n case 0x00:\n type = USBDEVFS_URB_TYPE_CONTROL;\n break;\n case 0x01:\n type = USBDEVFS_URB_TYPE_ISO;\n break;\n case 0x02:\n type = USBDEVFS_URB_TYPE_BULK;\n break;\n case 0x03:\n type = USBDEVFS_URB_TYPE_INTERRUPT;\n break;\n default:\n dprintf(\"usb_host: malformed endpoint type\\n\");\n type = USBDEVFS_URB_TYPE_BULK;\n }\n s->endp_table[(devep & 0xf) - 1].type = type;\n s->endp_table[(devep & 0xf) - 1].halted = 0;\n\n i += descriptors[i];\n }\n }\n return 0;\n}", "project": "qemu", "hash": 294133560509132520784444631812479704822, "size": 105, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346310 }, { "func": "static int usb_host_claim_interfaces(USBHostDevice *dev, int configuration)\n{\n int dev_descr_len, config_descr_len;\n int interface, nb_interfaces, nb_configurations;\n int ret, i;\n\n if (configuration == 0) /* address state - ignore */\n return 1;\n\n dprintf(\"husb: claiming interfaces. config %d\\n\", configuration);\n\n i = 0;\n dev_descr_len = dev->descr[0];\n if (dev_descr_len > dev->descr_len)\n goto fail;\n nb_configurations = dev->descr[17];\n\n i += dev_descr_len;\n while (i < dev->descr_len) {\n dprintf(\"husb: i is %d, descr_len is %d, dl %d, dt %d\\n\", i, dev->descr_len,\n dev->descr[i], dev->descr[i+1]);\n\n if (dev->descr[i+1] != USB_DT_CONFIG) {\n i += dev->descr[i];\n continue;\n }\n config_descr_len = dev->descr[i];\n\n\tprintf(\"husb: config #%d need %d\\n\", dev->descr[i + 5], configuration); \n\n if (configuration < 0 || configuration == dev->descr[i + 5]) {\n configuration = dev->descr[i + 5];\n break;\n }\n\n i += config_descr_len;\n }\n\n if (i >= dev->descr_len) {\n fprintf(stderr, \"husb: update iface failed. no matching configuration\\n\");\n goto fail;\n }\n nb_interfaces = dev->descr[i + 4];\n\n#ifdef USBDEVFS_DISCONNECT\n /* earlier Linux 2.4 do not support that */\n {\n struct usbdevfs_ioctl ctrl;\n for (interface = 0; interface < nb_interfaces; interface++) {\n ctrl.ioctl_code = USBDEVFS_DISCONNECT;\n ctrl.ifno = interface;\n ret = ioctl(dev->fd, USBDEVFS_IOCTL, &ctrl);\n if (ret < 0 && errno != ENODATA) {\n perror(\"USBDEVFS_DISCONNECT\");\n goto fail;\n }\n }\n }\n#endif\n\n /* XXX: only grab if all interfaces are free */\n for (interface = 0; interface < nb_interfaces; interface++) {\n ret = ioctl(dev->fd, USBDEVFS_CLAIMINTERFACE, &interface);\n if (ret < 0) {\n if (errno == EBUSY) {\n printf(\"husb: update iface. device already grabbed\\n\");\n } else {\n perror(\"husb: failed to claim interface\");\n }\n fail:\n return 0;\n }\n }\n\n printf(\"husb: %d interfaces claimed for configuration %d\\n\",\n nb_interfaces, configuration);\n\n dev->ninterfaces = nb_interfaces;\n dev->configuration = configuration;\n return 1;\n}", "project": "qemu", "hash": 153735582378435081792665043612689386780, "size": 81, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346283 }, { "func": "static void set_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 1;\n}", "project": "qemu", "hash": 247708798741636311330547718736677043664, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346295 }, { "func": "static int usb_host_handle_packet(USBDevice *s, USBPacket *p)\n{\n switch(p->pid) {\n case USB_MSG_ATTACH:\n s->state = USB_STATE_ATTACHED;\n return 0;\n\n case USB_MSG_DETACH:\n s->state = USB_STATE_NOTATTACHED;\n return 0;\n\n case USB_MSG_RESET:\n s->remote_wakeup = 0;\n s->addr = 0;\n s->state = USB_STATE_DEFAULT;\n s->handle_reset(s);\n return 0;\n }\n\n /* Rest of the PIDs must match our address */\n if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)\n return USB_RET_NODEV;\n\n switch (p->pid) {\n case USB_TOKEN_SETUP:\n return do_token_setup(s, p);\n\n case USB_TOKEN_IN:\n return do_token_in(s, p);\n\n case USB_TOKEN_OUT:\n return do_token_out(s, p);\n \n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 337945081411076701300585326701484725167, "size": 37, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346317 }, { "func": "static int do_token_setup(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->len != 8)\n return USB_RET_STALL;\n \n memcpy(&s->ctrl.req, p->data, 8);\n s->ctrl.len = le16_to_cpu(s->ctrl.req.wLength);\n s->ctrl.offset = 0;\n s->ctrl.state = CTRL_STATE_SETUP;\n\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n ret = usb_host_handle_control(s, p);\n if (ret < 0)\n return ret;\n\n if (ret < s->ctrl.len)\n s->ctrl.len = ret;\n s->ctrl.state = CTRL_STATE_DATA;\n } else {\n if (s->ctrl.len == 0)\n s->ctrl.state = CTRL_STATE_ACK;\n else\n s->ctrl.state = CTRL_STATE_DATA;\n }\n\n return ret;\n}", "project": "qemu", "hash": 183077943275491077374975960370940318614, "size": 30, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346300 }, { "func": "static void async_complete(void *opaque)\n{\n USBHostDevice *s = opaque;\n AsyncURB *aurb;\n\n while (1) {\n \tUSBPacket *p;\n\n\tint r = ioctl(s->fd, USBDEVFS_REAPURBNDELAY, &aurb);\n if (r < 0) {\n if (errno == EAGAIN)\n return;\n\n if (errno == ENODEV && !s->closing) {\n printf(\"husb: device %d.%d disconnected\\n\", s->bus_num, s->addr);\n\t usb_device_del_addr(0, s->dev.addr);\n return;\n }\n\n dprintf(\"husb: async. reap urb failed errno %d\\n\", errno);\n return;\n }\n\n p = aurb->packet;\n\n\tdprintf(\"husb: async completed. aurb %p status %d alen %d\\n\", \n aurb, aurb->urb.status, aurb->urb.actual_length);\n\n\tif (p) {\n switch (aurb->urb.status) {\n case 0:\n p->len = aurb->urb.actual_length;\n if (aurb->urb.type == USBDEVFS_URB_TYPE_CONTROL)\n async_complete_ctrl(s, p);\n break;\n\n case -EPIPE:\n set_halt(s, p->devep);\n /* fall through */\n default:\n p->len = USB_RET_NAK;\n break;\n }\n\n usb_packet_complete(p);\n\t}\n\n async_free(aurb);\n }\n}", "project": "qemu", "hash": 307285342249293311693830213041718549309, "size": 50, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346323 }, { "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = 8 + s->ctrl.len;\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 312416163750000928776897162836846138475, "size": 73, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 1, "dataset": "other", "idx": 203887 }, { "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n int buffer_len;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n buffer_len = 8 + s->ctrl.len;\n if (buffer_len > sizeof(s->ctrl.buffer)) {\n\t fprintf(stderr, \"husb: ctrl buffer too small (%u > %lu)\\n\",\n\t\t buffer_len, sizeof(s->ctrl.buffer));\n\t return USB_RET_STALL;\n }\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = buffer_len;\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 135771876040172573855391231658010318081, "size": 81, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346299 }, { "func": "static int usb_host_set_address(USBHostDevice *s, int addr)\n{\n dprintf(\"husb: ctrl set addr %u\\n\", addr);\n s->dev.addr = addr;\n return 0;\n}", "project": "qemu", "hash": 113370853030229899911807824336189717767, "size": 6, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346285 }, { "func": "static int is_isoc(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].type == USBDEVFS_URB_TYPE_ISO;\n}", "project": "qemu", "hash": 245743564542705731360863902738396199787, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346309 }, { "func": "static void clear_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 0;\n}", "project": "qemu", "hash": 155880021257183729490116277729697816473, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346297 }, { "func": "static int is_halted(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].halted;\n}", "project": "qemu", "hash": 11767855805536563648164313742639211905, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346305 }, { "func": "static int ctrl_error(void)\n{\n if (errno == ETIMEDOUT)\n return USB_RET_NAK;\n else \n return USB_RET_STALL;\n}", "project": "qemu", "hash": 272773737625285826548635814501419541680, "size": 7, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346301 }, { "func": "static void async_free(AsyncURB *aurb)\n{\n qemu_free(aurb);\n}", "project": "qemu", "hash": 89699221103379724954608670537657524735, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346313 }, { "func": "static void usb_host_handle_reset(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n dprintf(\"husb: reset device %u.%u\\n\", s->bus_num, s->addr);\n\n ioctl(s->fd, USBDEVFS_RESET);\n\n usb_host_claim_interfaces(s, s->configuration);\n}", "project": "qemu", "hash": 302977581251084120225864181457936049770, "size": 10, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346298 }, { "func": "static int usb_host_set_interface(USBHostDevice *s, int iface, int alt)\n{\n struct usbdevfs_setinterface si;\n int ret;\n\n si.interface = iface;\n si.altsetting = alt;\n ret = ioctl(s->fd, USBDEVFS_SETINTERFACE, &si);\n \n dprintf(\"husb: ctrl set iface %d altset %d ret %d errno %d\\n\", \n \tiface, alt, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n\n usb_linux_update_endp_table(s);\n return 0;\n}", "project": "qemu", "hash": 230817216566451332220731094414568773639, "size": 18, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346306 }, { "func": "static int do_token_in(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n ret = usb_host_handle_control(s, p);\n if (ret == USB_RET_ASYNC)\n return USB_RET_ASYNC;\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return ret > 0 ? 0 : ret;\n }\n\n return 0;\n\n case CTRL_STATE_DATA:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(p->data, s->ctrl.buffer + s->ctrl.offset, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 274624244059630894410186848673918387785, "size": 40, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346280 }, { "func": "static void async_complete_ctrl(USBHostDevice *s, USBPacket *p)\n{\n switch(s->ctrl.state) {\n case CTRL_STATE_SETUP:\n if (p->len < s->ctrl.len)\n s->ctrl.len = p->len;\n s->ctrl.state = CTRL_STATE_DATA;\n p->len = 8;\n break;\n\n case CTRL_STATE_ACK:\n s->ctrl.state = CTRL_STATE_IDLE;\n p->len = 0;\n break;\n\n default:\n break;\n }\n}", "project": "qemu", "hash": 87659848107630241316717948393842358765, "size": 19, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346321 }, { "func": "static int usb_host_release_interfaces(USBHostDevice *s)\n{\n int ret, i;\n\n dprintf(\"husb: releasing interfaces\\n\");\n\n for (i = 0; i < s->ninterfaces; i++) {\n ret = ioctl(s->fd, USBDEVFS_RELEASEINTERFACE, &i);\n if (ret < 0) {\n perror(\"husb: failed to release interface\");\n return 0;\n }\n }\n\n return 1;\n}", "project": "qemu", "hash": 265975219865408593507728601152949169306, "size": 16, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346312 }, { "func": "static void hostdev_unlink(USBHostDevice *dev)\n{\n USBHostDevice *pdev = hostdev_list;\n USBHostDevice **prev = &hostdev_list;\n\n while (pdev) {\n\tif (pdev == dev) {\n *prev = dev->next;\n return;\n }\n\n prev = &pdev->next;\n pdev = pdev->next;\n }\n}", "project": "qemu", "hash": 77907681220802418117040092144753015476, "size": 15, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346302 }, { "func": "static int usb_host_set_config(USBHostDevice *s, int config)\n{\n usb_host_release_interfaces(s);\n\n int ret = ioctl(s->fd, USBDEVFS_SETCONFIGURATION, &config);\n \n dprintf(\"husb: ctrl set config %d ret %d errno %d\\n\", config, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n \n usb_host_claim_interfaces(s, config);\n return 0;\n}", "project": "qemu", "hash": 77581754423656411130094475642397550764, "size": 14, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346294 }, { "func": "static int usb_host_handle_data(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret;\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n urb = &aurb->urb;\n\n if (p->pid == USB_TOKEN_IN)\n \turb->endpoint = p->devep | 0x80;\n else\n \turb->endpoint = p->devep;\n\n if (is_halted(s, p->devep)) {\n\tret = ioctl(s->fd, USBDEVFS_CLEAR_HALT, &urb->endpoint);\n if (ret < 0) {\n dprintf(\"husb: failed to clear halt. ep 0x%x errno %d\\n\", \n urb->endpoint, errno);\n return USB_RET_NAK;\n }\n clear_halt(s, p->devep);\n }\n\n urb->buffer = p->data;\n urb->buffer_length = p->len;\n\n if (is_isoc(s, p->devep)) {\n /* Setup ISOC transfer */\n urb->type = USBDEVFS_URB_TYPE_ISO;\n urb->flags = USBDEVFS_URB_ISO_ASAP;\n urb->number_of_packets = 1;\n urb->iso_frame_desc[0].length = p->len;\n } else {\n /* Setup bulk transfer */\n urb->type = USBDEVFS_URB_TYPE_BULK;\n }\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: data submit. ep 0x%x len %u aurb %p\\n\", urb->endpoint, p->len, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 260559233680984221214785940519308902612, "size": 63, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346278 }, { "func": "static void usb_host_handle_destroy(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *)dev;\n\n s->closing = 1;\n\n qemu_set_fd_handler(s->fd, NULL, NULL, NULL);\n\n hostdev_unlink(s);\n\n async_complete(s);\n\n if (s->fd >= 0)\n close(s->fd);\n\n qemu_free(s);\n}", "project": "qemu", "hash": 331783873263838536495355729159893109559, "size": 17, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346276 }, { "func": "static int do_token_out(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n s->ctrl.state = CTRL_STATE_IDLE;\n /* transfer OK */\n } else {\n /* ignore additional output */\n }\n return 0;\n\n case CTRL_STATE_DATA:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(s->ctrl.buffer + s->ctrl.offset, p->data, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 102876530187197055695706708439996412226, "size": 36, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346282 } ] }, { "call_depth": 3, "longest_call_chain": [ "log", "active", "isXenonActive" ], "group_size": 6, "functions": [ { "func": "void onStrobelightSignal(int signo) {\n if (!RuntimeOption::StrobelightEnabled) {\n // Handle the signal so we don't crash, but do nothing.\n return;\n }\n\n if (signo == strobelight::kSignumCurrent) {\n // sets on only current thread\n if (rds::isFullyInitialized()) {\n // Ignore threads that are not serving requests, otherwise this segfaults\n if (!Strobelight::isXenonActive()) {\n // Do not set the flag if Xenon is actively profiling this request\n setSurpriseFlag(XenonSignalFlag);\n }\n }\n }\n\n // surpriseAll currently has an issue where the isXenonActive() check will\n // try to access s_xenonData->getIsProfiledRequest() to check if the current\n // request is profiling. The problem is that you really want to check if the\n // request t is profiling. The current thread may not even be a request thread.\n // If we ever want to start using this signal for profiling,\n // we will need to figure out how to work around that problem.\n // if (signo == strobelight::kSignumAll) {\n // // sets on ALL threads\n // Strobelight::getInstance().surpriseAll();\n // }\n}", "project": "hhvm", "hash": 275356761552801735383089492999709697288, "size": 28, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219168 }, { "func": "void Strobelight::surpriseAll() {\n RequestInfo::ExecutePerRequest(\n [] (RequestInfo* t) {\n // TODO: get a dedicated surprise flag to avoid colliding with xenon\n // Set the strobelight flag to collect a sample\n // TODO: isXenonActive() needs to check the request thread and not the\n // current thread (which may not even be a request)\n if (!isXenonActive()) {\n // Xenon has first crack at profiling requests. If a request\n // is marked as being profiled, we do not allow strobelight to\n // interfere with Xenon's profiling. In practice, collisions\n // should be extremely rare.\n t->m_reqInjectionData.setFlag(XenonSignalFlag);\n }\n }\n );\n}", "project": "hhvm", "hash": 297838356118481566379107800693703058065, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219308 }, { "func": "bool Strobelight::isXenonActive() {\n if (RuntimeOption::XenonForceAlwaysOn) {\n return true;\n }\n\n bool xenonProfiled = Xenon::getInstance().getIsProfiledRequest();\n if (xenonProfiled) {\n return true;\n }\n\n return false;\n}", "project": "hhvm", "hash": 297123363444453326010313011470616629324, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219684 }, { "func": "void Strobelight::log(c_WaitableWaitHandle* wh) const {\n if (RuntimeOption::XenonForceAlwaysOn) {\n // Disable strobelight if Xenon forced on\n // TODO remove this when strobelight has its own surpriseFlag\n return;\n }\n\n if (getSurpriseFlag(XenonSignalFlag)) {\n // TODO remove this when strobelight has its own surpriseFlag\n clearSurpriseFlag(XenonSignalFlag);\n }\n\n TRACE(1, \"Strobelight::log\\n\");\n if (active()) {\n // TODO We should filter only to hhvm samples which directly\n // caused a PMU event to fire. This is doable by storing hhvm\n // request IDs in a bpf map and checking for an entry here.\n auto bt = createBacktrace(BacktraceArgs()\n .fromWaitHandle(wh)\n // TODO\n // .withMetadata()\n .ignoreArgs());\n logToUSDT(bt);\n }\n}", "project": "hhvm", "hash": 65802561629527027805702110319424733976, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219486 }, { "func": "bool Strobelight::active() {\n if (rds::isFullyInitialized() && isXenonActive()) {\n // if Xenon owns this request, back off\n return false;\n }\n\n // return true if a USDT probe function is listening\n return FOLLY_SDT_IS_ENABLED(hhvm, hhvm_stack);\n}", "project": "hhvm", "hash": 237208956696650508551097277908650710808, "size": 9, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219288 }, { "func": "bool logToUSDT(const Array& bt) {\n std::lock_guard lock(usdt_mutex);\n\n memset(&bt_slab, 0, sizeof(bt_slab));\n\n int i = 0;\n IterateVNoInc(\n bt.get(),\n [&](TypedValue tv) -> bool {\n\n if (i >= strobelight::kMaxStackframes) {\n return true;\n }\n\n assertx(isArrayLikeType(type(tv)));\n ArrayData* bt_frame = val(tv).parr;\n strobelight::backtrace_frame_t* frame = &bt_slab.frames[i];\n\n auto const line = bt_frame->get(s_line.get());\n if (line.is_init()) {\n assertx(isIntType(type(line)));\n frame->line = val(line).num;\n }\n\n auto const file_name = bt_frame->get(s_file.get());\n if (file_name.is_init()) {\n assertx(isStringType(type(file_name)));\n strncpy(frame->file_name,\n val(file_name).pstr->data(),\n std::min(\n val(file_name).pstr->size(),\n strobelight::kFileNameMax\n ));\n frame->file_name[strobelight::kFileNameMax - 1] = '\\0';\n }\n\n auto const class_name = bt_frame->get(s_class.get());\n if (class_name.is_init()) {\n assertx(isStringType(type(class_name)));\n strncpy(frame->class_name,\n val(class_name).pstr->data(),\n std::min(\n val(class_name).pstr->size(),\n strobelight::kClassNameMax\n ));\n frame->class_name[strobelight::kClassNameMax - 1] = '\\0';\n }\n\n auto const function_name = bt_frame->get(s_function.get());\n if (function_name.is_init()) {\n assertx(isStringType(type(function_name)));\n strncpy(frame->function,\n val(function_name).pstr->data(),\n std::min(\n val(function_name).pstr->size(),\n strobelight::kFunctionMax\n ));\n frame->function[strobelight::kFunctionMax - 1] = '\\0';\n }\n\n i++;\n return false;\n }\n );\n bt_slab.len = i;\n\n // Allow BPF to read the now-formatted stacktrace\n FOLLY_SDT_WITH_SEMAPHORE(hhvm, hhvm_stack, &bt_slab);\n\n return true;\n}", "project": "hhvm", "hash": 255038990099362447895056929601605394109, "size": 71, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219687 } ] }, { "call_depth": 4, "longest_call_chain": [ "zend_throw_exception_object", "zend_throw_exception_internal", "zend_exception_error", "zend_error_va" ], "group_size": 7, "functions": [ { "func": "ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *ce_exception = Z_OBJCE_P(exception);\n\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\tzval *str, *file, *line;\n\n\t\tEG(exception) = NULL;\n\n\t\tzend_call_method_with_0_params(&exception, ce_exception, NULL, \"__tostring\", &str);\n\t\tif (!EG(exception)) {\n\t\t\tif (Z_TYPE_P(str) != IS_STRING) {\n\t\t\t\tzend_error(E_WARNING, \"%s::__toString() must return a string\", ce_exception->name);\n\t\t\t} else {\n\t\t\t\tzend_update_property_string(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, EG(exception) ? ce_exception->name : Z_STRVAL_P(str) TSRMLS_CC);\n\t\t\t}\n\t\t}\n\t\tzval_ptr_dtor(&str);\n\n\t\tif (EG(exception)) {\n\t\t\t/* do the best we can to inform about the inner exception */\n\t\t\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\t\t\tfile = zend_read_property(default_exception_ce, EG(exception), \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\t\t\tline = zend_read_property(default_exception_ce, EG(exception), \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\t\t\tconvert_to_string(file);\n\t\t\t\tfile = (Z_STRLEN_P(file) > 0) ? file : NULL;\n\t\t\t\tline = (Z_TYPE_P(line) == IS_LONG) ? line : NULL;\n\t\t\t} else {\n\t\t\t\tfile = NULL;\n\t\t\t\tline = NULL;\n\t\t\t}\n\t\t\tzend_error_va(E_WARNING, file ? Z_STRVAL_P(file) : NULL, line ? Z_LVAL_P(line) : 0, \"Uncaught %s in exception handling during call to %s::__tostring()\", Z_OBJCE_P(EG(exception))->name, ce_exception->name);\n\t\t}\n\n\t\tstr = zend_read_property(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, 1 TSRMLS_CC);\n\t\tfile = zend_read_property(default_exception_ce, exception, \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\tline = zend_read_property(default_exception_ce, exception, \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\tconvert_to_string(str);\n\t\tconvert_to_string(file);\n\t\tconvert_to_long(line);\n\n\t\tzend_error_va(severity, (Z_STRLEN_P(file) > 0) ? Z_STRVAL_P(file) : NULL, Z_LVAL_P(line), \"Uncaught %s\\n thrown\", Z_STRVAL_P(str));\n\t} else {\n\t\tzend_error(severity, \"Uncaught exception '%s'\", ce_exception->name);\n\t}\n}", "project": "php-src", "hash": 233019637263204593162642334084906168743, "size": 47, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374469 }, { "func": "ZEND_API void zend_throw_exception_object(zval *exception TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *exception_ce;\n\n\tif (exception == NULL || Z_TYPE_P(exception) != IS_OBJECT) {\n\t\tzend_error(E_ERROR, \"Need to supply an object when throwing an exception\");\n\t}\n\n\texception_ce = Z_OBJCE_P(exception);\n\n\tif (!exception_ce || !instanceof_function(exception_ce, default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Exceptions must be valid objects derived from the Exception base class\");\n\t}\n\tzend_throw_exception_internal(exception TSRMLS_CC);\n}", "project": "php-src", "hash": 168358188494444651132316427800666457773, "size": 15, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374451 }, { "func": "static void zend_error_va(int type, const char *file, uint lineno, const char *format, ...) /* {{{ */\n{\n\tva_list args;\n\n\tva_start(args, format);\n\tzend_error_cb(type, file, lineno, format, args);\n\tva_end(args);\n}", "project": "php-src", "hash": 313633724532951233240989058937036034067, "size": 8, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374463 }, { "func": "void zend_exception_restore(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tif (EG(exception)) {\n\t\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t\t} else {\n\t\t\tEG(exception) = EG(prev_exception);\n\t\t}\n\t\tEG(prev_exception) = NULL;\n\t}\n}", "project": "php-src", "hash": 65940455749340376476088943638997947991, "size": 11, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374462 }, { "func": "void zend_exception_set_previous(zval *exception, zval *add_previous TSRMLS_DC)\n{\n\tzval *previous;\n\n\tif (exception == add_previous || !add_previous || !exception) {\n\t\treturn;\n\t}\n\tif (Z_TYPE_P(add_previous) != IS_OBJECT && !instanceof_function(Z_OBJCE_P(add_previous), default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Cannot set non exception as previous exception\");\n\t\treturn;\n\t}\n\twhile (exception && exception != add_previous && Z_OBJ_HANDLE_P(exception) != Z_OBJ_HANDLE_P(add_previous)) {\n\t\tprevious = zend_read_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, 1 TSRMLS_CC);\n\t\tif (Z_TYPE_P(previous) == IS_NULL) {\n\t\t\tzend_update_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, add_previous TSRMLS_CC);\n\t\t\tZ_DELREF_P(add_previous);\n\t\t\treturn;\n\t\t}\n\t\texception = previous;\n\t}\n}", "project": "php-src", "hash": 159666285129417513959591408876495337624, "size": 21, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374466 }, { "func": "void zend_throw_exception_internal(zval *exception TSRMLS_DC) /* {{{ */\n{\n#ifdef HAVE_DTRACE\n\tif (DTRACE_EXCEPTION_THROWN_ENABLED()) {\n\t\tconst char *classname;\n\t\tzend_uint name_len;\n\n\t\tif (exception != NULL) {\n\t\t\tzend_get_object_classname(exception, &classname, &name_len TSRMLS_CC);\n\t\t\tDTRACE_EXCEPTION_THROWN((char *)classname);\n\t\t} else {\n\t\t\tDTRACE_EXCEPTION_THROWN(NULL);\n\t\t}\n\t}\n#endif /* HAVE_DTRACE */\n\n\tif (exception != NULL) {\n\t\tzval *previous = EG(exception);\n\t\tzend_exception_set_previous(exception, EG(exception) TSRMLS_CC);\n\t\tEG(exception) = exception;\n\t\tif (previous) {\n\t\t\treturn;\n\t\t}\n\t}\n\tif (!EG(current_execute_data)) {\n\t\tif(EG(exception)) {\n\t\t\tzend_exception_error(EG(exception), E_ERROR TSRMLS_CC);\n\t\t}\n\t\tzend_error(E_ERROR, \"Exception thrown without a stack frame\");\n\t}\n\n\tif (zend_throw_exception_hook) {\n\t\tzend_throw_exception_hook(exception TSRMLS_CC);\n\t}\n\n\tif (EG(current_execute_data)->opline == NULL ||\n\t (EG(current_execute_data)->opline+1)->opcode == ZEND_HANDLE_EXCEPTION) {\n\t\t/* no need to rethrow the exception */\n\t\treturn;\n\t}\n\tEG(opline_before_exception) = EG(current_execute_data)->opline;\n\tEG(current_execute_data)->opline = EG(exception_op);\n}", "project": "php-src", "hash": 247917911400170479938783393940056166910, "size": 43, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374455 }, { "func": "void zend_exception_save(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t}\n\tif (EG(exception)) {\n\t\tEG(prev_exception) = EG(exception);\n\t}\n\tEG(exception) = NULL;\n}", "project": "php-src", "hash": 116066607902918107578657479066223949823, "size": 10, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374448 } ] }, { "call_depth": 4, "longest_call_chain": [ "Open_table_context", "m_flags", "Profiler", "BindToCPU" ], "group_size": 13, "functions": [ { "func": "static long get_us_interval(struct timeval *start, struct timeval *end) {\n return (((end->tv_sec - start->tv_sec) * 1000000)\n + (end->tv_usec - start->tv_usec));\n}", "project": "hhvm", "hash": 226869654135616472232911777556010156798, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219250 }, { "func": " MachineInfo() {\n m_cpu_num = sysconf(_SC_NPROCESSORS_CONF);\n m_cpu_frequencies = get_cpu_frequency_from_file(\"/proc/cpuinfo\", m_cpu_num);\n\n if (m_cpu_frequencies)\n return;\n\n m_cpu_frequencies = new int64_t[m_cpu_num];\n for (int i = 0; i < m_cpu_num; i++) {\n cpu_set_t prev_mask;\n GET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n BindToCPU(i);\n // Make sure the current process gets scheduled to the target cpu. This\n // might not be necessary though.\n usleep(0);\n m_cpu_frequencies[i] = get_cpu_frequency();\n SET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n }\n }", "project": "hhvm", "hash": 180263000948610311410935395853679103945, "size": 19, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219057 }, { "func": "static int64_t* get_cpu_frequency_from_file(const char *file, int ncpus)\n{\n std::ifstream cpuinfo(file);\n if (cpuinfo.fail()) {\n return nullptr;\n }\n char line[MAX_LINELENGTH];\n int64_t* freqs = new int64_t[ncpus];\n for (int i = 0; i < ncpus; ++i) {\n freqs[i] = 0;\n }\n int processor = -1;\n\n while (cpuinfo.getline(line, sizeof(line))) {\n if (sscanf(line, \"processor : %d\", &processor) == 1) {\n continue;\n }\n float freq;\n if ((sscanf(line, \"cpu MHz : %f\", &freq) == 1) ||\n (sscanf(line, \"clock : %f\", &freq) == 1)) {\n if (processor != -1 && processor < ncpus) {\n freqs[processor] = nearbyint(freq);\n processor = -1;\n }\n }\n }\n for (int i = 0; i < ncpus; ++i) {\n if (freqs[i] == 0) {\n delete[] freqs;\n return nullptr;\n }\n }\n return freqs;\n}", "project": "hhvm", "hash": 248085455882707873436144105338088029488, "size": 34, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219292 }, { "func": " static void BindToCPU(uint32_t cpu_id) {\n cpu_set_t new_mask;\n CPU_ZERO(&new_mask);\n CPU_SET(cpu_id, &new_mask);\n SET_AFFINITY(0, sizeof(cpu_set_t), &new_mask);\n }", "project": "hhvm", "hash": 252561999300798108266609964241078876025, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219879 }, { "func": " explicit TraceProfiler(int flags)\n : Profiler(true)\n , m_traceBuffer(nullptr)\n , m_traceBufferSize(0)\n , m_nextTraceEntry(0)\n , m_traceBufferFilled(false)\n , m_maxTraceBuffer(0)\n , m_overflowCalls(0)\n , m_flags(flags)\n {\n if (!(m_flags & IHaveInfiniteMemory) && pthread_mutex_trylock(&s_inUse)) {\n // This profiler uses a very large amount of memory. Only allow\n // one in the process at any time.\n m_successful = false;\n } else {\n m_maxTraceBuffer = RuntimeOption::ProfilerMaxTraceBuffer;\n Extension* ext = ExtensionRegistry::get(s_hotprofiler);\n assertx(ext);\n IniSetting::Bind(ext, IniSetting::PHP_INI_ALL,\n \"profiler.max_trace_buffer\",\n &m_maxTraceBuffer);\n }\n }", "project": "hhvm", "hash": 97949173461319208565106839514492844861, "size": 23, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219466 }, { "func": " explicit HierarchicalProfiler(int flags) : Profiler(true), m_flags(flags) {\n }", "project": "hhvm", "hash": 56700908204766941970227207576771894312, "size": 2, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219660 }, { "func": "void Profiler::endAllFrames() {\n while (m_stack) {\n endFrame(nullptr, nullptr, true);\n }\n}", "project": "hhvm", "hash": 245415849160079604862531924084058340861, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219314 }, { "func": " void endAllFrames() override {\n // Nothing to do for this profiler since all work is done as we go.\n }", "project": "hhvm", "hash": 150441449384399467871760114204802685380, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219864 }, { "func": "Profiler::~Profiler() {\n if (m_has_affinity) {\n SET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n }\n\n endAllFrames();\n for (Frame *p = m_frame_free_list; p;) {\n Frame *cur = p;\n p = p->m_parent;\n delete cur;\n }\n}", "project": "hhvm", "hash": 218080934643076592466588935207842016775, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219479 }, { "func": " explicit MemoProfiler(int /*flags*/) : Profiler(true) {}", "project": "hhvm", "hash": 76196938429753322405609073721382273498, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219768 }, { "func": "static int64_t get_cpu_frequency() {\n struct timeval start;\n struct timeval end;\n\n if (gettimeofday(&start, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n uint64_t tsc_start = cpuCycles();\n uint64_t tsc_end;\n volatile int i;\n // Busy loop for 5 miliseconds. Don't use usleep() here since it causes the\n // CPU to halt which will generate meaningless results.\n do {\n for (i = 0; i < 1000000; i++);\n if (gettimeofday(&end, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n tsc_end = cpuCycles();\n } while (get_us_interval(&start, &end) < 5000);\n\n return nearbyint((tsc_end - tsc_start) * 1.0\n / (get_us_interval(&start, &end)));\n}", "project": "hhvm", "hash": 82995547803504983128639277702102155539, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219071 }, { "func": "Profiler::Profiler(bool needCPUAffinity) : m_successful(true),\n m_stack(nullptr),\n m_frame_free_list(nullptr),\n m_has_affinity(needCPUAffinity) {\n if (!s_rand_initialized) {\n s_rand_initialized = true;\n srand(math_generate_seed());\n }\n\n if (m_has_affinity) {\n //\n // Bind to a random cpu so that we can use rdtsc instruction.\n //\n int cur_cpu_id = rand() % s_machine.m_cpu_num;\n GET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n MachineInfo::BindToCPU(cur_cpu_id);\n m_MHz = s_machine.m_cpu_frequencies[cur_cpu_id];\n } else {\n //\n // Take cpu0's speed as a proxy for all cpus.\n //\n m_MHz = s_machine.m_cpu_frequencies[0];\n }\n\n memset(m_func_hash_counters, 0, sizeof(m_func_hash_counters));\n}", "project": "hhvm", "hash": 228890197525810853672696827937472522779, "size": 26, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219669 }, { "func": "Open_table_context::Open_table_context(THD *thd, uint flags)\n :m_thd(thd),\n m_failed_table(NULL),\n m_start_of_statement_svp(thd->mdl_context.mdl_savepoint()),\n m_timeout(flags & MYSQL_LOCK_IGNORE_TIMEOUT ?\n LONG_TIMEOUT : thd->variables.lock_wait_timeout),\n m_flags(flags),\n m_action(OT_NO_ACTION),\n m_has_locks(thd->mdl_context.has_locks()),\n m_has_protection_against_grl(0)\n{}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 231716104947654513237673151084075997257, "size": 11, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514562 } ] }, { "call_depth": 4, "longest_call_chain": [ "latm_dmx_process", "latm_dmx_check_pid", "latm_dmx_check_dur", "latm_dmx_sync_frame_bs" ], "group_size": 6, "functions": [ { "func": "static void latm_dmx_check_pid(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tu8 *dsi_b;\n\tu32 dsi_s, sr, timescale=0;\n\tu32 codecid;\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\t\tlatm_dmx_check_dur(filter, ctx);\n\t}\n\tif (!GF_M4ASampleRates[ctx->acfg.base_sr_index]) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[LATMDmx] Wrong sample rate in audio config, broken stream\\n\"));\n\t\tctx->in_error = GF_NON_COMPLIANT_BITSTREAM;\n\t\treturn;\n\t}\n\n\tif ((ctx->sr_idx == ctx->acfg.base_sr_index) && (ctx->nb_ch == ctx->acfg.nb_chan )\n\t\t&& (ctx->base_object_type == ctx->acfg.base_object_type) ) return;\n\n\tif (ctx->acfg.base_object_type==GF_M4A_USAC)\n\t\tcodecid = GF_CODECID_USAC;\n\telse\n\t\tcodecid = GF_CODECID_AAC_MPEG4;\n\t//copy properties at init or reconfig\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT( GF_STREAM_AUDIO));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT( codecid));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLES_PER_FRAME, & PROP_UINT(ctx->frame_size) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_UNFRAMED, & PROP_BOOL(GF_FALSE) );\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\n\tctx->nb_ch = ctx->acfg.nb_chan;\n\tctx->base_object_type = ctx->acfg.base_object_type;\n\n\tsr = GF_M4ASampleRates[ctx->acfg.base_sr_index];\n\tif (!ctx->timescale) {\n\t\t//we change sample rate, change cts\n\t\tif (ctx->cts && (ctx->sr_idx != ctx->acfg.base_sr_index)) {\n\t\t\tctx->cts *= sr;\n\t\t\tctx->cts /= GF_M4ASampleRates[ctx->sr_idx];\n\t\t}\n\t}\n\tctx->sr_idx = ctx->acfg.base_sr_index;\n\n\tctx->dts_inc = ctx->frame_size;\n\tgf_m4a_write_config(&ctx->acfg, &dsi_b, &dsi_s);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA_NO_COPY(dsi_b, dsi_s) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PROFILE_LEVEL, & PROP_UINT (ctx->acfg.audioPL) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(sr));\n\n\ttimescale = sr;\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->timescale ? ctx->timescale : timescale));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_NUM_CHANNELS, & PROP_UINT(ctx->nb_ch) );\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n}", "project": "gpac", "hash": 165495346712678193500478445775721262302, "size": 63, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271472 }, { "func": "static GFINLINE void latm_dmx_update_cts(GF_LATMDmxCtx *ctx)\n{\n\tassert(ctx->dts_inc);\n\n\tif (ctx->timescale) {\n\t\tu64 inc = ctx->dts_inc;\n\t\tinc *= ctx->timescale;\n\t\tinc /= GF_M4ASampleRates[ctx->sr_idx];\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += ctx->dts_inc;\n\t}\n}", "project": "gpac", "hash": 326400713483767484341063456654570434654, "size": 13, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271475 }, { "func": "static void latm_dmx_check_dur(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tFILE *stream;\n\tGF_BitStream *bs;\n\tGF_M4ADecSpecInfo acfg;\n\tu64 duration, cur_dur, cur_pos, rate;\n\ts32 sr_idx = -1;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tif (ctx->index<=0) {\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tctx->is_file = GF_TRUE;\n\n\tstream = gf_fopen(p->value.string, \"rb\");\n\tif (!stream) return;\n\n\tctx->index_size = 0;\n\n\tmemset(&acfg, 0, sizeof(GF_M4ADecSpecInfo));\n\n\n\tbs = gf_bs_from_file(stream, GF_BITSTREAM_READ);\n\tduration = 0;\n\tcur_dur = 0;\n\tcur_pos = gf_bs_get_position(bs);\n\twhile (latm_dmx_sync_frame_bs(bs, &acfg, 0, NULL, NULL)) {\n\t\tif ((sr_idx>=0) && (sr_idx != acfg.base_sr_index)) {\n\t\t\tduration *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tduration /= GF_M4ASampleRates[sr_idx];\n\n\t\t\tcur_dur *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tcur_dur /= GF_M4ASampleRates[sr_idx];\n\t\t}\n\t\tsr_idx = acfg.base_sr_index;\n\t\tduration += ctx->frame_size;\n\t\tcur_dur += ctx->frame_size;\n\t\tif (cur_dur > ctx->index * GF_M4ASampleRates[sr_idx]) {\n\t\t\tif (!ctx->index_alloc_size) ctx->index_alloc_size = 10;\n\t\t\telse if (ctx->index_alloc_size == ctx->index_size) ctx->index_alloc_size *= 2;\n\t\t\tctx->indexes = gf_realloc(ctx->indexes, sizeof(LATMIdx)*ctx->index_alloc_size);\n\t\t\tctx->indexes[ctx->index_size].pos = cur_pos;\n\t\t\tctx->indexes[ctx->index_size].duration = (Double) duration;\n\t\t\tctx->indexes[ctx->index_size].duration /= GF_M4ASampleRates[sr_idx];\n\t\t\tctx->index_size ++;\n\t\t\tcur_dur = 0;\n\t\t}\n\n\t\tcur_pos = gf_bs_get_position(bs);\n\t}\n\trate = gf_bs_get_position(bs);\n\tgf_bs_del(bs);\n\tgf_fclose(stream);\n\n\tif (sr_idx>=0) {\n\t\tif (!ctx->duration.num || (ctx->duration.num * GF_M4ASampleRates[sr_idx] != duration * ctx->duration.den)) {\n\t\t\tctx->duration.num = (s32) duration;\n\t\t\tctx->duration.den = GF_M4ASampleRates[sr_idx];\n\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\t\t\tif (duration && !gf_sys_is_test_mode() ) {\n\t\t\t\trate *= 8 * ctx->duration.den;\n\t\t\t\trate /= ctx->duration.num;\n\t\t\t\tctx->bitrate = (u32) rate;\n\t\t\t}\n\t\t}\n\t}\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );\n}", "project": "gpac", "hash": 268079972344018463318373147938902590521, "size": 81, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271469 }, { "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data, *output;\n\tu32 pck_size, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 129393460693122238437209841613363417813, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 1, "dataset": "other", "idx": 198278 }, { "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data=NULL, *output;\n\tu32 pck_size=0, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t} else {\n\t\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 10482263121380563115286320698149929915, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271474 }, { "func": "static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u32 *nb_bytes, u8 *buffer, u32 *nb_skipped)\n{\n\tu32 val, size;\n\tu64 pos, mux_size;\n\tif (nb_skipped) *nb_skipped = 0;\n\tif (!acfg) return 0;\n\n\twhile (gf_bs_available(bs)>3) {\n\t\tval = gf_bs_read_u8(bs);\n\t\tif (val!=0x56) {\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tval = gf_bs_read_int(bs, 3);\n\t\tif (val != 0x07) {\n\t\t\tgf_bs_read_int(bs, 5);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tmux_size = gf_bs_read_int(bs, 13);\n\t\tpos = gf_bs_get_position(bs);\n\t\tif (mux_size>gf_bs_available(bs) ) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\t/*use same stream mux*/\n\t\tif (!gf_bs_read_int(bs, 1)) {\n\t\t\tBool amux_version, amux_versionA;\n\n\t\t\tamux_version = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tamux_versionA = GF_FALSE;\n\t\t\tif (amux_version) amux_versionA = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tif (!amux_versionA) {\n\t\t\t\tu32 i, allStreamsSameTimeFraming, numProgram;\n\t\t\t\tif (amux_version) gf_latm_get_value(bs);\n\n\t\t\t\tallStreamsSameTimeFraming = gf_bs_read_int(bs, 1);\n\t\t\t\t/*numSubFrames = */gf_bs_read_int(bs, 6);\n\t\t\t\tnumProgram = gf_bs_read_int(bs, 4);\n\t\t\t\tfor (i=0; i<=numProgram; i++) {\n\t\t\t\t\tu32 j, num_lay;\n\t\t\t\t\tnum_lay = gf_bs_read_int(bs, 3);\n\t\t\t\t\tfor (j=0; j<=num_lay; j++) {\n\t\t\t\t\t\tu32 frameLengthType;\n\t\t\t\t\t\tBool same_cfg = GF_FALSE;\n\t\t\t\t\t\tif (i || j) same_cfg = (Bool)gf_bs_read_int(bs, 1);\n\n\t\t\t\t\t\tif (!same_cfg) {\n\t\t\t\t\t\t\tif (amux_version==1) gf_latm_get_value(bs);\n\t\t\t\t\t\t\tgf_m4a_parse_config(bs, acfg, GF_FALSE);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tframeLengthType = gf_bs_read_int(bs, 3);\n\t\t\t\t\t\tif (!frameLengthType) {\n\t\t\t\t\t\t\t/*latmBufferFullness = */gf_bs_read_int(bs, 8);\n\t\t\t\t\t\t\tif (!allStreamsSameTimeFraming) {\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t/*not supported*/\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t/*other data present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n//\t\t\t\t\tu32 k = 0;\n\t\t\t\t}\n\t\t\t\t/*CRCcheck present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsize = 0;\n\t\twhile (1) {\n\t\t\tu32 tmp = gf_bs_read_int(bs, 8);\n\t\t\tsize += tmp;\n\t\t\tif (tmp!=255) break;\n\t\t}\n\t\tif (gf_bs_available(bs) < size) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\tif (nb_bytes) {\n\t\t\t*nb_bytes = (u32) size;\n\t\t}\n\n\t\tif (buffer) {\n\t\t\tgf_bs_read_data(bs, (char *) buffer, size);\n\t\t} else {\n\t\t\twhile (size) {\n\t\t\t\tgf_bs_read_int(bs, 8);\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\n\t\t/*parse amux*/\n\t\tgf_bs_seek(bs, pos + mux_size);\n\n\t\tif ((gf_bs_available(bs)>2) && gf_bs_peek_bits(bs, 11, 0) != 0x2B7) {\n\t\t\tgf_bs_seek(bs, pos + 1);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 156960673027032244624743319408540723268, "size": 110, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271470 } ] }, { "call_depth": 3, "longest_call_chain": [ "mariadb_get_info", "mariadb_get_infov", "mariadb_connection" ], "group_size": 9, "functions": [ { "func": "my_bool STDCALL mariadb_get_info(MYSQL *mysql, enum mariadb_value value, void *arg)\n{\n return mariadb_get_infov(mysql, value, arg);\n}", "project": "mariadb-connector-c", "hash": 260222517558586894785283733852562791600, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429729 }, { "func": "mysql_get_socket(MYSQL *mysql)\n{\n return mariadb_get_socket(mysql);\n}", "project": "mariadb-connector-c", "hash": 72239553276577952597504120876756915746, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429694 }, { "func": "static my_socket mariadb_get_socket(MYSQL *mysql)\n{\n my_socket sock= INVALID_SOCKET;\n if (mysql->net.pvio)\n {\n ma_pvio_get_handle(mysql->net.pvio, &sock);\n\n }\n /* if an asynchronous connect is in progress, we need to obtain\n pvio handle from async_context until the connection was\n successfully established.\n */\n else if (mysql->options.extension && mysql->options.extension->async_context &&\n mysql->options.extension->async_context->pvio)\n {\n ma_pvio_get_handle(mysql->options.extension->async_context->pvio, &sock);\n }\n return sock;\n}", "project": "mariadb-connector-c", "hash": 315036384148822492369287916293424404609, "size": 19, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429745 }, { "func": "my_bool STDCALL mariadb_connection(MYSQL *mysql)\n{\n return (strstr(mysql->server_version, \"MariaDB\") ||\n strstr(mysql->server_version, \"-maria-\"));\n}", "project": "mariadb-connector-c", "hash": 115443252438559440682462900203206671459, "size": 5, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429713 }, { "func": "my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...)\n{\n va_list ap;\n\n va_start(ap, arg);\n\n switch(value) {\n case MARIADB_MAX_ALLOWED_PACKET:\n *((size_t *)arg)= (size_t)max_allowed_packet;\n break;\n case MARIADB_NET_BUFFER_LENGTH:\n *((size_t *)arg)= (size_t)net_buffer_length;\n break;\n case MARIADB_CONNECTION_ERROR_ID:\n if (!mysql)\n goto error;\n *((unsigned int *)arg)= mysql->net.last_errno;\n break;\n case MARIADB_CONNECTION_ERROR:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.last_error;\n break;\n case MARIADB_CONNECTION_SQLSTATE:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.sqlstate;\n break;\n case MARIADB_CONNECTION_TLS_VERSION:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((char **)arg)= (char *)ma_pvio_tls_get_protocol_version(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CONNECTION_TLS_VERSION_ID:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((unsigned int *)arg)= ma_pvio_tls_get_protocol_version_id(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_TLS_LIBRARY:\n#ifdef HAVE_TLS\n *((const char **)arg)= tls_library_version;\n#else\n *((const char **)arg)= \"Off\";\n#endif\n break;\n case MARIADB_CLIENT_VERSION:\n *((const char **)arg)= MARIADB_CLIENT_VERSION_STR;\n break;\n case MARIADB_CLIENT_VERSION_ID:\n *((size_t *)arg)= MARIADB_VERSION_ID;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION:\n if (mysql)\n *((char **)arg)= mysql->server_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_TYPE:\n if (mysql)\n *((const char **)arg)= mariadb_connection(mysql) ? \"MariaDB\" : \"MySQL\";\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION_ID:\n if (mysql)\n *((size_t *)arg)= mariadb_server_version_id(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PROTOCOL_VERSION_ID:\n if (mysql)\n *((unsigned int *)arg)= mysql->protocol_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_MARIADB_CHARSET_INFO:\n if (mysql)\n mariadb_get_charset_info(mysql, (MY_CHARSET_INFO *)arg);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SOCKET:\n if (mysql)\n *((my_socket *)arg)= mariadb_get_socket(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_TYPE:\n if (mysql && mysql->net.pvio)\n *((int *)arg)= (int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT_MS:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n *((unsigned int *)arg)= mysql->options.extension->async_context->timeout_value;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n {\n unsigned int timeout= mysql->options.extension->async_context->timeout_value;\n if (timeout > UINT_MAX - 999)\n *((unsigned int *)arg)= (timeout - 1)/1000 + 1;\n else\n *((unsigned int *)arg)= (timeout+999)/1000;\n }\n break;\n case MARIADB_CHARSET_NAME:\n {\n char *name;\n name= va_arg(ap, char *);\n if (name)\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_name(name);\n else\n goto error;\n }\n break;\n case MARIADB_CHARSET_ID:\n {\n unsigned int nr;\n nr= va_arg(ap, unsigned int);\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_nr(nr);\n }\n break;\n case MARIADB_CONNECTION_SSL_CIPHER:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((char **)arg)= (char *)ma_pvio_tls_cipher(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CLIENT_ERRORS:\n *((char ***)arg)= (char **)client_errors;\n break;\n case MARIADB_CONNECTION_INFO:\n if (mysql)\n *((char **)arg)= (char *)mysql->info;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PVIO_TYPE:\n if (mysql && mysql->net.pvio)\n *((unsigned int *)arg)= (unsigned int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SCHEMA:\n if (mysql)\n *((char **)arg)= mysql->db;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_USER:\n if (mysql)\n *((char **)arg)= mysql->user;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PORT:\n if (mysql)\n *((unsigned int *)arg)= mysql->port;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_UNIX_SOCKET:\n if (mysql)\n *((char **)arg)= mysql->unix_socket;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_HOST:\n if (mysql)\n *((char **)arg)= mysql->host;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_STATUS:\n if (mysql)\n *((unsigned int *)arg)= mysql->server_status;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_EXTENDED_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->extension->mariadb_server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_CLIENT_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->client_flag;\n else\n goto error;\n break;\n default:\n va_end(ap);\n return(-1);\n }\n va_end(ap);\n return(0);\nerror:\n va_end(ap);\n return(-1);\n}", "project": "mariadb-connector-c", "hash": 169671727087038349126198218159280624326, "size": 217, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429678 }, { "func": "void STDCALL mysql_get_character_set_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n mariadb_get_charset_info(mysql, cs);\n}", "project": "mariadb-connector-c", "hash": 217164025069153547830281264000695896647, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429705 }, { "func": "unsigned long STDCALL mysql_get_server_version(MYSQL *mysql)\n{\n return (unsigned long)mariadb_server_version_id(mysql);\n}", "project": "mariadb-connector-c", "hash": 122711105199939788046945873828848009668, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429708 }, { "func": "static void mariadb_get_charset_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n if (!cs)\n return;\n\n cs->number= mysql->charset->nr;\n cs->csname= mysql->charset->csname;\n cs->name= mysql->charset->name;\n cs->state= 0;\n cs->comment= NULL;\n cs->dir= NULL;\n cs->mbminlen= mysql->charset->char_minlen;\n cs->mbmaxlen= mysql->charset->char_maxlen;\n\n return;\n}", "project": "mariadb-connector-c", "hash": 234853578981854839530463108815494608239, "size": 16, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429695 }, { "func": "static size_t mariadb_server_version_id(MYSQL *mysql)\n{\n size_t major, minor, patch;\n char *p;\n\n if (!(p = mysql->server_version)) {\n return 0;\n }\n\n major = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n minor = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n patch = strtol(p, &p, 10);\n\n return (major * 10000L + (unsigned long)(minor * 100L + patch));\n}", "project": "mariadb-connector-c", "hash": 313301315730600233929478529358826963028, "size": 17, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429739 } ] }, { "call_depth": 4, "longest_call_chain": [ "process_update", "verify_signature", "get_esl_cert", "get_esl_signature_list" ], "group_size": 15, "functions": [ { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int check_timestamp(const char *key, const struct efi_time *timestamp,\n\t\t char *last_timestamp)\n{\n\tstruct efi_time *prev;\n\tuint64_t new;\n\tuint64_t last;\n\n\tprev = get_last_timestamp(key, last_timestamp);\n\tif (prev == NULL)\n\t\treturn OPAL_INTERNAL_ERROR;\n\n\tprlog(PR_DEBUG, \"timestamp year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(timestamp->year), timestamp->month,\n\t\t\ttimestamp->day);\n\tprlog(PR_DEBUG, \"prev year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(prev->year), prev->month, prev->day);\n\n\tnew = unpack_timestamp(timestamp);\n\tlast = unpack_timestamp(prev);\n\n\tif (new > last)\n\t\treturn OPAL_SUCCESS;\n\n\treturn OPAL_PERMISSION;\n}", "idx": 521655, "cwe": "CWE-681", "hash": 71734921946669776012689805880040557221, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int verify_signature(const struct efi_variable_authentication_2 *auth,\n\t\t\t const char *newcert, const size_t new_data_size,\n\t\t\t const struct secvar *avar)\n{\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tmbedtls_x509_crt x509;\n\tchar *signing_cert = NULL;\n\tchar *x509_buf = NULL;\n\tint signing_cert_size;\n\tint rc = 0;\n\tchar *errbuf;\n\tint eslvarsize;\n\tint eslsize;\n\tint offset = 0;\n\n\tif (!auth)\n\t\treturn OPAL_PARAMETER;\n\n\t/* Extract the pkcs7 from the auth structure */\n\tpkcs7 = get_pkcs7(auth);\n\t/* Failure to parse pkcs7 implies bad input. */\n\tif (!pkcs7)\n\t\treturn OPAL_PARAMETER;\n\n\tprlog(PR_INFO, \"Load the signing certificate from the keystore\");\n\n\teslvarsize = avar->data_size;\n\n\t/* Variable is not empty */\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = get_esl_signature_list_size(avar->data + offset,\n\t\t\t\t\t\t eslvarsize);\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tsigning_cert_size = get_esl_cert(avar->data + offset,\n\t\t\t\t\t\t eslvarsize, &signing_cert);\n\t\tif (signing_cert_size < 0) {\n\t\t\trc = signing_cert_size;\n\t\t\tbreak;\n\t\t}\n\n\t\tmbedtls_x509_crt_init(&x509);\n\t\trc = mbedtls_x509_crt_parse(&x509,\n\t\t\t\t\t signing_cert,\n\t\t\t\t\t signing_cert_size);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif(rc) {\n\t\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\t\trc = mbedtls_x509_crt_info(x509_buf,\n\t\t\t\t\t CERT_BUFFER_SIZE,\n\t\t\t\t\t \"CRT:\",\n\t\t\t\t\t &x509);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif (rc < 0) {\n\t\t\tfree(x509_buf);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tprlog(PR_INFO, \"%s \\n\", x509_buf);\n\t\tfree(x509_buf);\n\t\tx509_buf = NULL;\n\n\t\trc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size);\n\n\t\t/* If you find a signing certificate, you are done */\n\t\tif (rc == 0) {\n\t\t\tprlog(PR_INFO, \"Signature Verification passed\\n\");\n\t\t\tmbedtls_x509_crt_free(&x509);\n\t\t\tbreak;\n\t\t} else {\n\t\t\terrbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tmbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tprlog(PR_ERR, \"Signature Verification failed %02x %s\\n\",\n\t\t\t\t\trc, errbuf);\n\t\t\tfree(errbuf);\n\t\t\trc = OPAL_PERMISSION;\n\t\t}\n\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tmbedtls_x509_crt_free(&x509);\n\t\tfree(signing_cert);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tsigning_cert = NULL;\n\n\t}\n\n\tfree(signing_cert);\n\tmbedtls_pkcs7_free(pkcs7);\n\tfree(pkcs7);\n\n\treturn rc;\n}", "idx": 521654, "cwe": "CWE-681", "hash": 169175420840573290317758226120475277153, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int process_update(const struct secvar *update, char **newesl,\n\t\t int *new_data_size, struct efi_time *timestamp,\n\t\t struct list_head *bank, char *last_timestamp)\n{\n\tstruct efi_variable_authentication_2 *auth = NULL;\n\tvoid *auth_buffer = NULL;\n\tint auth_buffer_size = 0;\n\tconst char *key_authority[3];\n\tchar *tbhbuffer = NULL;\n\tsize_t tbhbuffersize = 0;\n\tstruct secvar *avar = NULL;\n\tint rc = 0;\n\tint i;\n\n\t/* We need to split data into authentication descriptor and new ESL */\n\tauth_buffer_size = get_auth_descriptor2(update->data,\n\t\t\t\t\t\tupdate->data_size,\n\t\t\t\t\t\t&auth_buffer);\n\tif ((auth_buffer_size < 0)\n\t || (update->data_size < auth_buffer_size)) {\n\t\tprlog(PR_ERR, \"Invalid auth buffer size\\n\");\n\t\trc = auth_buffer_size;\n\t\tgoto out;\n\t}\n\n\tauth = auth_buffer;\n\n\tif (!timestamp) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\tmemcpy(timestamp, auth_buffer, sizeof(struct efi_time));\n\n\trc = check_timestamp(update->key, timestamp, last_timestamp);\n\t/* Failure implies probably an older command being resubmitted */\n\tif (rc != OPAL_SUCCESS) {\n\t\tprlog(PR_ERR, \"Timestamp verification failed for key %s\\n\", update->key);\n\t\tgoto out;\n\t}\n\n\t/* Calculate the size of new ESL data */\n\t*new_data_size = update->data_size - auth_buffer_size;\n\tif (*new_data_size < 0) {\n\t\tprlog(PR_ERR, \"Invalid new ESL (new data content) size\\n\");\n\t\trc = OPAL_PARAMETER;\n\t\tgoto out;\n\t}\n\t*newesl = zalloc(*new_data_size);\n\tif (!(*newesl)) {\n\t\trc = OPAL_NO_MEM;\n\t\tgoto out;\n\t}\n\tmemcpy(*newesl, update->data + auth_buffer_size, *new_data_size);\n\n\t/* Validate the new ESL is in right format */\n\trc = validate_esl_list(update->key, *newesl, *new_data_size);\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"ESL validation failed for key %s with error %04x\\n\",\n\t\t update->key, rc);\n\t\tgoto out;\n\t}\n\n\tif (setup_mode) {\n\t\trc = OPAL_SUCCESS;\n\t\tgoto out;\n\t}\n\n\t/* Prepare the data to be verified */\n\ttbhbuffer = get_hash_to_verify(update->key, *newesl, *new_data_size,\n\t\t\t\ttimestamp);\n\tif (!tbhbuffer) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\t/* Get the authority to verify the signature */\n\tget_key_authority(key_authority, update->key);\n\n\t/*\n\t * Try for all the authorities that are allowed to sign.\n\t * For eg. db/dbx can be signed by both PK or KEK\n\t */\n\tfor (i = 0; key_authority[i] != NULL; i++) {\n\t\tprlog(PR_DEBUG, \"key is %s\\n\", update->key);\n\t\tprlog(PR_DEBUG, \"key authority is %s\\n\", key_authority[i]);\n\t\tavar = find_secvar(key_authority[i],\n\t\t\t\t strlen(key_authority[i]) + 1,\n\t\t\t\t bank);\n\t\tif (!avar || !avar->data_size)\n\t\t\tcontinue;\n\n\t\t/* Verify the signature */\n\t\trc = verify_signature(auth, tbhbuffer, tbhbuffersize,\n\t\t\t\t avar);\n\n\t\t/* Break if signature verification is successful */\n\t\tif (rc == OPAL_SUCCESS) {\n\t\t\tprlog(PR_INFO, \"Key %s successfully verified by authority %s\\n\", update->key, key_authority[i]);\n\t\t\tbreak;\n\t\t}\n\t}\n\nout:\n\tfree(auth_buffer);\n\tfree(tbhbuffer);\n\n\treturn rc;\n}", "idx": 521660, "cwe": "CWE-681", "hash": 178401092850407839532373766829369702237, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 1, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le32_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 217514, "cwe": "CWE-681", "hash": 261903108962534180969470598132431142070, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le16_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 521649, "cwe": "CWE-681", "hash": 337463125729458282018478225518421551092, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)\n{\n\tuint32_t dw_length;\n\tsize_t size;\n\n\tassert(auth != NULL);\n\n\tdw_length = le32_to_cpu(auth->auth_info.hdr.dw_length);\n\tsize = dw_length - (sizeof(auth->auth_info.hdr.dw_length)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_revision)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_certificate_type)\n\t\t\t+ sizeof(auth->auth_info.cert_type));\n\n\treturn size;\n}", "idx": 521659, "cwe": "CWE-681", "hash": 250773754624625586965202166265104085065, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffer)\n{\n\tconst struct efi_variable_authentication_2 *auth = buf;\n\tint auth_buffer_size;\n\tsize_t len;\n\n\tassert(auth_buffer != NULL);\n\tif (buflen < sizeof(struct efi_variable_authentication_2)\n\t || !buf)\n\t\t\treturn OPAL_PARAMETER;\n\n\tlen = get_pkcs7_len(auth);\n\t/* pkcs7 content length cannot be greater than buflen */ \n\tif (len > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\tauth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)\n\t\t\t + sizeof(auth->auth_info.cert_type) + len;\n\n\t*auth_buffer = zalloc(auth_buffer_size);\n\tif (!(*auth_buffer))\n\t\treturn OPAL_NO_MEM;\n\n\t/*\n\t * Data = auth descriptor + new ESL data.\n\t * Extracts only the auth descriptor from data.\n\t */\n\tmemcpy(*auth_buffer, buf, auth_buffer_size);\n\n\treturn auth_buffer_size;\n}", "idx": 521656, "cwe": "CWE-681", "hash": 305644016089787436408464435206138914640, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_hash(uuid_t type, int size)\n{\n if (uuid_equals(&type, &EFI_CERT_SHA1_GUID) && (size == 20))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA224_GUID) && (size == 28))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA256_GUID) && (size == 32))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA384_GUID) && (size == 48))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA512_GUID) && (size == 64))\n return true;\n\n return false;\n}", "idx": 521657, "cwe": "CWE-681", "hash": 178128338452607838604171323429136382734, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth)\n{\n\tchar *checkpkcs7cert = NULL;\n\tsize_t len;\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tint rc;\n\n\tlen = get_pkcs7_len(auth);\n\n\tpkcs7 = malloc(sizeof(struct mbedtls_pkcs7));\n\tif (!pkcs7)\n\t\treturn NULL;\n\n\tmbedtls_pkcs7_init(pkcs7);\n\trc = mbedtls_pkcs7_parse_der( auth->auth_info.cert_data, len, pkcs7);\n\tif (rc <= 0) {\n\t\tprlog(PR_ERR, \"Parsing pkcs7 failed %04x\\n\", rc);\n\t\tgoto out;\n\t}\n\n\tcheckpkcs7cert = zalloc(CERT_BUFFER_SIZE);\n\tif (!checkpkcs7cert)\n\t\tgoto out;\n\n\trc = mbedtls_x509_crt_info(checkpkcs7cert, CERT_BUFFER_SIZE, \"CRT:\",\n\t\t\t\t &(pkcs7->signed_data.certs));\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"Failed to parse the certificate in PKCS7 structure\\n\");\n\t\tfree(checkpkcs7cert);\n\t\tgoto out;\n\t}\n\n\tprlog(PR_DEBUG, \"%s \\n\", checkpkcs7cert);\n\tfree(checkpkcs7cert);\n\treturn pkcs7;\n\nout:\n\tmbedtls_pkcs7_free(pkcs7);\n\tpkcs7 = NULL;\n\treturn pkcs7;\n}", "idx": 521644, "cwe": "CWE-681", "hash": 285422590631529911090789466166025019210, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static void get_key_authority(const char *ret[3], const char *key)\n{\n\tint i = 0;\n\n\tif (key_equals(key, \"PK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"KEK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"db\") || key_equals(key, \"dbx\")) {\n\t\tret[i++] = \"KEK\";\n\t\tret[i++] = \"PK\";\n\t}\n\n\tret[i] = NULL;\n}", "idx": 521642, "cwe": "CWE-681", "hash": 297738273191075284106162991641740642673, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\treturn le32_to_cpu(list->SignatureListSize);\n}", "idx": 521643, "cwe": "CWE-681", "hash": 78060638800999667578112940727001384482, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\tif (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)\n\t\treturn NULL;\n\n\tlist = (EFI_SIGNATURE_LIST *)buf;\n\n\treturn list;\n}", "idx": 521652, "cwe": "CWE-681", "hash": 120387305635648549803864652788577802214, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int get_esl_cert(const char *buf, const size_t buflen, char **cert)\n{\n\tsize_t sig_data_offset;\n\tsize_t size;\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\tassert(cert != NULL);\n\n\tsize = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);\n\n\tprlog(PR_DEBUG,\"size of signature list size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureListSize));\n\tprlog(PR_DEBUG, \"size of signature header size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureHeaderSize));\n\tprlog(PR_DEBUG, \"size of signature size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureSize));\n\n\tsig_data_offset = sizeof(EFI_SIGNATURE_LIST)\n\t\t\t + le32_to_cpu(list->SignatureHeaderSize)\n\t\t\t + 16 * sizeof(uint8_t);\n\tif (sig_data_offset > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\t*cert = zalloc(size);\n\tif (!(*cert))\n\t\treturn OPAL_NO_MEM;\n\n\t/* Since buf can have more than one ESL, copy only the size calculated\n\t * to return single ESL */\n\tmemcpy(*cert, buf + sig_data_offset, size);\n\n\treturn size;\n}", "idx": 521650, "cwe": "CWE-681", "hash": 76056064316561882808219871420473489575, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_cert(char *signing_cert, int signing_cert_size)\n{\n\tmbedtls_x509_crt x509;\n\tchar *x509_buf = NULL;\n\tint rc;\n\n\tmbedtls_x509_crt_init(&x509);\n\trc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size);\n\n\t/* If failure in parsing the certificate, exit */\n\tif(rc) {\n\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\treturn false;\n\t}\n\n\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\trc = mbedtls_x509_crt_info(x509_buf, CERT_BUFFER_SIZE, \"CRT:\", &x509);\n\n\tmbedtls_x509_crt_free(&x509);\n\tfree(x509_buf);\n\tx509_buf = NULL;\n\n\t/* If failure in reading the certificate, exit */\n\tif (rc < 0)\n\t\treturn false;\n\n\treturn true;\n}", "idx": 521646, "cwe": "CWE-681", "hash": 89322362298830297891556293893589653635, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int validate_esl_list(const char *key, const char *esl, const size_t size)\n{\n\tint count = 0;\n\tint dsize;\n\tchar *data = NULL;\n\tint eslvarsize = size;\n\tint eslsize;\n\tint rc = OPAL_SUCCESS;\n\tint offset = 0;\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Check Supported ESL Type */\n\t\tlist = get_esl_signature_list(esl, eslvarsize);\n\n\t\tif (!list)\n\t\t\treturn OPAL_PARAMETER;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = le32_to_cpu(list->SignatureListSize);\n\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\tprlog(PR_ERR, \"Invalid size of the ESL: %u\\n\",\n\t\t\t\t\tle32_to_cpu(list->SignatureListSize));\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tdsize = get_esl_cert(esl, eslvarsize, &data);\n\t\tif (dsize < 0) {\n\t\t\trc = dsize;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (key_equals(key, \"dbx\")) {\n\t\t\tif (!validate_hash(list->SignatureType, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid hash is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t if (!uuid_equals(&list->SignatureType, &EFI_CERT_X509_GUID)\n\t\t\t || !validate_cert(data, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid cert is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t }\n\t\t}\n\n\t\tcount++;\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tfree(data);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tdata = NULL;\n\t}\n\n\tif (rc == OPAL_SUCCESS) {\n\t\tif (key_equals(key, \"PK\") && (count > 1)) {\n\t\t\tprlog(PR_ERR, \"PK can only be one\\n\");\n\t\t\trc = OPAL_PARAMETER;\n\t\t} else {\n\t\t\trc = count;\n\t\t}\n\t}\n\n\tfree(data);\n\n\tprlog(PR_INFO, \"Total ESLs are %d\\n\", rc);\n\treturn rc;\n}", "idx": 521648, "cwe": "CWE-681", "hash": 135687032396769714616764529094035254125, "dataset": "other" } ] }, { "call_depth": 3, "longest_call_chain": [ "trace_vbprintk", "ftrace_trace_stack", "__ftrace_trace_stack" ], "group_size": 15, "functions": [ { "func": "int __trace_bputs(unsigned long ip, const char *str)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct bputs_entry *entry;\n\tunsigned long irq_flags;\n\tint size = sizeof(struct bputs_entry);\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPUTS, size,\n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->str\t\t\t= str;\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn 1;\n}", "project": "linux", "hash": 97935509873229655098639551909617223595, "size": 33, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445651 }, { "func": "void __trace_stack(struct trace_array *tr, unsigned long flags, int skip,\n\t\t int pc)\n{\n\tstruct ring_buffer *buffer = tr->trace_buffer.buffer;\n\n\tif (rcu_is_watching()) {\n\t\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\t\treturn;\n\t}\n\n\t/*\n\t * When an NMI triggers, RCU is enabled via rcu_nmi_enter(),\n\t * but if the above rcu_is_watching() failed, then the NMI\n\t * triggered someplace critical, and rcu_irq_enter() should\n\t * not be called from NMI.\n\t */\n\tif (unlikely(in_nmi()))\n\t\treturn;\n\n\t/*\n\t * It is possible that a function is being traced in a\n\t * location that RCU is not watching. A call to\n\t * rcu_irq_enter() will make sure that it is, but there's\n\t * a few internal rcu functions that could be traced\n\t * where that wont work either. In those cases, we just\n\t * do nothing.\n\t */\n\tif (unlikely(rcu_irq_enter_disabled()))\n\t\treturn;\n\n\trcu_irq_enter_irqson();\n\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\trcu_irq_exit_irqson();\n}", "project": "linux", "hash": 148688729114021066957743413682696870780, "size": 34, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445686 }, { "func": "trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\treturn __trace_buffer_lock_reserve(buffer, type, len, flags, pc);\n}", "project": "linux", "hash": 290494509004862626438777072381730768500, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445711 }, { "func": "void trace_dump_stack(int skip)\n{\n\tunsigned long flags;\n\n\tif (tracing_disabled || tracing_selftest_running)\n\t\treturn;\n\n\tlocal_save_flags(flags);\n\n\t/*\n\t * Skip 3 more, seems to get us at the caller of\n\t * this function.\n\t */\n\tskip += 3;\n\t__ftrace_trace_stack(global_trace.trace_buffer.buffer,\n\t\t\t flags, skip, preempt_count(), NULL);\n}", "project": "linux", "hash": 209716427486737830029222622578390806861, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445554 }, { "func": "static void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tstruct trace_event_call *call = &event_kernel_stack;\n\tstruct ring_buffer_event *event;\n\tstruct stack_entry *entry;\n\tstruct stack_trace trace;\n\tint use_stack;\n\tint size = FTRACE_STACK_ENTRIES;\n\n\ttrace.nr_entries\t= 0;\n\ttrace.skip\t\t= skip;\n\n\t/*\n\t * Add two, for this function and the call to save_stack_trace()\n\t * If regs is set, then these functions will not be in the way.\n\t */\n\tif (!regs)\n\t\ttrace.skip += 2;\n\n\t/*\n\t * Since events can happen in NMIs there's no safe way to\n\t * use the per cpu ftrace_stacks. We reserve it and if an interrupt\n\t * or NMI comes in, it will just have to use the default\n\t * FTRACE_STACK_SIZE.\n\t */\n\tpreempt_disable_notrace();\n\n\tuse_stack = __this_cpu_inc_return(ftrace_stack_reserve);\n\t/*\n\t * We don't need any atomic variables, just a barrier.\n\t * If an interrupt comes in, we don't care, because it would\n\t * have exited and put the counter back to what we want.\n\t * We just need a barrier to keep gcc from moving things\n\t * around.\n\t */\n\tbarrier();\n\tif (use_stack == 1) {\n\t\ttrace.entries\t\t= this_cpu_ptr(ftrace_stack.calls);\n\t\ttrace.max_entries\t= FTRACE_STACK_MAX_ENTRIES;\n\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\n\t\tif (trace.nr_entries > size)\n\t\t\tsize = trace.nr_entries;\n\t} else\n\t\t/* From now on, use_stack is a boolean */\n\t\tuse_stack = 0;\n\n\tsize *= sizeof(unsigned long);\n\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_STACK,\n\t\t\t\t\t sizeof(*entry) + size, flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\n\tmemset(&entry->caller, 0, size);\n\n\tif (use_stack)\n\t\tmemcpy(&entry->caller, trace.entries,\n\t\t trace.nr_entries * sizeof(unsigned long));\n\telse {\n\t\ttrace.max_entries\t= FTRACE_STACK_ENTRIES;\n\t\ttrace.entries\t\t= entry->caller;\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\t}\n\n\tentry->size = trace.nr_entries;\n\n\tif (!call_filter_check_discard(call, entry, buffer, event))\n\t\t__buffer_unlock_commit(buffer, event);\n\n out:\n\t/* Again, don't let gcc optimize things here */\n\tbarrier();\n\t__this_cpu_dec(ftrace_stack_reserve);\n\tpreempt_enable_notrace();\n\n}", "project": "linux", "hash": 228181925911186695377319876003635852001, "size": 87, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445528 }, { "func": "static inline void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t\tunsigned long flags,\n\t\t\t\t\tint skip, int pc, struct pt_regs *regs)\n{\n}", "project": "linux", "hash": 326356546210729082046651620939364926726, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445804 }, { "func": "static void put_trace_buf(void)\n{\n\t/* Don't let the decrement of nesting leak before this */\n\tbarrier();\n\tthis_cpu_dec(trace_percpu_buffer->nesting);\n}", "project": "linux", "hash": 151274970754355397862267931791174596447, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445718 }, { "func": "trace_event_setup(struct ring_buffer_event *event,\n\t\t int type, unsigned long flags, int pc)\n{\n\tstruct trace_entry *ent = ring_buffer_event_data(event);\n\n\ttracing_generic_entry_update(ent, flags, pc);\n\tent->type = type;\n}", "project": "linux", "hash": 33661644687624186718785817022496531739, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445676 }, { "func": "void trace_buffer_unlock_commit_regs(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t struct ring_buffer_event *event,\n\t\t\t\t unsigned long flags, int pc,\n\t\t\t\t struct pt_regs *regs)\n{\n\t__buffer_unlock_commit(buffer, event);\n\n\t/*\n\t * If regs is not set, then skip the following callers:\n\t * trace_buffer_unlock_commit_regs\n\t * event_trigger_unlock_commit\n\t * trace_event_buffer_commit\n\t * trace_event_raw_event_sched_switch\n\t * Note, we can still get here via blktrace, wakeup tracer\n\t * and mmiotrace, but that's ok if they lose a function or\n\t * two. They are that meaningful.\n\t */\n\tftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);\n\tftrace_trace_userstack(buffer, flags, pc);\n}", "project": "linux", "hash": 286052656294965236812004646636467502665, "size": 21, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445619 }, { "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n}", "project": "linux", "hash": 12958771922969768168390039976616805710, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445697 }, { "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tif (!(tr->trace_flags & TRACE_ITER_STACKTRACE))\n\t\treturn;\n\n\t__ftrace_trace_stack(buffer, flags, skip, pc, regs);\n}", "project": "linux", "hash": 122015228433718164966279605143093293709, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445815 }, { "func": "int __trace_puts(unsigned long ip, const char *str, int size)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct print_entry *entry;\n\tunsigned long irq_flags;\n\tint alloc;\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\talloc = sizeof(*entry) + size + 2; /* possible \\n added */\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, \n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip = ip;\n\n\tmemcpy(&entry->buf, str, size);\n\n\t/* Add a newline if necessary */\n\tif (entry->buf[size - 1] != '\\n') {\n\t\tentry->buf[size] = '\\n';\n\t\tentry->buf[size + 1] = '\\0';\n\t} else\n\t\tentry->buf[size] = '\\0';\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn size;\n}", "project": "linux", "hash": 333230938796332990582828767642145709691, "size": 43, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445537 }, { "func": "__trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\tstruct ring_buffer_event *event;\n\n\tevent = ring_buffer_lock_reserve(buffer, len);\n\tif (event != NULL)\n\t\ttrace_event_setup(event, type, flags, pc);\n\n\treturn event;\n}", "project": "linux", "hash": 277862938369440085694307103004898588643, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445828 }, { "func": "int trace_vbprintk(unsigned long ip, const char *fmt, va_list args)\n{\n\tstruct trace_event_call *call = &event_bprint;\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct trace_array *tr = &global_trace;\n\tstruct bprint_entry *entry;\n\tunsigned long flags;\n\tchar *tbuffer;\n\tint len = 0, size, pc;\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\t/* Don't pollute graph traces with trace_vprintk internals */\n\tpause_graph_tracing();\n\n\tpc = preempt_count();\n\tpreempt_disable_notrace();\n\n\ttbuffer = get_trace_buf();\n\tif (!tbuffer) {\n\t\tlen = 0;\n\t\tgoto out_nobuffer;\n\t}\n\n\tlen = vbin_printf((u32 *)tbuffer, TRACE_BUF_SIZE/sizeof(int), fmt, args);\n\n\tif (len > TRACE_BUF_SIZE/sizeof(int) || len < 0)\n\t\tgoto out;\n\n\tlocal_save_flags(flags);\n\tsize = sizeof(*entry) + sizeof(u32) * len;\n\tbuffer = tr->trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPRINT, size,\n\t\t\t\t\t flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->fmt\t\t\t= fmt;\n\n\tmemcpy(entry->buf, tbuffer, sizeof(u32) * len);\n\tif (!call_filter_check_discard(call, entry, buffer, event)) {\n\t\t__buffer_unlock_commit(buffer, event);\n\t\tftrace_trace_stack(tr, buffer, flags, 6, pc, NULL);\n\t}\n\nout:\n\tput_trace_buf();\n\nout_nobuffer:\n\tpreempt_enable_notrace();\n\tunpause_graph_tracing();\n\n\treturn len;\n}", "project": "linux", "hash": 253947971610352669400134070783242158477, "size": 57, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445733 }, { "func": "int call_filter_check_discard(struct trace_event_call *call, void *rec,\n\t\t\t struct ring_buffer *buffer,\n\t\t\t struct ring_buffer_event *event)\n{\n\tif (unlikely(call->flags & TRACE_EVENT_FL_FILTERED) &&\n\t !filter_match_preds(call->filter, rec)) {\n\t\t__trace_event_discard_commit(buffer, event);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 295670194917690430799317477652109148509, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445792 } ] }, { "call_depth": 3, "longest_call_chain": [ "HrReadHeaders", "HrParseHeaders", "HrGetHeaderValue" ], "group_size": 14, "functions": [ { "func": "HRESULT Http::HrFinalize()\n{\n\tHRESULT hr = hrSuccess;\n\n\tHrResponseHeader(\"Content-Length\", stringify(m_strRespBody.length()));\n\n\t// force chunked http for long size response, should check version >= 1.1 to disable chunking\n\tif (m_strRespBody.size() < HTTP_CHUNK_SIZE || m_strHttpVer != \"1.1\") {\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\t\tif (!m_strRespBody.empty()) {\n\t\t\tm_lpChannel->HrWriteString(m_strRespBody);\n\t\t\tec_log_debug(\"Response body:\\n%s\", m_strRespBody.c_str());\n\t\t}\n\t}\n\telse\n\t{\n\t\tconst char *lpstrBody = m_strRespBody.data();\n\t\tchar lpstrLen[10];\n\t\tauto szBodyLen = m_strRespBody.size(); // length of data to be sent to the client\n\t\tsize_t szBodyWritten = 0; // length of data sent to client\n\t\tunsigned int szPart = HTTP_CHUNK_SIZE;\t\t\t\t\t\t// default length of chunk data to be written\n\n\t\tHrResponseHeader(\"Transfer-Encoding\", \"chunked\");\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail(2) %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\n\t\twhile (szBodyWritten < szBodyLen)\n\t\t{\n\t\t\tif ((szBodyWritten + HTTP_CHUNK_SIZE) > szBodyLen)\n\t\t\t\tszPart = szBodyLen - szBodyWritten;\t\t\t\t// change length of data for last chunk\n\t\t\t// send hex length of data and data part\n\t\t\tsnprintf(lpstrLen, sizeof(lpstrLen), \"%X\", szPart);\n\t\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t\tm_lpChannel->HrWriteLine(string_view(lpstrBody, szPart));\n\t\t\tszBodyWritten += szPart;\n\t\t\tlpstrBody += szPart;\n\t\t}\n\n\t\t// end of response\n\t\tsnprintf(lpstrLen, 10, \"0\\r\\n\");\n\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t// just the first part of the body in the log. header shows it's chunked.\n\t\tec_log_debug(\"%s\", m_strRespBody.c_str());\n\t}\n\n\t// if http_log_enable?\n\tchar szTime[32];\n\ttime_t now = time(NULL);\n\ttm local;\n\tstd::string strAgent;\n\tlocaltime_r(&now, &local);\n\t// @todo we're in C LC_TIME locale to get the correct (month) format, but the timezone will be GMT, which is not wanted.\n\tstrftime(szTime, ARRAY_SIZE(szTime), \"%d/%b/%Y:%H:%M:%S %z\", &local);\n\tHrGetHeaderValue(\"User-Agent\", &strAgent);\n\tec_log_notice(\"%s - %s [%s] \\\"%s\\\" %d %d \\\"-\\\" \\\"%s\\\"\", m_lpChannel->peer_addr(), m_strUser.empty() ? \"-\" : m_strUser.c_str(), szTime, m_strAction.c_str(), m_ulRetCode, (int)m_strRespBody.length(), strAgent.c_str());\n\tm_ulRetCode = 0;\n\treturn hr;\n}", "project": "kopano-core", "hash": 259595367262276487244267405280402291162, "size": 67, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412624 }, { "func": "HRESULT Http::HrGetDepth(ULONG *ulDepth)\n{\n\tstd::string strDepth;\n\t/*\n\t * Valid input: [0, 1, infinity]\n\t */\n\tauto hr = HrGetHeaderValue(\"Depth\", &strDepth);\n\tif (hr != hrSuccess)\n\t\t*ulDepth = 0; /* Default is no subfolders. Default should become a parameter. It is action dependent. */\n\telse if (strDepth == \"infinity\")\n\t\t*ulDepth = 2;\n\telse {\n\t\t*ulDepth = atoi(strDepth.c_str());\n\t\tif (*ulDepth > 1)\n\t\t\t*ulDepth = 1;\n\t}\n\treturn hr;\n}", "project": "kopano-core", "hash": 217517827692339967634595091257873772062, "size": 18, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412614 }, { "func": "HRESULT Http::HrReadBody()\n{\n\tstd::string strLength;\n\n\t// find the Content-Length\n\tif (HrGetHeaderValue(\"Content-Length\", &strLength) != hrSuccess) {\n\t\tec_log_debug(\"Http::HrReadBody content-length missing\");\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto ulContLength = atoi(strLength.c_str());\n\tif (ulContLength <= 0) {\n\t\tec_log_debug(\"Http::HrReadBody content-length invalid %d\", ulContLength);\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto hr = m_lpChannel->HrReadBytes(&m_strReqBody, ulContLength);\n\tif (!m_strUser.empty())\n\t\tec_log_debug(\"Request body:\\n%s\", m_strReqBody.c_str());\n\treturn hr;\n}", "project": "kopano-core", "hash": 113696208786814068339618293734508448744, "size": 19, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412634 }, { "func": "HRESULT Http::HrRequestAuth(const std::string &strMsg)\n{\n\tauto hr = HrResponseHeader(401, \"Unauthorized\");\n\tif (hr != hrSuccess)\n\t\treturn hr;\n\treturn HrResponseHeader(\"WWW-Authenticate\", \"Basic realm=\\\"\" + strMsg + \"\\\"\");\n}", "project": "kopano-core", "hash": 326592081151301752571350035393463588511, "size": 7, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412626 }, { "func": "HRESULT Http::HrReadHeaders()\n{\n\tHRESULT hr;\n\tstd::string strBuffer;\n\tULONG n = 0;\n\tstd::map::iterator iHeader = mapHeaders.end();\n\n\tec_log_debug(\"Receiving headers:\");\n\tdo\n\t{\n\t\thr = m_lpChannel->HrReadLine(strBuffer);\n\t\tif (hr != hrSuccess)\n\t\t\treturn hr;\n\t\tif (strBuffer.empty())\n\t\t\tbreak;\n\n\t\tif (n == 0) {\n\t\t\tm_strAction = strBuffer;\n\t\t} else {\n\t\t\tauto pos = strBuffer.find(':');\n\t\t\tsize_t start = 0;\n\n\t\t\tif (strBuffer[0] == ' ' || strBuffer[0] == '\\t') {\n\t\t\t\tif (iHeader == mapHeaders.end())\n\t\t\t\t\tcontinue;\n\t\t\t\t// continue header\n\t\t\t\twhile (strBuffer[start] == ' ' || strBuffer[start] == '\\t')\n\t\t\t\t\t++start;\n\t\t\t\tiHeader->second += strBuffer.substr(start);\n\t\t\t} else {\n\t\t\t\t// new header\n\t\t\t\tauto r = mapHeaders.emplace(strBuffer.substr(0, pos), strBuffer.substr(pos + 2));\n\t\t\t\tiHeader = r.first;\n\t\t\t}\n\t\t}\n\n\t\tif (strBuffer.find(\"Authorization\") != std::string::npos)\n\t\t\tec_log_debug(\"< Authorization: