File: rdp.c
Function: process_bitmap_updates()

Variables “width” and “height” are read from the input stream “s” and can be in the range: 0 - 0xFFFF.
Variable “bpp” is read from the input stream “s”, and later on variable “Bpp” can be in the range: 0 - 0x2000
During the “xmalloc(width * height * Bpp)” allocation call there is an Integer Overflow, and the result is chopped to 32 bits.
Using the following values, we were able to set the allocation size to 0 = (0xF000 * 0xF000 * 0x0A00) & 0xFFFFFFFF.
Later on, “bitmap_decompress()” will write controlled input bytes into the small buffer, triggering a buffer overflow.
Since “bitmap_decompress()” will stop when reaching an error, the buffer overflow can be fully controlled in content and in length.

Code Snippet:

for (i = 0; i < num_updates; i++)
	in_uint16_le(s, left);
	in_uint16_le(s, top);
	in_uint16_le(s, right);
	in_uint16_le(s, bottom);
	in_uint16_le(s, width);
	in_uint16_le(s, height);
	in_uint16_le(s, bpp);
	Bpp = (bpp + 7) / 8;
	in_uint16_le(s, compress);
	in_uint16_le(s, bufsize);

	in_uint8p(s, data, size);
	bmpdata = (uint8 *) xmalloc(width * height * Bpp);
	if (bitmap_decompress(bmpdata, width, height, data, size, Bpp))
		ui_paint_bitmap(left, top, cx, cy, width, height, bmpdata);