File: rdp.c
Function: process_bitmap_updates()

The variable “size” is read from the input stream “s” and can be in the range 0 - 0xFFFF.
Later on, the macro “in_uint8p(s, data, size)” advances the input stream using the unchecked “size” value.
Future reads from the input stream will trigger an access violation while reading from a potentially unmapped memory address.

Code Snippet:

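if (compress & 0x400)
{
	size = bufsize;
}
else
{
	in_uint8s(s, 2);	/* pad */
	in_uint16_le(s, size);	/* size taken from the stream, 0 - 0xFFFF */
	in_uint8s(s, 4);	/* line_size, final_size */
}
in_uint8p(s, data, size);	/* advances s by size with no bounds check */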
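
One way to add the missing bounds check before the stream is advanced, shown as an added example that is not rdesktop's code or its actual fix. The names struct stream, s_remaining and read_bitmap_payload are hypothetical stand-ins for the stream “s” and the macros in the snippet above, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal stream (not rdesktop's type): p is the read cursor,
 * end is one past the last valid byte; p <= end always holds. */
struct stream {
    const uint8_t *p;
    const uint8_t *end;
};

static size_t s_remaining(const struct stream *s)
{
    return (size_t)(s->end - s->p);
}

/* Checked version of the size/data reads. Returns 0 and sets *data and *size
 * on success, -1 if the stream cannot hold what the header claims. */
int read_bitmap_payload(struct stream *s, unsigned compress, uint16_t bufsize,
                        const uint8_t **data, uint16_t *size)
{
    uint16_t n = bufsize;

    if (!(compress & 0x400)) {
        if (s_remaining(s) < 8)      /* pad(2) + size(2) + line/final size(4) */
            return -1;
        n = (uint16_t)(s->p[2] | (s->p[3] << 8));   /* little-endian size */
        s->p += 8;
    }
    if (n > s_remaining(s))          /* the check the snippet lacks */
        return -1;
    *data = s->p;
    s->p += n;                       /* cursor can no longer pass end */
    *size = n;
    return 0;
}

int main(void)
{
    /* Constructed input: header claims 0xFFFF bytes, only 4 follow. */
    static const uint8_t pkt[] = {0,0, 0xFF,0xFF, 0,0,0,0, 0xAA,0xBB,0xCC,0xDD};
    struct stream s = { pkt, pkt + sizeof pkt };
    const uint8_t *data;
    uint16_t size;

    int rc = read_bitmap_payload(&s, 0, 0, &data, &size);
    printf("rc=%d remaining=%zu\n", rc, s_remaining(&s));
    return rc == -1 ? 0 : 1;
}
```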