From bc85e46b49a5765a086b536e488fdca8432640e4 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Mon, 23 Mar 2026 13:02:49 +0000
Subject: [PATCH] RDP: Check for too long segments on the uncompressed path

The RDP 8.0 compression limits the maximum number of uncompressed
bytes in a single segment to 65,535 [MS-RDPEGFX] 3.1.9.1.2.
Check for that in the uncompressed path.

Fix #21105

AI-Assisted: no


(cherry picked from commit 87fb30a03d19bb2a0c8597e10c38f1657310fafd)

Co-authored-by: John Thacker <johnthacker@gmail.com>
---
 epan/tvbuff_rdp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: wireshark-3.6.24/epan/tvbuff_rdp.c
===================================================================
--- wireshark-3.6.24.orig/epan/tvbuff_rdp.c
+++ wireshark-3.6.24/epan/tvbuff_rdp.c
@@ -155,7 +155,8 @@ static const zgfx_token_t ZGFX_MATCH_TAB
 	{ 9, 382, 24, 17094304 }, // 101111110
 };
 
-
+/* Limits from [MS-RDPEGFX] 3.1.9.1.2 (So failures here are malformed
+ * packets, not limitations of the implementation.) */
 struct _zgfx_context_t{
 	guint8 historyBuffer[2500000];
 	guint32 historyIndex;
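Review bot: The added comment sits above `struct _zgfx_context_t` but does not say which values are the protocol limits, and "failures here" has nothing to refer to, since a struct definition contains no failure path. Naming the limit would make it checkable against the spec, for example `/* historyBuffer size is the protocol limit from [MS-RDPEGFX] 3.1.9.1.2; input exceeding it is malformed, not an implementation restriction. */`, assuming the 2500000 figure is the one meant. The struct body continues outside the hunk, so other fields may also be covered by the remark.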
@@ -334,6 +335,9 @@ rdp8_decompress_segment(zgfx_context_t *
 	len--;
 
 	if (!(flags & ZGX_PACKET_COMPRESSED)) {
+		if (len > 65535) {
+		    return false;
+		}
 		tvbuff_t *raw = tvb_new_subset_remaining(tvb, 1);
 		zgfx_write_history_buffer_tvb(zgfx, raw, len);
 		return TRUE;
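Review bot: The new guard returns lowercase `false` while the existing return three lines below uses GLib's `TRUE`. On this 3.6.24 backport, `false` only compiles if `<stdbool.h>` is in scope, which the hunk does not show, so `return FALSE;` is the safer and more consistent spelling. The bare `65535` would be easier to audit as a named constant next to the struct, e.g. `#define ZGFX_SEGMENT_MAX_UNCOMPRESSED 65535`, and the `return` line is indented with spaces after the tabs, unlike the surrounding code. The declaration of `len` and any check before `len--` are outside the hunk; if `len` is signed and can be 0 on entry, the decrement produces a negative value that passes `len > 65535`, which is worth confirming before the value reaches `zgfx_write_history_buffer_tvb`.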
