fix: add integer overflow check in wf_cliprdr.c (#15142)

* fix: V-003 security vulnerability Automated security fix generated by OrbisAI Security Signed-off-by: orbisai0security <mediratta01.pally@gmail.com> * fix: add integer overflow check in wf_cliprdr.c At line 774, memory is allocated using calloc with instance->m_nStreams as the count parameter Signed-off-by: orbisai0security <mediratta01.pally@gmail.com> * Apply code changes: @orbisai0security can you address code review comm... * fix(cliprdr): ci Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): ci, use msvc Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): ci Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): ci, test Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): fix ci Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): fix ci Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): fix ci Signed-off-by: fufesou <linlong1266@gmail.com> * fix(cliprdr): ci Signed-off-by: fufesou <linlong1266@gmail.com> * Apply code changes: @orbisai0security can you address code review comm... * adding bounds check and tests * Apply code changes: @orbisai0security can you address code review comm... * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Signed-off-by: orbisai0security <mediratta01.pally@gmail.com> Signed-off-by: fufesou <linlong1266@gmail.com> Co-authored-by: fufesou <linlong1266@gmail.com> Co-authored-by: RustDesk <71636191+rustdesk@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-10 02:14:53 +03:00 · 2026-06-01 12:56:39 +05:30
parent 5eed50961d
commit fabeae4180
3 changed files with 293 additions and 36 deletions
--- a/tests/test_invariant_wf_cliprdr.c
+++ b/tests/test_invariant_wf_cliprdr.c
@@ -0,0 +1,92 @@
+#include <check.h>
+#include <stdlib.h>
+#include <stddef.h>
+
+#include "../libs/clipboard/src/windows/wf_cliprdr.c"
+
+static SIZE_T descriptor_size(UINT count)
+{
+	return offsetof(FILEGROUPDESCRIPTORW, fgd) + (SIZE_T)count * sizeof(FILEDESCRIPTORW);
+}
+
+START_TEST(test_descriptor_size_rejects_buffer_smaller_than_header)
+{
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid(0, 1), FALSE);
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid(
+	                     offsetof(FILEGROUPDESCRIPTORW, fgd) - 1, 1),
+	                 FALSE);
+}
+END_TEST
+
+START_TEST(test_descriptor_size_rejects_zero_items)
+{
+	ck_assert_int_eq(
+	    wf_cliprdr_file_group_descriptor_size_valid(offsetof(FILEGROUPDESCRIPTORW, fgd), 0),
+	    FALSE);
+}
+END_TEST
+
+START_TEST(test_descriptor_size_accepts_max_stream_count)
+{
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid(
+	                     descriptor_size(WF_CLIPRDR_MAX_STREAMS), WF_CLIPRDR_MAX_STREAMS),
+	                 TRUE);
+}
+END_TEST
+
+START_TEST(test_descriptor_size_rejects_stream_count_above_limit)
+{
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid(
+	                     descriptor_size(WF_CLIPRDR_MAX_STREAMS), WF_CLIPRDR_MAX_STREAMS + 1),
+	                 FALSE);
+}
+END_TEST
+
+START_TEST(test_descriptor_size_rejects_truncated_descriptor_array)
+{
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid(descriptor_size(2) - 1, 2),
+	                 FALSE);
+}
+END_TEST
+
+START_TEST(test_descriptor_size_rejects_extreme_count)
+{
+	ck_assert_int_eq(wf_cliprdr_file_group_descriptor_size_valid((SIZE_T)-1, (UINT)-1),
+	                 FALSE);
+}
+END_TEST
+
+Suite *wf_cliprdr_invariant_suite(void)
+{
+	Suite *s;
+	TCase *tc_core;
+
+	s = suite_create("wf_cliprdr_invariants");
+	tc_core = tcase_create("descriptor_size");
+
+	tcase_add_test(tc_core, test_descriptor_size_rejects_buffer_smaller_than_header);
+	tcase_add_test(tc_core, test_descriptor_size_rejects_zero_items);
+	tcase_add_test(tc_core, test_descriptor_size_accepts_max_stream_count);
+	tcase_add_test(tc_core, test_descriptor_size_rejects_stream_count_above_limit);
+	tcase_add_test(tc_core, test_descriptor_size_rejects_truncated_descriptor_array);
+	tcase_add_test(tc_core, test_descriptor_size_rejects_extreme_count);
+
+	suite_add_tcase(s, tc_core);
+	return s;
+}
+
+int main(void)
+{
+	int number_failed;
+	Suite *s;
+	SRunner *sr;
+
+	s = wf_cliprdr_invariant_suite();
+	sr = srunner_create(s);
+
+	srunner_run_all(sr, CK_NORMAL);
+	number_failed = srunner_ntests_failed(sr);
+	srunner_free(sr);
+
+	return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}