From f2558e541ed60976686d933ddebcd6aace63aac5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20=C3=85strand?=
Date: Fri, 18 Nov 2005 22:46:38 +0000
Subject: [PATCH] Handle too short 0xff and 0xfe commands in ui_draw_text. This fix should remove both a segfault and a "this shouldn't be happening" abortion, which I can trigger with vertical text in OpenOffice 2.0.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/trunk/rdesktop@1028 423420c4-83ab-492f-b58f-81f9feb106b5
---
 xwin.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/xwin.c b/xwin.c
index 76a802c..af9b51b 100644
--- a/xwin.c
+++ b/xwin.c
@@ -2445,20 +2445,27 @@ ui_draw_text(uint8 font, uint8 flags, uint8 opcode, int mixmode, int x, int y,
 switch (text[i])
 {
 case 0xff:
- if (i + 2 < length)
- cache_put_text(text[i + 1], text, text[i + 2]);
- else
+ if (i + 3 > length)
 {
- error("this shouldn't be happening\n");
- exit(1);
+ /* short command, skip */
+ i = length = 0;
+ break;
 }
+ cache_put_text(text[i + 1], text, text[i + 2]);
+ i += 3;
+ length -= i;
 /* this will move pointer from start to first character after FF command */
- length -= i + 3;
- text = &(text[i + 3]);
+ text = &(text[i]);
 i = 0;
 break;
 case 0xfe:
+ if (i + 3 > length)
+ {
+ /* short command, skip */
+ i = length = 0;
+ break;
+ }
 entry = cache_get_text(text[i + 1]);
 if (entry != NULL)
 {
@@ -2473,10 +2480,7 @@ ui_draw_text(uint8 font, uint8 flags, uint8 opcode, int mixmode, int x, int y,
 for (j = 0; j < entry->size; j++)
 DO_GLYPH(((uint8 *) (entry->data)), j);
 }
- if (i + 2 < length)
- i += 3;
- else
- i += 2;
+ i += 3;
 length -= i;
 /* this will move pointer from start to first character after FE command */
 text = &(text[i]);
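Review bot: In the 0xff case the count handed to `cache_put_text(text[i + 1], text, text[i + 2])` is a byte taken from the incoming stream and is never compared with the amount of data that `text` actually holds. The new `i + 3 > length` guard only proves the three command bytes are present; if `cache_put_text` copies that many bytes from `text` (its body is not part of this patch, so this is inferred), a count larger than the remaining data reads past the buffer. A bound before the call, for example `if (text[i + 2] > length) { i = length = 0; break; }`, would close that unless the callee already checks it. The enclosing function starts and ends outside the hunk.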
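Review bot: The unconditional `i += 3` that replaces `if (i + 2 < length) i += 3; else i += 2;` depends on the `i + 3 > length` guard added to the 0xfe case in the previous hunk, and together they change behaviour: a trailing 0xfe command that carries only the cache index used to be drawn and is now dropped silently. If that two-byte form is valid on the wire, which the removed `else i += 2` suggests was expected, the guard could be `if (i + 2 > length)` with the old conditional advance kept and any use of `text[i + 2]` in the part of the case not shown here checked separately. Either way, a comment stating the minimum length of a 0xfe command and a warning when data is discarded would make missing text easier to diagnose than the bare `/* short command, skip */`.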