From dea1fe3386b8fdb1b8bb1762ce5c9da4c4590419 Mon Sep 17 00:00:00 2001 From: Romain Vimont Date: Fri, 13 Sep 2024 19:48:44 +0200 Subject: [PATCH] Validate crop and video size A video width or height of 0 triggered an assert. Fail explicitly instead: the server may actually send this size in practice (for example on cropping with small dimensions, even if the requested crop size is not 0). --- app/src/screen.c | 6 ++++++ server/src/main/java/com/genymobile/scrcpy/Options.java | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/app/src/screen.c b/app/src/screen.c index 55a06ab3..dc61e835 100644 --- a/app/src/screen.c +++ b/app/src/screen.c @@ -299,6 +299,12 @@ sc_screen_frame_sink_open(struct sc_frame_sink *sink, struct sc_screen *screen = DOWNCAST(sink); + if (ctx->width <= 0 || ctx->width > 0xFFFF + || ctx->height <= 0 || ctx->height > 0xFFFF) { + LOGE("Invalid video size: %dx%d", ctx->width, ctx->height); + return false; + } + assert(ctx->width > 0 && ctx->width <= 0xFFFF); assert(ctx->height > 0 && ctx->height <= 0xFFFF); // screen->frame_size is never used before the event is pushed, and the diff --git a/server/src/main/java/com/genymobile/scrcpy/Options.java b/server/src/main/java/com/genymobile/scrcpy/Options.java index 2f86d8ce..d07828eb 100644 --- a/server/src/main/java/com/genymobile/scrcpy/Options.java +++ b/server/src/main/java/com/genymobile/scrcpy/Options.java @@ -456,8 +456,14 @@ public class Options { } int width = Integer.parseInt(tokens[0]); int height = Integer.parseInt(tokens[1]); + if (width <= 0 || height <= 0) { + throw new IllegalArgumentException("Invalid crop size: " + width + "x" + height); + } int x = Integer.parseInt(tokens[2]); int y = Integer.parseInt(tokens[3]); + if (x < 0 || y < 0) { + throw new IllegalArgumentException("Invalid crop offset: " + x + ":" + y); + } return new Rect(x, y, x + width, y + height); }