--- ../xrdp-0.4.0~dfsg/rdp/rdp_rdp.c	2007-01-12 05:51:48.000000000 +0100
+++ rdp/rdp_rdp.c	2009-01-14 20:45:50.000000000 +0100
@@ -395,7 +395,7 @@
 
 /******************************************************************************/
 /* Process a color pointer PDU */
-static void APP_CC
+static int APP_CC
 rdp_rdp_process_color_pointer_pdu(struct rdp_rdp* self, struct stream* s)
 {
   int cache_idx;
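Review bot: The header comment `/* Process a color pointer PDU */` above the changed signature says nothing about the return value that `static int APP_CC` now introduces, so the 0/1 convention the callers in the later hunks rely on is undocumented at the definition. Suggest `/* Process a color pointer PDU. Returns 0 on success, 1 if the PDU is rejected (bad cache index or oversized mask/data length) */`. The same applies to the headers of `rdp_rdp_process_cached_pointer_pdu` and `rdp_rdp_process_pointer_pdu` changed in the hunks below. The function body continues past this hunk.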
@@ -404,6 +404,10 @@
   struct rdp_cursor* cursor;
 
   in_uint16_le(s, cache_idx);
+  if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))
+  {
+    return 1;
+  }
   cursor = self->cursors + cache_idx;
   in_uint16_le(s, cursor->x);
   in_uint16_le(s, cursor->y);
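Review bot: The new bounds check `if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))` divides by the size of a pointer, because `cursor` is declared `struct rdp_cursor*` (visible at the top of this hunk), not by the size of an array element. If `self->cursors` is an array of `struct rdp_cursor` — which `cursor = self->cursors + cache_idx` suggests — the computed count is several times larger than the real element count, so out-of-range indices still pass and the subsequent writes through `cursor` go past the end of the array. The intended check is `if (cache_idx >= sizeof(self->cursors) / sizeof(self->cursors[0]))`. The identical expression appears in the cached pointer hunk below (`rdp_rdp_process_cached_pointer_pdu`) and needs the same fix. The enclosing function begins in the previous hunk.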
@@ -411,24 +415,34 @@
   in_uint16_le(s, cursor->height);
   in_uint16_le(s, mlen); /* mask length */
   in_uint16_le(s, dlen); /* data length */
+  if (mlen > sizeof(cursor->mask) || dlen > sizeof(cursor->data))
+  {
+    return 1;
+  }
   in_uint8a(s, cursor->data, dlen);
   in_uint8a(s, cursor->mask, mlen);
   self->mod->server_set_cursor(self->mod, cursor->x, cursor->y,
                                cursor->data, cursor->mask);
+  return 0;
 }
 
 /******************************************************************************/
 /* Process a cached pointer PDU */
-static void APP_CC
+static int APP_CC
 rdp_rdp_process_cached_pointer_pdu(struct rdp_rdp* self, struct stream* s)
 {
   int cache_idx;
   struct rdp_cursor* cursor;
 
   in_uint16_le(s, cache_idx);
+  if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))
+  {
+    return 1;
+  }
   cursor = self->cursors + cache_idx;
   self->mod->server_set_cursor(self->mod, cursor->x, cursor->y,
                                cursor->data, cursor->mask);
+  return 0;
 }
 
 /******************************************************************************/
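Review bot: The added `mlen`/`dlen` check bounds the destination buffers, but `in_uint8a(s, cursor->data, dlen)` and `in_uint8a(s, cursor->mask, mlen)` still copy up to those lengths out of `s` with no visible check that the stream actually holds that many bytes, so a truncated PDU with large declared lengths can read past the end of the stream buffer; nothing in this hunk inspects the stream's remaining length before the copies. Note also that `cursor->x`, `cursor->y`, `cursor->width` and `cursor->height` have already been stored into the cache slot before the check fails, so a rejected PDU leaves a half-updated entry that a later cached pointer PDU would hand to `server_set_cursor`. Whether `sizeof(cursor->mask)` and `sizeof(cursor->data)` are meaningful here depends on those members being arrays rather than pointers, which this hunk does not show. At minimum I would mark the gap: `/* TODO: verify s has dlen + mlen bytes remaining before these copies */` above the first `in_uint8a`. The enclosing color-pointer function starts in the previous hunk.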
@@ -456,7 +470,7 @@
 
 /******************************************************************************/
 /* Process a pointer PDU */
-static void APP_CC
+static int APP_CC
 rdp_rdp_process_pointer_pdu(struct rdp_rdp* self, struct stream* s)
 {
   int message_type;
@@ -472,10 +486,16 @@
       in_uint16_le(s, y);
       break;
     case RDP_POINTER_COLOR:
-      rdp_rdp_process_color_pointer_pdu(self, s);
+      if (rdp_rdp_process_color_pointer_pdu(self, s))
+      {
+        return 1;
+      }
       break;
     case RDP_POINTER_CACHED:
-      rdp_rdp_process_cached_pointer_pdu(self, s);
+      if (rdp_rdp_process_cached_pointer_pdu(self, s))
+      {
+        return 1;
+      }
       break;
     case RDP_POINTER_SYSTEM:
       rdp_rdp_process_system_pointer_pdu(self, s);
@@ -483,6 +503,7 @@
     default:
       break;
   }
+  return 0;
 }
 
 /******************************************************************************/
@@ -860,7 +881,10 @@
     case RDP_DATA_PDU_SYNCHRONISE:
       break;
     case RDP_DATA_PDU_POINTER:
-      rdp_rdp_process_pointer_pdu(self, s);
+      if (rdp_rdp_process_pointer_pdu(self, s))
+      {
+        return 1;
+      }
       break;
     case RDP_DATA_PDU_BELL:
       break;
