--- a/libfreerdp-core/license.h 2013-01-03 05:46:59.000000000 +0800
+++ b/libfreerdp-core/license.h 2014-04-09 19:11:59.593507658 +0800
@@ -177,9 +177,9 @@
 SCOPE_LIST* license_new_scope_list();
 void license_free_scope_list(SCOPE_LIST* scopeList);
-void license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList);
+boolean license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList);
-void license_read_license_request_packet(rdpLicense* license, STREAM* s);
+boolean license_read_license_request_packet(rdpLicense* license, STREAM* s);
 void license_read_platform_challenge_packet(rdpLicense* license, STREAM* s);
 void license_read_new_license_packet(rdpLicense* license, STREAM* s);
 void license_read_upgrade_license_packet(rdpLicense* license, STREAM* s);
--- a/libfreerdp-core/license.c 2013-01-03 05:46:59.000000000 +0800
+++ b/libfreerdp-core/license.c 2014-04-09 19:11:59.593507658 +0800
@@ -199,7 +199,8 @@
 switch (bMsgType)
 {
 case LICENSE_REQUEST:
- license_read_license_request_packet(license, s);
+ if(!license_read_license_request_packet(license, s))
+ return false;
 license_send_new_license_request_packet(license);
 break;
@@ -533,13 +534,16 @@
 * @param scopeList scope list
 */
-void license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList)
+boolean license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList)
 {
 uint32 i;
 uint32 scopeCount;
 stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */
+ if (scopeCount > stream_get_length(s) / 4) /* every blob is at least 4 bytes */
+ return false;
+
 scopeList->count = scopeCount;
 scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);
@@ -549,6 +553,7 @@
 scopeList->array[i].type = BB_SCOPE_BLOB;
 license_read_binary_blob(s, &scopeList->array[i]);
 }
+ return true;
 }
 /**
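Review bot: Only two of the five packet readers declared in this header hunk gain a boolean return; license_read_platform_challenge_packet, license_read_new_license_packet and license_read_upgrade_license_packet stay void, so their callers still have no way to reject a malformed packet the way the LICENSE_REQUEST case now does. If those readers consume length-prefixed blobs the same way license_read_scope_list does (their bodies are not shown here), they warrant the same treatment. The new prototypes also document nothing about the return contract; a comment above them such as `/* Return false when the packet is malformed; the stream must then be discarded. */` would make it explicit for callers.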
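Review bot: The new guard in the LICENSE_REQUEST case is spelled `if(!license_read_license_request_packet(license, s))` with an unbraced body, while the surrounding code puts a space after the keyword (`switch (bMsgType)`); the same spelling recurs in the ScopeList hunk of license.c. I would write `if (!license_read_license_request_packet(license, s))` with `return false;` in braces, matching the file. The enclosing function starts and ends outside this hunk, so I cannot see whether the partly-filled rdpLicense left behind by the early return (server random and product info are read before the scope list) matters to the caller; worth confirming that the connection is torn down rather than retried on the same state.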
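Review bot: The added bound `scopeCount > stream_get_length(s) / 4` compares against `stream_get_length(s)`, which in this stream API I believe is the `p - data` offset, i.e. bytes already consumed rather than bytes still readable — confirm against stream.h; if so the check measures the wrong quantity and should use the remaining-bytes accessor, `if (scopeCount > stream_get_left(s) / 4)`. The `stream_read_uint32(s, scopeCount)` one line above is itself performed without checking that 4 bytes remain. In the loop (second hunk of this file section) `license_read_binary_blob(s, &scopeList->array[i])` still returns void, so unless that helper validates its own length field against the remaining bytes, the count check alone does not make the loop safe. The loop header sits between the two hunks and is not shown.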
@@ -593,7 +598,7 @@
 * @param s stream
 */
-void license_read_license_request_packet(rdpLicense* license, STREAM* s)
+boolean license_read_license_request_packet(rdpLicense* license, STREAM* s)
 {
 /* ServerRandom (32 bytes) */
 stream_read(s, license->server_random, 32);
@@ -608,7 +613,8 @@
 license_read_binary_blob(s, license->server_certificate);
 /* ScopeList */
- license_read_scope_list(s, license->scope_list);
+ if(!license_read_scope_list(s, license->scope_list))
+ return false;
 /* Parse Server Certificate */
 certificate_read_server_certificate(license->certificate,
@@ -617,6 +623,7 @@
 license_generate_keys(license);
 license_generate_hwid(license);
 license_encrypt_premaster_secret(license);
+ return true;
 }
 /**
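Review bot: The Doxygen block that ends at `* @param s stream` still describes only the parameters although the function now returns boolean; add `@return true on success, false if the packet is malformed and the stream should be discarded`. The first read in the body, `stream_read(s, license->server_random, 32)`, is still done without checking that 32 bytes remain, so the new return value currently reports only a scope-list failure. The function body continues beyond this hunk.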
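Review bot: The failure path added after `/* ScopeList */` covers only the scope list, while `license_read_binary_blob(s, license->server_certificate)` on the context line just above uses the same length-prefixed blob reader and stays void and unchecked; if that helper takes its length field straight from the wire, a truncated certificate blob still reaches certificate_read_server_certificate. The `if(` spelling here is the one already discussed on the LICENSE_REQUEST hunk. The enclosing function continues outside this hunk on both sides.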