How is an image processed for display on the OSD screen when it is uploaded through the zero client admin web interface (AWI)?
The web interface of the zero client performs basic checking, permitting only .bmp files to be uploaded. It will exclude files such as foo.exe.bmp.
The next layer during the upload is a check to ensure the file has a valid BMP header with the correct dimensions, bpp, and signature. If the dimensions or bpp are not supported, the file is rejected. Next, the content is verified to ensure it matches the expected format and content of a bitmap. If those checks pass, the bitmap is written to flash.
We use the hash of the bitmap to ensure the file has not been corrupted along the way. If it has been corrupted, it is rejected. When writing the bitmap to flash, checks are in place to ensure it will not overflow the allocated space and impact other information stored in flash. If the bitmap is too large, it is rejected.
We are unaware of any vulnerabilities in our rendering of the image. In addition, the rendering happens in the OSD and not at all in the AWI, so there is no possibility of vulnerabilities such as cross-site scripting arising from the image being rendered and interpreted incorrectly. In addition, the zero client does not contain a general-purpose operating system, so it is unlikely that an error in the image or malicious information in the image would result in manipulation of other services.
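The header, layout and flash-size checks described above can be sketched as follows. This is an added example, not the zero client firmware's code: the limits (`MAX_W`, `MAX_H`, `REQ_BPP`, `FLASH_SLOT_BYTES`), the function names and the sample image are assumptions, and the hash comparison is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed limits for illustration; the page does not state the real ones. */
#define MAX_W 256u
#define MAX_H 64u
#define REQ_BPP 24u
#define FLASH_SLOT_BYTES (32u * 1024u)
#define HDR_BYTES 54u /* 14-byte file header + 40-byte BITMAPINFOHEADER */

enum bmp_result { BMP_OK, BMP_TRUNCATED, BMP_BAD_SIGNATURE, BMP_BAD_HEADER,
                  BMP_BAD_DIMENSIONS, BMP_BAD_BPP, BMP_BAD_LAYOUT, BMP_TOO_LARGE };

/* Little-endian 32-bit read and write. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate an uploaded buffer before anything is written to flash. */
enum bmp_result bmp_validate(const uint8_t *buf, size_t len)
{
    if (len < HDR_BYTES) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_SIGNATURE;
    uint32_t file_size = rd32(buf + 2), data_off = rd32(buf + 10);
    uint32_t width = rd32(buf + 18), height = rd32(buf + 22);
    uint32_t planes = rd32(buf + 26) & 0xffffu, bpp = rd32(buf + 26) >> 16;
    /* Header size 40, one plane, uncompressed (BI_RGB) only. */
    if (rd32(buf + 14) != 40 || planes != 1 || rd32(buf + 30) != 0) return BMP_BAD_HEADER;
    /* Unsigned compare also rejects negative (top-down) heights as huge values. */
    if (width == 0 || width > MAX_W || height == 0 || height > MAX_H) return BMP_BAD_DIMENSIONS;
    if (bpp != REQ_BPP) return BMP_BAD_BPP;
    /* Rows are padded to 4 bytes; dimensions are already bounded, so no overflow. */
    uint32_t pixels = (width * bpp + 31) / 32 * 4 * height;
    if (file_size != len || data_off != HDR_BYTES || len - data_off != pixels) return BMP_BAD_LAYOUT;
    /* Independent bound: supported dimensions alone do not guarantee the slot fits. */
    if (len > FLASH_SLOT_BYTES) return BMP_TOO_LARGE;
    return BMP_OK;
}

/* Constructed sample: build a w x h image, drop `cut` trailing bytes, validate. */
enum bmp_result check_sample(uint32_t w, uint32_t h, uint32_t bpp, size_t cut)
{
    static uint8_t buf[64u * 1024u];
    uint32_t total = HDR_BYTES + (w * bpp + 31) / 32 * 4 * h;
    if (total > sizeof buf || cut > total) return BMP_TOO_LARGE; /* helper guard only */
    memset(buf, 0, total); buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, total); wr32(buf + 10, HDR_BYTES); wr32(buf + 14, 40);
    wr32(buf + 18, w); wr32(buf + 22, h); wr32(buf + 26, 1u | bpp << 16);
    return bmp_validate(buf, total - cut);
}
int main(void) { return check_sample(64, 32, 24, 0) == BMP_OK ? 0 : 1; }
```

The declared file size and pixel-data length are compared against the bytes actually received, so a header that understates or overstates the payload is rejected before the flash-size bound is evaluated.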