Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory out of bounds read in update_read_bitmap_data #6005

Closed
hac425xxx opened this issue Mar 31, 2020 · 4 comments
Closed

memory out of bounds read in update_read_bitmap_data #6005

hac425xxx opened this issue Mar 31, 2020 · 4 comments

Comments

@hac425xxx
Copy link

vuln code


static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)
{
	WINPR_UNUSED(update);
	if (Stream_GetRemainingLength(s) < 18)
		return FALSE;

	Stream_Read_UINT16(s, bitmapData->destLeft);
	Stream_Read_UINT16(s, bitmapData->destTop);
	Stream_Read_UINT16(s, bitmapData->destRight);
	Stream_Read_UINT16(s, bitmapData->destBottom);
	Stream_Read_UINT16(s, bitmapData->width);
	Stream_Read_UINT16(s, bitmapData->height);
	Stream_Read_UINT16(s, bitmapData->bitsPerPixel);
	Stream_Read_UINT16(s, bitmapData->flags);
	Stream_Read_UINT16(s, bitmapData->bitmapLength);
        
       // now use 18 byte in s


	if (bitmapData->flags & BITMAP_COMPRESSION)
	{
		if (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))
		{
                        // below read data from stream without check stream's size
			Stream_Read_UINT16(s,
			                   bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */
			Stream_Read_UINT16(s,
			                   bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */
			Stream_Read_UINT16(s, bitmapData->cbScanWidth);     /* cbScanWidth (2 bytes) */
			Stream_Read_UINT16(s,
			                   bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */
			bitmapData->bitmapLength = bitmapData->cbCompMainBodySize;
		}

		bitmapData->compressed = TRUE;
	}
	else
		bitmapData->compressed = FALSE;

	if (Stream_GetRemainingLength(s) < bitmapData->bitmapLength)
		return FALSE;

The function first verifies that the length of s cannot be less than 18, and then reads 18 bytes later.

If bitmapData-> flags & BITMAP_COMPRESSION and ! (BitmapData-> flags & NO_BITMAP_COMPRESSION_HDR) , it will continue to read data from the stream without check if the length in the stream is enough

@hac425xxx
Copy link
Author

suggestion:

check stream's length before read it

@hac425xxx
Copy link
Author

branch

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/update.c#L106

@akallabeth akallabeth added this to the 2.0.0 milestone Mar 31, 2020
@bmiklautz
Copy link
Member

@hac425xxx Thank you. Just as note it would be nice if you contact us before opening a security related issue.

@carnil
Copy link

carnil commented May 8, 2020

CVE-2020-11045 was assigned for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants