stream out of bounds seek in update_read_synchronize could lead out of bounds read later #6006

Closed
@hac425xxx

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/update.c#L293

vuln code

static void update_read_synchronize(rdpUpdate* update, wStream* s)
{
	WINPR_UNUSED(update);
	Stream_Seek_UINT16(s); /* pad2Octets (2 bytes) */
	                       /**
	                        * The Synchronize Update is an artifact from the
	                        * T.128 protocol and should be ignored.
	                        */
}

The code just seeks the stream pointer without checking the stream's length; it could lead to _s->pointer - _s->buffer > _s->length.
Then the checks in other functions could fail, which could lead to an out-of-bounds read later.
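
The wrap-around described in the report, as an added example that is not part of the original issue or FreeRDP's code. `mini_stream` and its helpers are hypothetical, simplified stand-ins for `wStream`, and the unsigned remaining-length calculation is an assumption about how later bounds checks are written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a wStream. */
typedef struct {
	const uint8_t* buffer;  /* start of the data */
	const uint8_t* pointer; /* current read position */
	size_t length;          /* number of valid bytes */
} mini_stream;

/* Unsigned remaining length: wraps to a huge value once pointer > buffer + length. */
static size_t remaining(const mini_stream* s)
{
	return s->length - (size_t)(s->pointer - s->buffer);
}

/* Pattern from the issue: skip the 2 padding bytes with no length check. */
static void skip_pad_unchecked(mini_stream* s)
{
	s->pointer += 2;
}

/* Checked variant: refuse to seek when fewer than 2 bytes remain. */
static bool skip_pad_checked(mini_stream* s)
{
	if (remaining(s) < 2)
		return false;
	s->pointer += 2;
	return true;
}

/* Constructed input: 8-byte backing store of which only 1 byte is valid data.
 * Returns the remaining length a later bounds check would see. */
static size_t remaining_after(bool checked)
{
	static const uint8_t backing[8] = { 0 };
	mini_stream s = { backing, backing, 1 };
	if (checked)
		(void)skip_pad_checked(&s); /* fails, pointer is left untouched */
	else
		skip_pad_unchecked(&s);
	return remaining(&s);
}

int main(void)
{
	printf("unchecked: %zu, checked: %zu\n", remaining_after(false), remaining_after(true));
	return 0;
}
```

After the unchecked seek, any later test of the form `remaining(s) >= n` succeeds for every `n`, which is why the handler has to validate the length and report failure before moving the pointer.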
