Closed
Description
version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129
vuln code
if Stream_GetRemainingLength(s) = 5 and *length = 5, it could one byte overflow read in Stream_Read_UINT16(s, *channel_id);
BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
if (Stream_GetRemainingLength(s) < 2)
return FALSE;
Stream_Read_UINT16(s, *length); /* totalLength */
if (((size_t)*length - 2) > Stream_GetRemainingLength(s))
return FALSE;
Stream_Read_UINT16(s, *type); /* pduType */
*type &= 0x0F; /* type is in the 4 least significant bits */
if (*length > 4)
Stream_Read_UINT16(s, *channel_id); // memory out of bounds read
return TRUE;
}