We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129
vuln code
if Stream_GetRemainingLength(s) = 5 and *length = 5, it could one byte overflow read in Stream_Read_UINT16(s, *channel_id);
Stream_GetRemainingLength(s) = 5
*length = 5
Stream_Read_UINT16(s, *channel_id);
BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id) { if (Stream_GetRemainingLength(s) < 2) return FALSE; Stream_Read_UINT16(s, *length); /* totalLength */ if (((size_t)*length - 2) > Stream_GetRemainingLength(s)) return FALSE; Stream_Read_UINT16(s, *type); /* pduType */ *type &= 0x0F; /* type is in the 4 least significant bits */ if (*length > 4) Stream_Read_UINT16(s, *channel_id); // memory out of bounds read return TRUE; }
The text was updated successfully, but these errors were encountered:
Successfully merging a pull request may close this issue.
version
vuln code
if
Stream_GetRemainingLength(s) = 5
and*length = 5
, it could one byte overflow read inStream_Read_UINT16(s, *channel_id);
The text was updated successfully, but these errors were encountered: