Description
Affected version:
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/window.c#L187
Vulnerable code
update_read_icon_info first reads three attacker-controlled 16-bit lengths from the wStream: iconInfo->cbColorTable (apparently only on some branches of the preceding switch, note the `break` below), then iconInfo->cbBitsMask and iconInfo->cbBitsColor:
static BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
{
..................................................
..................................................
Stream_Read_UINT16(s, iconInfo->cbColorTable); /* cbColorTable (2 bytes) */
break;
}
//
Stream_Read_UINT16(s, iconInfo->cbBitsMask); /* cbBitsMask (2 bytes) */
Stream_Read_UINT16(s, iconInfo->cbBitsColor); /* cbBitsColor (2 bytes) */
It then bounds the remaining stream length against cbBitsMask and cbBitsColor only — cbColorTable is not included in the check:
if (Stream_GetRemainingLength(s) < iconInfo->cbBitsMask + iconInfo->cbBitsColor)
return FALSE;
It then calls Stream_Read three times, consuming cbBitsMask + cbColorTable + cbBitsColor bytes in total, which is more than the amount that was validated:
....................................................................................................
....................................................................................................
....................................................................................................
Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);
....................................................................................................
....................................................................................................
Stream_Read(s, iconInfo->colorTable, iconInfo->cbColorTable);
....................................................................................................
....................................................................................................
Stream_Read(s, iconInfo->bitsColor, iconInfo->cbBitsColor);
So when cbBitsMask + cbBitsColor <= Stream_GetRemainingLength(s) (the check passes) but cbBitsMask + cbColorTable + cbBitsColor > Stream_GetRemainingLength(s), the Stream_Read into colorTable (and, depending on the values, the following read into bitsColor) reads past the end of the stream buffer — an out-of-bounds read of up to cbColorTable bytes (a UINT16, so up to 65535), triggered by crafted icon data in a window order, presumably from a malicious server since this is client-side parsing. The fix is to include cbColorTable in the length check (all three fields are UINT16, so the sum cannot overflow in the size_t comparison), or, in the usual FreeRDP style, to check Stream_GetRemainingLength(s) immediately before each individual Stream_Read.