Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

memory out of bounds read in update_read_icon_info #6010

Closed
hac425xxx opened this issue Mar 31, 2020 · 2 comments
Closed

memory out of bounds read in update_read_icon_info #6010

hac425xxx opened this issue Mar 31, 2020 · 2 comments
Labels
fixed-waiting-test
Milestone
2.0.0

Comments

@hac425xxx
Copy link

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/window.c#L187

vuln code

update_read_icon_info first read iconInfo->cbColorTable, iconInfo->cbBitsMask and iconInfo->cbBitsColor from the wStream,

static BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
{
        ..................................................
        ..................................................
			Stream_Read_UINT16(s, iconInfo->cbColorTable); /* cbColorTable (2 bytes) */
			break;
	}
        // 
	Stream_Read_UINT16(s, iconInfo->cbBitsMask);  /* cbBitsMask (2 bytes) */
	Stream_Read_UINT16(s, iconInfo->cbBitsColor); /* cbBitsColor (2 bytes) */

And then it check cbBitsMask and cbBitsColor

	if (Stream_GetRemainingLength(s) < iconInfo->cbBitsMask + iconInfo->cbBitsColor)
		return FALSE;

Then it could call Stream_Read to read data from s, size is cbBitsMask+cbColorTable+cbBitsColor

        ....................................................................................................
        ....................................................................................................
        ....................................................................................................
	Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);

        ....................................................................................................
        ....................................................................................................

		Stream_Read(s, iconInfo->colorTable, iconInfo->cbColorTable);

        ....................................................................................................
        ....................................................................................................
	Stream_Read(s, iconInfo->bitsColor, iconInfo->cbBitsColor);

so when cbBitsMask+cbBitsColor < Stream_GetRemainingLength(s) and cbBitsMask+cbColorTable+cbBitsColor > Stream_GetRemainingLength(s) , it could lead memory out of bounds read
@akallabeth akallabeth added this to the 2.0.0 milestone Mar 31, 2020
akallabeth added a commit to akallabeth/FreeRDP that referenced this issue Apr 2, 2020
@akallabeth
Fix FreeRDP#6010: Check length in read_icon_info
1237662
@nfedera nfedera closed this as completed in 6b2bc41 Apr 6, 2020
@bmiklautz bmiklautz mentioned this issue May 6, 2020
Closed
@carnil
Copy link

carnil commented May 8, 2020

CVE-2020-11042 was assigned for this issue.

@tcullum-rh
Copy link

@akallabeth @hac425xxx Does this function accept untrusted input (icon metadata packet) from anywhere or only from an established RDP connection? Trying to assess impact. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fixed-waiting-test
Projects
None yet
Milestone
2.0.0
Development

No branches or pull requests
4 participants
@carnil @akallabeth @hac425xxx @tcullum-rh