
memory out of bounds read in update_read_icon_info #6010

Closed
@hac425xxx

Description

@hac425xxx

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/window.c#L187

vuln code

update_read_icon_info first reads iconInfo->cbColorTable, iconInfo->cbBitsMask and iconInfo->cbBitsColor from the wStream:

static BOOL update_read_icon_info(wStream* s, ICON_INFO* iconInfo)
{
        ..................................................
        ..................................................
			Stream_Read_UINT16(s, iconInfo->cbColorTable); /* cbColorTable (2 bytes) */
			break;
	}
        // 
	Stream_Read_UINT16(s, iconInfo->cbBitsMask);  /* cbBitsMask (2 bytes) */
	Stream_Read_UINT16(s, iconInfo->cbBitsColor); /* cbBitsColor (2 bytes) */

And then it checks cbBitsMask and cbBitsColor:

	if (Stream_GetRemainingLength(s) < iconInfo->cbBitsMask + iconInfo->cbBitsColor)
		return FALSE;

Then it calls Stream_Read to read data from s; the total size read is cbBitsMask+cbColorTable+cbBitsColor:

        ....................................................................................................
        ....................................................................................................
        ....................................................................................................
	Stream_Read(s, iconInfo->bitsMask, iconInfo->cbBitsMask);

        ....................................................................................................
        ....................................................................................................

		Stream_Read(s, iconInfo->colorTable, iconInfo->cbColorTable);

        ....................................................................................................
        ....................................................................................................
	Stream_Read(s, iconInfo->bitsColor, iconInfo->cbBitsColor);

So when cbBitsMask+cbBitsColor < Stream_GetRemainingLength(s) and cbBitsMask+cbColorTable+cbBitsColor > Stream_GetRemainingLength(s), it could lead to a memory out-of-bounds read.
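To make the length-accounting mistake concrete from the defender's side, here is an added, self-contained example that is not FreeRDP code and not part of the report. It uses a tiny stand-in stream type (`MiniStream`, an assumption, not the real wStream API) and a simplified three-field header (cbColorTable, cbBitsMask, cbBitsColor as little-endian u16, followed by the blobs) so the condition in the report can be exercised on constructed packets. `lengths_ok_buggy` mirrors the check quoted above (it ignores cbColorTable); `lengths_ok_fixed` counts every field that is subsequently read, and `parse_icon_blobs` shows the parser refusing the malformed packet before any blob is copied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a bounded input stream (assumption: not FreeRDP's wStream). */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} MiniStream;

static size_t ms_remaining(const MiniStream *s) { return s->len - s->pos; }

/* Read a little-endian u16; fails instead of reading past the buffer. */
static bool ms_read_u16(MiniStream *s, uint16_t *out) {
    if (ms_remaining(s) < 2) return false;
    *out = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8));
    s->pos += 2;
    return true;
}

/* Bounded copy of n bytes out of the stream. */
static bool ms_read(MiniStream *s, uint8_t *dst, size_t n) {
    if (ms_remaining(s) < n) return false;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return true;
}

typedef struct {
    uint16_t cbColorTable, cbBitsMask, cbBitsColor;
    uint8_t *bitsMask, *colorTable, *bitsColor;
} MiniIconInfo;

/* The check as quoted in the report: cbColorTable is not counted, so a stream
 * that holds only cbBitsMask+cbBitsColor bytes is accepted. Kept here purely to
 * show which inputs slip through; it is never used to drive a read. */
bool lengths_ok_buggy(size_t remaining, uint16_t cbColorTable,
                      uint16_t cbBitsMask, uint16_t cbBitsColor) {
    (void)cbColorTable;
    return remaining >= (size_t)cbBitsMask + cbBitsColor;
}

/* Hardened check: every field that a later Stream_Read consumes is summed.
 * size_t arithmetic on three u16 values cannot overflow. */
bool lengths_ok_fixed(size_t remaining, uint16_t cbColorTable,
                      uint16_t cbBitsMask, uint16_t cbBitsColor) {
    return remaining >= (size_t)cbBitsMask + cbColorTable + cbBitsColor;
}

void icon_free(MiniIconInfo *info) {
    free(info->bitsMask);
    free(info->colorTable);
    free(info->bitsColor);
    memset(info, 0, sizeof(*info));
}

/* Parse header + three blobs (same read order as the report: mask, color
 * table, color bits). Returns false, allocating nothing, when the stream
 * cannot hold all three blobs. */
bool parse_icon_blobs(MiniStream *s, MiniIconInfo *info) {
    memset(info, 0, sizeof(*info));
    if (!ms_read_u16(s, &info->cbColorTable) ||
        !ms_read_u16(s, &info->cbBitsMask) ||
        !ms_read_u16(s, &info->cbBitsColor))
        return false;
    if (!lengths_ok_fixed(ms_remaining(s), info->cbColorTable,
                          info->cbBitsMask, info->cbBitsColor))
        return false;
    /* +1 keeps zero-length blobs as valid, non-NULL allocations. */
    info->bitsMask   = calloc((size_t)info->cbBitsMask + 1, 1);
    info->colorTable = calloc((size_t)info->cbColorTable + 1, 1);
    info->bitsColor  = calloc((size_t)info->cbBitsColor + 1, 1);
    if (!info->bitsMask || !info->colorTable || !info->bitsColor) { icon_free(info); return false; }
    /* With the fixed check these cannot fail; the guard is defence in depth. */
    if (!ms_read(s, info->bitsMask, info->cbBitsMask) ||
        !ms_read(s, info->colorTable, info->cbColorTable) ||
        !ms_read(s, info->bitsColor, info->cbBitsColor)) { icon_free(info); return false; }
    return true;
}

/* Constructed sample packets (header: cbColorTable, cbBitsMask, cbBitsColor). */
/* 4 payload bytes but the fields claim 4+2+2 = 8: the report's condition. */
static const uint8_t MALFORMED_PKT[]  = {4,0, 2,0, 2,0, 0xAA,0xBB,0xCC,0xDD};
/* 4 payload bytes and the fields claim 1+2+1 = 4: consistent. */
static const uint8_t WELLFORMED_PKT[] = {1,0, 2,0, 1,0, 0xAA,0xBB,0xCC,0xDD};

int main(void) {
    MiniStream s = {MALFORMED_PKT, sizeof MALFORMED_PKT, 0};
    MiniIconInfo info;
    bool rejected = !parse_icon_blobs(&s, &info); /* true: fixed check refuses it */
    MiniStream g = {WELLFORMED_PKT, sizeof WELLFORMED_PKT, 0};
    bool accepted = parse_icon_blobs(&g, &info);  /* true: all blobs copied */
    if (accepted) icon_free(&info);
    return (rejected && accepted) ? 0 : 1;
}
```

The malformed packet passes `lengths_ok_buggy` (4 remaining bytes versus 2+2 claimed) while `lengths_ok_fixed` rejects it (4 versus 2+4+2), which is exactly the window the report describes; the general lesson is that a pre-read length check must sum every length that the subsequent reads consume, or each read must be bounds-checked individually.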
