version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/capabilities.c#L1398
vuln code
`rdp_read_capability_sets` first reads 2 bytes into `length`, then checks `Stream_GetRemainingLength(s) + 4 < length`.

Assume `Stream_GetRemainingLength(s)=1` and `length=5`; then the program will pass the check and continue execution.
```c
static BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCapabilities,
                                     UINT16 totalLength)
{
	UINT16 length = 0; /* declared earlier in the full function; shown here so the excerpt is self-contained */
	UINT16 type = 0;
	/* ... */
	/* read length and type from s */
	rdp_read_capability_set_header(s, &length, &type);

	if (Stream_GetRemainingLength(s) + 4 < ((size_t)length))
	{
		WLog_ERR(TAG, "error processing stream");
		return FALSE;
	}
	/* ... */
```
We could control `type=CAPSET_TYPE_FONT`, then it could enter `rdp_read_font_capability_set`:
```c
		case CAPSET_TYPE_FONT:
			if (!rdp_read_font_capability_set(s, length, settings))
				return FALSE;
			break;
```
`rdp_read_font_capability_set` could call `Stream_Seek_UINT16(s)` because `length=5`, but currently `Stream_GetRemainingLength(s)=1`:
```c
static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)
{
	if (length > 4)
		Stream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */

	if (length > 6)
		Stream_Seek_UINT16(s); /* pad2Octets (2 bytes) */

	return TRUE;
}
```
After `Stream_Seek_UINT16` is done, it could lead to `_s->pointer - _s->buffer > _s->length`. Then the check in other functions could fail, and this could lead to an out-of-bounds read later.
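To make the report's numbers concrete, here is an added example (not FreeRDP code; a constructed model of the stream with `MiniStream`, `remaining_length`, `stream_overrun` and `scenario_overruns` as assumed names) that runs the quoted header check and the quoted font parser with 1 byte remaining and `length=5`, beside an assumed hardened variant that checks the bytes actually remaining before each seek.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for wStream, constructed for this example. 'pos' models
   (pointer - buffer), so an overrun is visible without UB pointer math. */
typedef struct { size_t pos; size_t length; } MiniStream;

static size_t remaining_length(const MiniStream* s) {
    return s->pos <= s->length ? s->length - s->pos : 0;
}
/* True when pos > length: the state the report describes. */
bool stream_overrun(const MiniStream* s) { return s->pos > s->length; }

/* The caller's check as quoted in the report. With 1 byte remaining and
   length=5 it passes: the 4-byte header is already consumed, 1 byte is left. */
bool capset_header_check(const MiniStream* s, uint16_t length) {
    return !(remaining_length(s) + 4 < (size_t)length);
}

/* Font capability set parser as quoted: seeks are unchecked, so length=5
   with only 1 byte left moves pos past the end and still returns true. */
bool read_font_capset_reported(MiniStream* s, uint16_t length) {
    if (length > 4) s->pos += 2; /* fontSupportFlags (2 bytes) */
    if (length > 6) s->pos += 2; /* pad2Octets (2 bytes) */
    return true;
}

/* Hardened variant (assumed here, not FreeRDP's own fix): verify the bytes
   actually remaining before each seek instead of trusting 'length'. */
bool read_font_capset_hardened(MiniStream* s, uint16_t length) {
    if (length > 4) {
        if (remaining_length(s) < 2) return false;
        s->pos += 2; /* fontSupportFlags (2 bytes) */
    }
    if (length > 6) {
        if (remaining_length(s) < 2) return false;
        s->pos += 2; /* pad2Octets (2 bytes) */
    }
    return true;
}

/* Runs the report's scenario (1 byte left, length=5) through one parser.
   Returns true if the parser accepted the input and left the stream overrun. */
bool scenario_overruns(bool (*parser)(MiniStream*, uint16_t)) {
    MiniStream s = { 0, 1 }; /* constructed: 1-byte body remaining */
    if (!capset_header_check(&s, 5)) return false; /* check passes, as reported */
    bool accepted = parser(&s, 5);
    return accepted && stream_overrun(&s);
}
```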
3627aaf