version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/orders.c#L2167
Vulnerable code:
update_read_cache_bitmap_v3_order first reads new_len from the stream and passes it straight to realloc.
If new_len is 0, it calls realloc(bitmapData->data, 0); this could free bitmapData->data and return NULL (the behaviour of realloc with a size of 0 is implementation-defined, and the glibc implementation below does free the old block).
realloc function source code (glibc __libc_realloc):
void *__libc_realloc(void *oldmem, size_t bytes)
{
if (bytes == 0 && oldmem != NULL) // if bytes =0, it could free(oldmem).
{
__libc_free(oldmem);
return 0;
}
When new_data is NULL, the function jumps to fail and calls free_cache_bitmap_v3_order, which frees bitmapData->data again.
Double free!
Function code (excerpt):
/*
 * Excerpt from update_read_cache_bitmap_v3_order (libfreerdp/core/orders.c);
 * the parameter list and the lines between these statements are elided.
 * Sequence that produces the double free: a new_len of 0 passes the
 * remaining-length check, realloc(bitmapData->data, 0) may free the old
 * buffer and return NULL, and the fail path then frees the same buffer
 * again through free_cache_bitmap_v3_order.
 */
static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order
{
Stream_Read_UINT32(s, new_len); // if new_len = 0
/* A zero length satisfies this check, so it is not caught here; a fix would reject or special-case new_len == 0 before the realloc below. */
if (Stream_GetRemainingLength(s) < new_len) //pass this check
goto fail;
/* realloc with size 0 is implementation-defined; glibc frees the block and returns NULL. */
new_data = (BYTE*)realloc(bitmapData->data, new_len); // realloc could free bitmapData->data
/* Treating NULL as failure here leaves bitmapData->data pointing at freed memory for the fail path. */
if (!new_data) // new_data could be NULL
goto fail;
fail:
free_cache_bitmap_v3_order(update->context, cache_bitmap_v3); // free bitmapData->data again.
return NULL;
}