version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/orders.c#L2167

vuln code
`update_read_cache_bitmap_v3_order` first reads `new_len` from the stream and passes `new_len` to `realloc`.
It can then call `realloc(bitmapData->data, 0)`, which frees `bitmapData->data` and returns NULL.

realloc function source code:

```c
void *__libc_realloc(void *oldmem, size_t bytes)
{
    if (bytes == 0 && oldmem != NULL) // if bytes == 0, it frees oldmem
    {
        __libc_free(oldmem);
        return 0;
    }
    /* ... */
```

When `new_data` is NULL, it then calls `free_cache_bitmap_v3_order`, which frees `bitmapData->data` again.
Double free!

function code:

```c
static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order(/* ... */)
{
    /* ... */
    Stream_Read_UINT32(s, new_len);                         // if new_len == 0
    if (Stream_GetRemainingLength(s) < new_len)             // passes this check
        goto fail;
    new_data = (BYTE*)realloc(bitmapData->data, new_len);   // realloc could free bitmapData->data
    if (!new_data)                                          // new_data could be NULL
        goto fail;
    /* ... */
fail:
    free_cache_bitmap_v3_order(update->context, cache_bitmap_v3); // frees bitmapData->data again
    return NULL;
}
```
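The double free described in the report, reproduced safely as an added example (this is not FreeRDP code and not the issue author's code): a small length-prefixed reader that mirrors the reported control flow (`realloc` the field in place, free the same field on any failure) next to a hardened reader that rejects a zero length before `realloc` is reached. The struct and function names (`blob_t`, `blob_read_vulnerable`, `blob_read_hardened`, `run_case`) are assumed for illustration, the allocation tracker stands in for glibc so that the second free is counted rather than executed, and the hardened variant is one safe shape, not the project's actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the bitmapData data/length pair of CACHE_BITMAP_V3_ORDER (assumed shape). */
typedef struct { uint8_t *data; uint32_t length; } blob_t;

/* Tiny allocation tracker: reproduces glibc's realloc(p, 0) == free(p) + NULL, but a
 * second free of the same pointer is counted instead of being handed to the heap. */
#define MAX_TRACKED 64
static struct { void *p; size_t size; int freed; } tracked[MAX_TRACKED];
static int double_free_count;

static int find_slot(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].p == p) return i;
    return -1;
}

static void *tracked_alloc(size_t n) {
    void *p = malloc(n ? n : 1);
    int i = find_slot(p);                 /* malloc may hand back a recycled address */
    if (i < 0) i = find_slot(NULL);
    if (!p || i < 0) abort();
    tracked[i].p = p; tracked[i].size = n; tracked[i].freed = 0;
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    int i = find_slot(p);
    if (i >= 0 && tracked[i].freed) { double_free_count++; return; }  /* caught, not executed */
    if (i >= 0) tracked[i].freed = 1;
    free(p);
}

static void *tracked_realloc(void *p, size_t n) {
    if (n == 0 && p) { tracked_free(p); return NULL; }   /* the glibc behaviour from the report */
    if (!p) return tracked_alloc(n);
    int i = find_slot(p);
    if (i < 0) abort();
    void *q = tracked_alloc(n);
    memcpy(q, p, tracked[i].size < n ? tracked[i].size : n);
    tracked_free(p);
    return q;
}

static uint32_t read_u32_le(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static void blob_free(blob_t *blob) { tracked_free(blob->data); blob->data = NULL; blob->length = 0; }

/* Mirrors the reported control flow: realloc the field in place, then free the same field
 * on any failure. For new_len == 0 the length check passes, realloc frees blob->data and
 * returns NULL, and the fail path frees the stale pointer a second time. */
int blob_read_vulnerable(blob_t *blob, const uint8_t *buf, size_t buflen) {
    uint32_t new_len;
    uint8_t *new_data;
    if (buflen < 4) goto fail;
    new_len = read_u32_le(buf);
    if (buflen - 4 < new_len) goto fail;               /* passes for new_len == 0 */
    new_data = tracked_realloc(blob->data, new_len);   /* frees blob->data when new_len == 0 */
    if (!new_data) goto fail;                          /* NULL is treated as allocation failure */
    blob->data = new_data;
    blob->length = new_len;
    memcpy(blob->data, buf + 4, new_len);
    return 0;
fail:
    blob_free(blob);                                   /* second free of the same pointer */
    return -1;
}

/* Hardened variant: a zero length is rejected before realloc is reached, and on realloc
 * failure the old buffer stays owned by blob->data, so the caller's single cleanup
 * releases it exactly once. */
int blob_read_hardened(blob_t *blob, const uint8_t *buf, size_t buflen) {
    uint32_t new_len;
    uint8_t *new_data;
    if (buflen < 4) return -1;
    new_len = read_u32_le(buf);
    if (new_len == 0 || buflen - 4 < new_len) return -1;
    new_data = tracked_realloc(blob->data, new_len);
    if (!new_data) return -1;                          /* blob->data is still valid here */
    blob->data = new_data;
    blob->length = new_len;
    memcpy(blob->data, buf + 4, new_len);
    return 0;
}

typedef int (*reader_fn)(blob_t *, const uint8_t *, size_t);

/* Feed one reader a constructed message (4-byte little-endian length, then 4 payload
 * bytes) and return how many double frees the tracker caught during that run. */
int run_case(reader_fn reader, uint32_t wire_len) {
    uint8_t buf[8] = { (uint8_t)wire_len, (uint8_t)(wire_len >> 8), (uint8_t)(wire_len >> 16),
                       (uint8_t)(wire_len >> 24), 0xAB, 0xAB, 0xAB, 0xAB };
    blob_t blob = { tracked_alloc(16), 16 };
    double_free_count = 0;
    reader(&blob, buf, sizeof buf);
    tracked_free(blob.data);   /* the single cleanup a correct owner performs */
    return double_free_count;
}

int main(void) {
    printf("vulnerable reader, new_len=0: %d double free(s) caught\n", run_case(blob_read_vulnerable, 0));
    printf("hardened reader,   new_len=0: %d double free(s) caught\n", run_case(blob_read_hardened, 0));
    return 0;
}
```

The vulnerable reader reports one caught double free for a zero length and none for a valid or over-long length, while the hardened reader reports none in every case. The property to preserve is that the data field is never left pointing at memory the allocator has already reclaimed: either reject a zero length before calling `realloc`, or treat `realloc(p, 0)` as a free and clear the field before taking the failure path.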
code to test realloc action:

```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    char* p = malloc(0x30);
    char* x = realloc(p, 0);   // glibc: frees p and returns NULL
    printf("x:%p\n", (void*)x);
    free(p);                   // p was already released by realloc: this second free is the double free
    return 0;
}
```
67c2aa5
CVE-2020-11044 was assigned for this issue.