
double free in update_read_cache_bitmap_v3_order #6013

Closed
@hac425xxx

Description


version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/orders.c#L2167

vuln code

update_read_cache_bitmap_v3_order first reads new_len from the stream and passes new_len to realloc.

It can therefore call realloc(bitmapData->data, 0), which frees bitmapData->data and returns NULL.

realloc function source code

void *__libc_realloc(void *oldmem, size_t bytes)
{
  if (bytes == 0 && oldmem != NULL)  // if bytes == 0, it frees oldmem and returns NULL
  {
    __libc_free(oldmem);
    return 0;
  }
  // ... (rest of the function omitted)
}

When new_data is NULL, it calls free_cache_bitmap_v3_order, which frees bitmapData->data again.

Double Free!

function code (excerpt)

static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order
{
	// ...
	Stream_Read_UINT32(s, new_len);                       // attacker-controlled; if new_len == 0 ...

	if (Stream_GetRemainingLength(s) < new_len)           // ... this check passes
		goto fail;

	new_data = (BYTE*)realloc(bitmapData->data, new_len); // realloc(p, 0) frees bitmapData->data

	if (!new_data)                                        // and returns NULL, so we take the fail path
		goto fail;
	// ...

fail:
	free_cache_bitmap_v3_order(update->context, cache_bitmap_v3); // frees bitmapData->data again
	return NULL;
}
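The hardened pattern the report points at, as an added example that is not FreeRDP's code: the zero-length case is handled explicitly instead of being delegated to realloc, and a failed realloc leaves the owning pointer untouched, so the caller's cleanup can free it exactly once in every path. The struct, function names and the constructed length-prefixed input are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the bitmap data owned by a cache order (not the real FreeRDP struct). */
typedef struct {
    uint8_t *data;
    uint32_t length;
} bitmap_data_t;

/* Resize buf->data to new_len without ever leaving buf->data dangling.
 * On success returns 1 and buf->data owns exactly new_len bytes (NULL when new_len == 0).
 * On failure returns 0 and buf is unchanged: still owned, still valid, not yet freed. */
int bitmap_data_resize(bitmap_data_t *buf, uint32_t new_len)
{
    if (new_len == 0) {
        /* realloc(p, 0) is implementation-defined (glibc frees p and returns NULL), which is
         * exactly what turned the "allocation failed" path into a second free. Do it ourselves. */
        free(buf->data);
        buf->data = NULL;
        buf->length = 0;
        return 1;
    }
    uint8_t *new_data = realloc(buf->data, new_len);
    if (!new_data)
        return 0; /* buf->data still points at the old, live allocation */
    buf->data = new_data;
    buf->length = new_len;
    return 1;
}

/* Cleanup in the style of free_cache_bitmap_v3_order: safe after either outcome above. */
void bitmap_data_free(bitmap_data_t *buf)
{
    free(buf->data); /* free(NULL) is a no-op, so a zero-length order cannot double free */
    buf->data = NULL;
    buf->length = 0;
}

/* Simulated order parse: a 32-bit little-endian length followed by that many payload bytes. */
int parse_order(bitmap_data_t *buf, const uint8_t *stream, size_t stream_len)
{
    if (stream_len < 4)
        return 0;
    uint32_t new_len = stream[0] | (stream[1] << 8) | (stream[2] << 16) | ((uint32_t)stream[3] << 24);
    if (stream_len - 4 < new_len)
        return 0; /* same remaining-length check as the original, evaluated before any realloc */
    if (!bitmap_data_resize(buf, new_len))
        return 0; /* caller may still free buf exactly once */
    if (new_len)
        memcpy(buf->data, stream + 4, new_len);
    return 1;
}
```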
