OutOfBound Read in ncrush_decompress

Impact

FreeRDP based Clients and Servers

int ncrush_decompress(NCRUSH_CONTEXT* ncrush, const BYTE* pSrcData, UINT32 SrcSize,
                      const BYTE** ppDstData, UINT32* pDstSize, UINT32 flags)
{
        UINT32 index = 0;
        ...
       if (!(flags & PACKET_COMPRESSED))
        {
                *ppDstData = pSrcData;
                *pDstSize = SrcSize;
                return 1;
        }

        const BYTE* SrcEnd = &pSrcData[SrcSize];
        const BYTE* SrcPtr = pSrcData + 4;

        INT32 nbits = 32;
[1]        UINT32 bits = get_dword(pSrcData);
         ...

1 - out-of-bounds read in case SrcSize less than 4

Patches

3.5.0 - 91a1535 (#10077 dbe5d52)
2.11.6 - b70c8e9

Workarounds

none

References

Reported by Evgeny Legerov of Kaspersky Lab.
#10077

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OutOfBound Read in ncrush_decompress

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVE ID

Weaknesses