int ncrush_decompress(NCRUSH_CONTEXT* ncrush, const BYTE* pSrcData, UINT32 SrcSize,
const BYTE** ppDstData, UINT32* pDstSize, UINT32 flags)
{
UINT32 index = 0;
...
if (!(flags & PACKET_COMPRESSED))
{
*ppDstData = pSrcData;
*pDstSize = SrcSize;
return 1;
}
const BYTE* SrcEnd = &pSrcData[SrcSize];
const BYTE* SrcPtr = pSrcData + 4;
INT32 nbits = 32;
[1] UINT32 bits = get_dword(pSrcData);
...
Impact
FreeRDP
basedClients
andServers
1 - out-of-bounds read in case SrcSize less than 4
Patches
Workarounds
none
References