Fixed OOB read in update_recv_secondary_order
authorakallabeth <akallabeth@posteo.net>
Wed, 27 May 2020 06:10:11 +0000 (08:10 +0200)
committerArmin Novak <armin.novak@thincast.com>
Mon, 22 Jun 2020 10:13:05 +0000 (12:13 +0200)
CVE-2020-4032 thanks to @antonio-morales for finding this.

(cherry picked from commit e7bffa64ef5ed70bac94f823e2b95262642f5296)

libfreerdp/core/orders.c

index 744bf3c..dc4e51a 100644 (file)
@@ -3762,12 +3762,13 @@ static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flag
                           name, end - start);
                return FALSE;
        }
-       diff = start - end;
+       diff = end - start;
        if (diff > 0)
        {
                WLog_Print(update->log, WLOG_DEBUG,
                           "SECONDARY_ORDER %s: read %" PRIuz "bytes short, skipping", name, diff);
-               Stream_Seek(s, diff);
+               if (!Stream_SafeSeek(s, diff))
+                       return FALSE;
        }
        return rc;
 }
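Review bot: The added `Stream_SafeSeek` failure branch returns FALSE without logging anything, while the rejection path at the top of the hunk logs the order name and byte counts first, so an order whose declared length runs past the received data is dropped with no trace for whoever later investigates a misbehaving or hostile server. I would add `WLog_Print(update->log, WLOG_WARN, "SECONDARY_ORDER %s: %" PRIuz " bytes to skip exceed remaining stream data", name, diff);` before the `return FALSE;`. Separately, the `PRIuz` format suggests `diff` is unsigned, in which case `diff > 0` only means non-zero and the corrected `end - start` is safe only because the check above (outside the hunk, presumably `start > end`) has already returned; a one-line comment such as `/* start <= end is guaranteed by the check above */` would keep that dependency visible. The function begins outside the hunk, so both points should be confirmed against the full body.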