Fixed Out-of-bound read in glyph_cache_put

CVE-2020-11098 thanks to @antonio-morales for finding this.

(cherry picked from commit c0fd449ec0870b050d350d6d844b1ea6dad4bc7d)

diff --git a/libfreerdp/cache/glyph.c b/libfreerdp/cache/glyph.c
index 9f5e4a3..5c41f91 100644 (file)
--- a/libfreerdp/cache/glyph.c
+++ b/libfreerdp/cache/glyph.c
@@ -579,7 +579,7 @@ BOOL glyph_cache_put(rdpGlyphCache* glyphCache, UINT32 id, UINT32 index, rdpGlyp
                return FALSE;
        }
 
-       if (index > glyphCache->glyphCache[id].number)
+       if (index >= glyphCache->glyphCache[id].number)
        {
                WLog_ERR(TAG, "invalid glyph cache index: %" PRIu32 " in cache id: %" PRIu32 "", index, id);
                return FALSE;