Summary
An out-of-bounds (OOB) read vulnerability has been detected in glyph_cache_put due to an off-by-one error in boundary condition checking.
Product
FreeRDP
Tested Version
Development version - master branch (May 22, 2020)
Details: Out-of-bounds read in glyph_cache_put
The glyph_cache_put function in “glyph.c” accesses glyphCache->glyphCache[id].entries[index], where index is a value that can be controlled indirectly by a potential attacker:
    /* libfreerdp/cache/glyph.c */
    ...
    /* line 582: the check rejects only index > number, so index == number passes */
    if (index > glyphCache->glyphCache[id].number)
    {
        WLog_ERR(TAG, "invalid glyph cache index: %" PRIu32 " in cache id: %" PRIu32 "", index, id);
        return FALSE;
    }
    ...
    /* line 590: entries is read with the insufficiently checked index */
    prevGlyph = glyphCache->glyphCache[id].entries[index];
    ...
As shown above, index is checked only to ensure that it is not greater than glyphCache->glyphCache[id].number, which is the number of elements in the entries array. However, in the C programming language array indexes start at 0, so the last valid index is number - 1. If index is equal to glyphCache->glyphCache[id].number, the check passes and an OOB read occurs, accessing a memory location that is outside the boundaries of the glyphCache[id].entries array.
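The boundary condition described above, as an added example that is not FreeRDP code: it compares the check quoted from glyph.c with one that matches zero-based indexing. The type demo_glyph_table and all function names are hypothetical, and the 4-slot table in main is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for one glyph cache table (hypothetical type, not FreeRDP's). */
typedef struct
{
	uint32_t number; /* number of elements in entries */
	void** entries;
} demo_glyph_table;

/* Boundary check as quoted in the advisory: index == number is accepted. */
static bool index_ok_as_reported(const demo_glyph_table* t, uint32_t index)
{
	return !(index > t->number);
}

/* Check that matches zero-based indexing: the valid range is 0 .. number - 1. */
static bool index_ok_strict(const demo_glyph_table* t, uint32_t index)
{
	return index < t->number;
}

/* Bounds-checked read: fails instead of touching entries[number]. */
static bool demo_glyph_get(const demo_glyph_table* t, uint32_t index, void** out)
{
	if (!t || !t->entries || !out || !index_ok_strict(t, index))
		return false;
	*out = t->entries[index];
	return true;
}

/* Count indexes in [0, limit] that a check accepts although they lie outside the array. */
static uint32_t count_oob_accepted(const demo_glyph_table* t, uint32_t limit,
                                   bool (*check)(const demo_glyph_table*, uint32_t))
{
	uint32_t oob = 0;
	for (uint32_t i = 0; i <= limit; i++)
		if (check(t, i) && i >= t->number)
			oob++;
	return oob;
}

int main(void)
{
	void* slots[4] = { 0 };            /* constructed sample table */
	demo_glyph_table t = { 4, slots };
	printf("OOB indexes accepted: reported=%u strict=%u\n",
	       (unsigned)count_oob_accepted(&t, 16, index_ok_as_reported),
	       (unsigned)count_oob_accepted(&t, 16, index_ok_strict));
	return 0;
}
```

Sweeping every index up to and past number in a unit test is a cheap way to catch this class of off-by-one in any bounds check.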
Impact
This issue may lead to an out-of-bounds read.
CVE
- CVE-2020-11098
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/22/2020: Vendor contacted
- 05/26/2020: Vendor acknowledges report
- 06/22/2020: Bug fixed and patch released by the vendor
Supporting Resources
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
- https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2020-105 in any communication regarding this issue.