July 1, 2020

GHSL-2020-105: OOB read vulnerability in FreeRDP glyph_cache_put - CVE-2020-11098

Antonio Morales

Summary

An out-of-bounds (OOB) read vulnerability has been detected in glyph_cache_put due to an Off-by-one error in boundary condition checking.

Product

FreeRDP

Tested Version

Development version - master branch (May 22, 2020)

Details: Out-of-bound read in glyph_cache_put

The glyph_cache_put function in "glyph.c" performs a call to glyphCache->glyphCache[id].entries[index] where index is a value that can be controlled indirectly by a potential attacker:

View on GitHub!

/* libfreerdp/cache/glyph.c */
...
[line 582] if (index > glyphCache->glyphCache[id].number)
           {
		          WLog_ERR(TAG, "invalid glyph cache index: %" PRIu32 " in cache id: %" PRIu32 "", index, id);
		          return FALSE;
           }
...
[line 590] prevGlyph = glyphCache->glyphCache[id].entries[index]
...

As you can see above, the index value is checked to not be greater than glyphCache->glyphCache[id].number, where this value is the number of elements in entries array. However, in the C programmin glanguage array indexes start with 0.

So, if the index value is equal to glyphCache->glyphCache[id].number OOB reads will occur resulting in accessing a memory location that is outside of the boundaries of the glyphCache[id].entries array.

Impact

This issue may lead to Out-of-Bounds read.

CVE

  • CVE-2020-11098

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/22/2020: Vendor contacted
  • 05/26/2020: Vendor acknowledges report
  • 06/22/2020: Bug fixed and patch released by the vendor

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-105 in any communication regarding this issue.