Summary

An integer signedness mismatch vulnerability has been detected in the trio_length_max function in triostr.c.

Product

FreeRDP

Tested Version

Development version - master branch (May 25, 2020)

Details: Integer casting vulnerability in trio_length_max

Under certain circumstances (mainly when /log-level:TRACE is enabled and WLog_PrintMessage is called) the TrioParse parse function in trio.c returns parameters.precision = -1. This value is subsequently passed as the max parameter to the trio_length_max function.

So, the problem is that the size_t max argument in the trio_length_max function is an unsigned integer, but precision is a signed integer. For this reason, when precision = -1 is passed to the function trio_lenght_max, the max parameter is converted to SIZE_MAX which on e.g. 64bit Linux is 18446744073709551615UL.

View on GitHub!

/* winpr/libwinpr/utils/trio/trio.c */

TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precision), trio_class_t* self, TRIO_CONST char* string, trio_flags_t flags, int width, int precision)
...
length = trio_length_max(string, precision); // precision = -1
...

View on GitHub!

/* winpr/libwinpr/utils/trio/triostr.c */

TRIO_PUBLIC_STRING size_t trio_length_max TRIO_ARGS2((string, max), TRIO_CONST char* string, size_t max) // max = 18446744073709551615
{
	size_t i;

	for (i = 0; i < max; ++i)
	{
		if (string[i] == 0)
			break;
	}
	return i;
}

Impact

This issue may lead to Out-of-Bounds read.

CVE

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-106 in any communication regarding this issue.