July 1, 2020

GHSL-2020-106: integer signedness mismatch leading to OOB read in FreeRDP - CVE-2020-4030

Antonio Morales


An integer signedness mismatch vulnerability has been detected in the trio_length_max function in triostr.c.



Tested Version

Development version - master branch (May 25, 2020)

Details: Integer casting vulnerability in trio_length_max

Under certain circumstances (mainly when /log-level:TRACE is enabled and WLog_PrintMessage is called), the TrioParse function in trio.c returns parameters.precision = -1. This value is subsequently passed as the max parameter to the trio_length_max function.

The problem is that the max argument of trio_length_max is declared as size_t, an unsigned integer type, while precision is a signed int. When precision = -1 is passed to trio_length_max, it is implicitly converted to SIZE_MAX, which on e.g. 64-bit Linux is 18446744073709551615UL. The loop bound therefore no longer limits the scan, and the only thing that stops it is a NUL byte in memory.


/* winpr/libwinpr/utils/trio/trio.c */

TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precision), trio_class_t* self, TRIO_CONST char* string, trio_flags_t flags, int width, int precision)
{
	/* ... */
	length = trio_length_max(string, precision); // precision = -1
	/* ... */
}


/* winpr/libwinpr/utils/trio/triostr.c */

TRIO_PUBLIC_STRING size_t trio_length_max TRIO_ARGS2((string, max), TRIO_CONST char* string, size_t max) // max = 18446744073709551615
{
	size_t i;

	/* With max == SIZE_MAX the bound is ineffective: the scan ends only at a NUL byte. */
	for (i = 0; i < max; ++i)
	{
		if (string[i] == 0)
			break;
	}
	return i;
}


This issue may lead to an out-of-bounds read.
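The conversion described above, and one way to guard against it, as an added example that is not FreeRDP's code or its fix. The helper names implicit_max and length_max_checked, the readable parameter, and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a size_t parameter receives when a signed precision is passed to it. */
static size_t implicit_max(int precision)
{
	return (size_t)precision; /* -1 wraps to SIZE_MAX */
}

/* Hypothetical hardened scan: the caller states how many bytes of `string`
 * are readable, and a negative precision is treated as "no precision given"
 * instead of being converted to a huge unsigned bound. */
static size_t length_max_checked(const char* string, size_t readable, int precision)
{
	size_t limit = readable;
	size_t i;

	/* Only a non-negative precision may narrow the bound; it never widens it. */
	if (precision >= 0 && (size_t)precision < readable)
		limit = (size_t)precision;

	for (i = 0; i < limit; ++i)
	{
		if (string[i] == 0)
			break;
	}
	return i;
}

int main(void)
{
	/* Constructed sample: four bytes with no terminating NUL. */
	const char raw[4] = { 'a', 'b', 'c', 'd' };

	printf("bound seen by callee:  %zu\n", implicit_max(-1));
	printf("checked, precision=-1: %zu\n", length_max_checked(raw, sizeof(raw), -1));
	printf("checked, precision=2:  %zu\n", length_max_checked(raw, sizeof(raw), 2));
	return 0;
}
```

Compiling callers with -Wsign-conversion (GCC and Clang) flags the implicit int to size_t conversion at the call site.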


Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at, please include the GHSL-2020-106 in any communication regarding this issue.