Summary
An integer casting vulnerability has been detected in update_recv_secondary_order in orders.c.
Product
FreeRDP
Tested Version
Development version - master branch (May 27, 2020)
Details: Integer casting vulnerability in update_recv_secondary_order
Under certain circumstances (glyph-cache and relax-order-checks need to be enabled), the update_recv_secondary_order function in orders.c is affected by an integer signedness mismatch vulnerability.
The problem is that the size_t diff variable is an unsigned integer type, but start - end is a signed integer arithmetic expression that can return a negative value. When such a negative value is assigned to the unsigned size_t diff variable, it becomes a very large positive value at [1], up to and including SIZE_MAX. Consequently, Stream_Seek is called with an extremely large diff value, moving the stream pointer s to an invalid address [2].
    /* libfreerdp/core/orders.c */
    ...
    diff = start - end; // [1]
    if (diff > 0)
    {
        WLog_Print(update->log, WLOG_DEBUG,
                   "SECONDARY_ORDER %s: read %" PRIuz "bytes short, skipping", name, diff);
        Stream_Seek(s, diff); // [2]
    }
    return rc;
    ...
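To make the wraparound concrete, the following C program is an added illustration (not FreeRDP's code and not the vendor's patch): it reproduces the diff computation from the snippet above on a constructed stand-in for the stream, shows that a bounds-aware seek rejects the resulting value, and gives one possible hardened form that compares the positions before subtracting. The stream_t type and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a wStream: buffer length plus a read cursor. */
typedef struct {
    size_t length;
    size_t pos;
} stream_t;

/* Mirrors the advisory's computation at [1]/[2]: diff is size_t, so when end lies
 * past start the subtraction wraps to a value near SIZE_MAX instead of going
 * negative, and `diff > 0` does not catch it. Returns what Stream_Seek would get. */
size_t skip_to_order_end_vulnerable(size_t start, size_t end)
{
    size_t diff = start - end;    /* [1] wraps when end > start */
    if (diff > 0)
        return diff;              /* [2] handed to Stream_Seek unchecked */
    return 0;
}

/* Bounds-aware seek: refuse to move the cursor past the end of the buffer
 * (the check a remaining-length test would provide). */
bool seek_in_bounds(stream_t* s, size_t diff)
{
    if (diff > s->length - s->pos)
        return false;
    s->pos += diff;
    return true;
}

/* Hardened variant (an example fix, not the vendor's patch): compare the
 * positions before subtracting, then seek only within the buffer. */
bool skip_to_order_end_safe(stream_t* s, size_t start, size_t end)
{
    if (end > start)              /* parser consumed more than the order declared */
        return false;
    return seek_in_bounds(s, start - end);
}

int main(void)
{
    stream_t s = { .length = 100, .pos = 12 };  /* parser stopped at 12, order ends at 10 */
    size_t diff = skip_to_order_end_vulnerable(10, 12);
    printf("vulnerable diff = %zu (seek in bounds: %d)\n", diff, seek_in_bounds(&s, diff));
    printf("safe variant accepted: %d\n", skip_to_order_end_safe(&s, 10, 12));
    return 0;
}
```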
Impact
This issue may lead to an out-of-bounds read.
CVE
- CVE-2020-4032
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/27/2020: Report sent to Vendor
- 05/27/2020: Vendor acknowledges report
- 06/22/2020: Bug fixed and patch released by the vendor
Supporting Resources
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc
- https://github.com/FreeRDP/FreeRDP/commit/e7bffa64ef5ed70bac94f823e2b95262642f5296
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com; please include the GHSL-2020-125 in any communication regarding this issue.