skip to content
Back to
Home Research Advisories CodeQL Wall of Fame Get Involved Events
July 1, 2020

GHSL-2020-125: integer signedness mismatch vulnerability in FreeRDP leads to OOB read - CVE-2020-4032

Antonio Morales


An integer casting vulnerability has been detected in update_recv_secondary_order in orders.c.



Tested Version

Development version - master branch (May 27, 2020)

Details: Integer casting vulnerability in update_recv_secondary_order

Under certain circumstances (glyph-cache and relax-order-checks should be enabled) the update_recv_secondary_order function in orders.c is affected by an integer signedness mismatch vulnerability.

The problem is that the size_t diff variable is an unsigned integer type, but start - end is a signed integer arithmetic expression that can return a negative value. When such a negative value is assigned to the unsigned size_t diff variable, it becomes a very large positive value at [1] up to and including SIZE_MAX. Consequently, Stream_Seek will be called with an extremely large diff value, moving the s stream pointer to an invalid address [2].

View on GitHub!

/* libfreerdp/core/orders.c */
diff = start - end; // [1]
if (diff > 0)
		WLog_Print(update->log, WLOG_DEBUG,
		           "SECONDARY_ORDER %s: read %" PRIuz "bytes short, skipping", name, diff);
		Stream_Seek(s, diff); // [2]
return rc;


This issue may lead to Out-of-Bounds read.


Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at, please include the GHSL-2020-125 in any communication regarding this issue.