From 7ece410ce5b5660b9191e1ccb6835158afa11822 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Fri, 4 Aug 2023 13:55:40 +0200
Subject: [PATCH] [codec,rfx] fix possible out of bound read

Allows malicious servers to crash FreeRDP based clients reported by @pwn2carr

(cherry picked from commit a51952882f2eb3bbce6b69a7a4f9a54bf1dbb672)
---
 libfreerdp/codec/rfx.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index b41c15794daa..6cd267203a73 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -1109,8 +1109,18 @@ BOOL rfx_process_message(RFX_CONTEXT* context, const BYTE* data, UINT32 length,
 }
 }
- Stream_StaticInit(&subStream, Stream_Pointer(s), blockLen - (6 + extraBlockLen));
- Stream_Seek(s, blockLen - (6 + extraBlockLen));
+ const size_t blockLenNoHeader = blockLen - 6;
+ if (blockLenNoHeader < extraBlockLen)
+ {
+ WLog_Print(context->priv->log, WLOG_ERROR, "blockLen too small(%" PRIu32 "), must be >= 6 + %" PRIu16, blockLen, extraBlockLen);
+ return FALSE;
+ }
+
+ const size_t subStreamLen = blockLenNoHeader - extraBlockLen;
+ Stream_StaticInit(&subStream, Stream_Pointer(s), subStreamLen);
+ Stream_Seek(s, subStreamLen);
 switch (blockType)
 {
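Review bot: The new guard `if (blockLenNoHeader < extraBlockLen)` is only sound if `blockLen >= 6` was already established earlier in rfx_process_message, which lies outside this hunk; if that check is missing, `blockLen - 6` wraps in UINT32 arithmetic before being widened to size_t, the comparison passes, and `subStreamLen` becomes a multi-gigabyte length handed to `Stream_StaticInit`. Making the guard self-contained costs one extra condition and removes the dependency on distant code: `if (blockLen < 6 || blockLen - 6 < extraBlockLen)`. The same applies to `Stream_Seek(s, subStreamLen)` and the `Stream_StaticInit` over `Stream_Pointer(s)`: nothing in the hunk bounds `subStreamLen` against the bytes remaining in `s`, so unless an earlier required-length check on `blockLen - 6` is known to precede this point, a `if (Stream_GetRemainingLength(s) < subStreamLen) return FALSE;` before `Stream_StaticInit` (assuming the file's stream API offers that helper) would close the read past the end of the input that the commit title describes. The `PRIu16` in the log line presumes `extraBlockLen` is a UINT16, which is declared outside the hunk and worth confirming against the declaration. rfx_process_message both starts and ends outside the hunk.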