Headline
CVE-2020-11044: Fixed #6013: Check new length is > 0 · FreeRDP/FreeRDP@67c2aa5
In FreeRDP greater than 1.2 and before 2.0.0, a double free in update_read_cache_bitmap_v3_order crashes the client application if corrupted data from a manipulated server is parsed. This has been patched in 2.0.0.
Permalink
Browse files
Fixed #6013: Check new length is > 0
- Loading branch information
1 parent 3627aaf commit 67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8
Showing 1 changed file with 1 addition and 1 deletion.
@@ -2161,7 +2161,7 @@ static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order(rdpUpdate* updat
Stream_Read_UINT16(s, bitmapData->height); /* height (2 bytes) */
Stream_Read_UINT32(s, new_len); /* length (4 bytes) */
if (Stream_GetRemainingLength(s) < new_len)
if ((new_len == 0) || (Stream_GetRemainingLength(s) < new_len))
goto fail;
new_data = (BYTE*)realloc(bitmapData->data, new_len);
0 comments on commit 67c2aa5
Please sign in to comment.