Fixed OOB read in update_recv_secondary_order

CVE-2020-4032 thanks to @antonio-morales for finding this.
2020-05-27 08:10:11 +02:00 · 2020-05-27 08:10:11 +02:00 · e7bffa64ef
commit e7bffa64ef
parent 05cd9ea229
1 changed files with 3 additions and 2 deletions
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@ -3762,12 +3762,13 @@ static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flag
 		           name, end - start);
 		return FALSE;
 	}
-	diff = start - end;
+	diff = end - start;
 	if (diff > 0)
 	{
 		WLog_Print(update->log, WLOG_DEBUG,
 		           "SECONDARY_ORDER %s: read %" PRIuz "bytes short, skipping", name, diff);
-		Stream_Seek(s, diff);
+		if (!Stream_SafeSeek(s, diff))
+			return FALSE;
 	}
 	return rc;
 }