Potential Heap Out-of-Bounds Read in freerdp_certificate_data_hash_ via Unsafe _snprintf Usage

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.

N/A

跨界内存读

FreeRDP 缓冲区错误漏洞

FreeRDP是FreeRDP团队的一款开源的远程桌面协议（RDP）的实现。 FreeRDP 3.20.0之前版本存在缓冲区错误漏洞，该漏洞源于证书处理代码中未保证NUL终止，可能导致堆越界读取。

N/A

N/A