=============================================================================================================================================
| # Title : FreeRDP Integer Overflow in Stream_EnsureCapacity Leads to Infinite Loop |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/FreeRDP/FreeRDP/ |
=============================================================================================================================================
[+] Summary : A vulnerability in FreeRDP prior to version 3.23.0 allows an attacker to trigger an endless blocking loop due to an integer overflow in the Stream_EnsureCapacity function.
The issue occurs when a requested buffer size is larger than half the range of size_t, i.e. above 2^31 bytes on a 32-bit build. During capacity expansion the internal buffer size is doubled repeatedly until it satisfies the request.
Once the capacity reaches 2^31, the next doubling exceeds the maximum value of a 32-bit unsigned integer and wraps around to a smaller number (zero whenever the capacity is a power of two, which it normally is).
From that point the loop condition (current_capacity < requested_size) can never become false, because 0 * 2 stays 0, so the loop never terminates and the process is stuck: an infinite loop and a denial of service (DoS).
Affected Component: Stream_EnsureCapacity
Root Cause: Unchecked integer overflow during buffer resizing (capacity *= 2)
Impact: Infinite loop → CPU exhaustion / denial of service
Affected Systems: 32-bit builds, where size_t is 32 bits and a requested size above 2^31 is reachable from an attacker-supplied length; on 64-bit builds the same wrap would require a request above 2^63 bytes
Fixed in: FreeRDP version 3.23.0
Workarounds: None available; upgrade to 3.23.0 or later
[+] POC :
#include <stdint.h>
#include <stdio.h>

/* Models the capacity-doubling loop on a 32-bit size type (uint32_t stands in
 * for size_t on a 32-bit build). With a request above 2^31 the doubling wraps
 * to zero, and 0 * 2 == 0 keeps `current_capacity < requested_size` true
 * forever, so this function never returns: that hang is the demonstrated bug. */
void simulate_vulnerability(uint32_t requested_size)
{
    uint32_t current_capacity = 1024;
    printf("Attempting to ensure capacity for: %u\n", requested_size);
    while (current_capacity < requested_size)
    {
        uint32_t old_cap = current_capacity;
        current_capacity *= 2; /* unchecked doubling: wraps once the capacity is 2^31 */
        if (current_capacity < old_cap)
            printf("Overflow occurred! New capacity wrapped to: %u\n", current_capacity);
    }
    printf("Capacity secured: %u\n", current_capacity); /* never reached for the value below */
}

int main(void)
{
    uint32_t malicious_size = 0x80000001; /* > 2^31: no doubling of 1024 can ever reach it */
    simulate_vulnerability(malicious_size);
    return 0;
}
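The PoC above reproduces the hang. As an added example (written for this page; it is neither FreeRDP's code nor the advisory author's PoC), the block below models the same unchecked doubling loop beside a hardened replacement, so the two behaviours can be compared on the same inputs without the program actually hanging. uint32_t again stands in for a 32-bit size_t; the names grow_vulnerable, grow_hardened, GROW_ITERATION_CAP, the wrapper functions and the 1 GiB ceiling used in main are all assumptions made for the illustration, not identifiers from FreeRDP.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeRDP code. uint32_t stands in for size_t on a 32-bit
 * build. GROW_ITERATION_CAP is a hypothetical bound so the vulnerable model
 * reports the endless loop instead of reproducing the hang. */
#define GROW_ITERATION_CAP 64

/* Vulnerable pattern: double until the request is satisfied, with no overflow
 * check. Returns true with the new capacity in *out, or false when the doubling
 * wrapped and the loop would never terminate (detected via the iteration cap). */
static bool grow_vulnerable(uint32_t cap, uint32_t size, uint32_t *out)
{
    unsigned iterations = 0;
    uint32_t new_cap = cap;

    do
    {
        new_cap *= 2; /* wraps to 0 once new_cap == 2^31, and 0 * 2 stays 0 */
        if (++iterations > GROW_ITERATION_CAP)
            return false; /* the real loop spins here forever */
    } while (new_cap < size);

    *out = new_cap;
    return true;
}

/* Hardened pattern: reject requests above a caller-supplied ceiling, never
 * double a value above UINT32_MAX / 2, and when one more doubling would wrap,
 * settle for the exact request instead of looping. */
static bool grow_hardened(uint32_t cap, uint32_t size, uint32_t max_size, uint32_t *out)
{
    uint32_t new_cap = cap ? cap : 1; /* a zero capacity would never grow */

    if (size > max_size)
        return false; /* absurd request: fail the call instead of growing */

    while (new_cap < size)
    {
        if (new_cap > UINT32_MAX / 2)
        {
            new_cap = size; /* doubling would overflow; size itself fits */
            break;
        }
        new_cap *= 2;
    }

    *out = new_cap;
    return true;
}

/* Convenience wrappers: return the resulting capacity, or 0 when growth failed. */
static uint32_t vulnerable_result(uint32_t cap, uint32_t size)
{
    uint32_t out = 0;
    return grow_vulnerable(cap, size, &out) ? out : 0;
}

static uint32_t hardened_result(uint32_t cap, uint32_t size, uint32_t max_size)
{
    uint32_t out = 0;
    return grow_hardened(cap, size, max_size, &out) ? out : 0;
}

int main(void)
{
    const uint32_t request = 0x80000001u; /* same value as the PoC above */
    const uint32_t ceiling = 0x40000000u; /* hypothetical 1 GiB policy limit */

    if (vulnerable_result(1024, request) == 0)
        printf("vulnerable loop: capacity wrapped, loop would never terminate\n");
    if (hardened_result(1024, request, ceiling) == 0)
        printf("hardened loop: request %u rejected (above ceiling %u)\n", request, ceiling);
    printf("hardened loop without ceiling settles on %u\n",
           hardened_result(1024, request, UINT32_MAX));
    return 0;
}
```

The boundary is exactly 2^31: a request of 0x80000000 is still satisfied by the unchecked loop, while 0x80000001 never is. The hardened form carries two independent checks, the policy ceiling (a protocol stream should never legitimately need gigabytes) and the arithmetic guard, so that even a caller passing UINT32_MAX as the ceiling cannot make it spin.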
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================