=============================================================================================================================================
| # Title : FreeRDP Integer Overflow in Stream_EnsureCapacity Leads to Infinite Loop |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/FreeRDP/FreeRDP/ |
=============================================================================================================================================

[+] Summary :

A vulnerability in FreeRDP prior to version 3.23.0 allows an attacker to trigger an endless blocking loop due to an integer overflow in the Stream_EnsureCapacity function. The issue is reachable when a requested buffer size approaches or exceeds half of SIZE_MAX; on a 32-bit build, where size_t is 32 bits wide, that is 0x80000000 bytes. During capacity expansion the internal buffer size is doubled repeatedly until it is at least the requested size. Once the doubled value exceeds the maximum of a 32-bit unsigned integer it wraps around to a smaller number, and when the capacity reaches 0x80000000 the next doubling wraps to exactly zero, after which every further doubling also yields zero. The loop condition (current_capacity < requested_size) therefore never becomes false, and the calling thread spins forever: a denial of service (DoS).

Affected Component : Stream_EnsureCapacity
Root Cause : Integer overflow during buffer resizing (capacity *= 2)
Impact : Infinite loop -> CPU exhaustion / denial of service
Affected Systems : 32-bit builds (size_t is 32 bits wide), when a requested size of SIZE_MAX/2 or more reaches Stream_EnsureCapacity
Fixed in : FreeRDP version 3.23.0
Workarounds : None available

[+] POC :

The program below models the vulnerable doubling loop in isolation; it does not talk to a FreeRDP server. With the requested size 0x80000001 the capacity climbs to 0x80000000, the next doubling wraps to zero, and the loop never exits, so the process has to be killed.

#include <stdint.h>
#include <stdio.h>

void simulate_vulnerability(uint32_t requested_size)
{
    uint32_t current_capacity = 1024;

    printf("Attempting to ensure capacity for: %u\n", requested_size);

    /* Double until the capacity covers the request, as in the vulnerable code path.
       With requested_size >= 0x80000001 this loop never terminates: that is the bug. */
    while (current_capacity < requested_size)
    {
        uint32_t old_cap = current_capacity;
        current_capacity *= 2; /* unsigned arithmetic: wraps modulo 2^32 */

        if (current_capacity < old_cap)
            printf("Overflow occurred! New capacity wrapped to: %u\n", current_capacity);
    }

    printf("Capacity secured: %u\n", current_capacity);
}

int main(void)
{
    uint32_t malicious_size = 0x80000001;
    simulate_vulnerability(malicious_size);
    return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
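The following is an added example written for this page; it is not code from the advisory above and not FreeRDP's own source. It puts the doubling strategy the advisory describes (returning instead of spinning once the value wraps, so it terminates) next to a bounded alternative that checks for overflow before each doubling. size32_t models size_t on a 32-bit build so the wrap reproduces on a 64-bit host; grow_unchecked, grow_checked and doublings_for are names chosen for this illustration, and the guard shown is one reasonable fix, not necessarily the change shipped in FreeRDP 3.23.0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only, not FreeRDP code. size32_t models size_t on a 32-bit
 * build so the arithmetic below wraps at 2^32 regardless of the host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Vulnerable strategy: keep doubling old_capacity until it is >= size.
 * Unlike the real loop, this returns 0 the moment the capacity wraps, so the
 * demonstration terminates: a return value of 0 means "the real loop would
 * spin forever". *doublings receives the number of doublings that ran. */
static size32_t grow_unchecked(size32_t old_capacity, size32_t size, unsigned *doublings)
{
    size32_t cap = old_capacity;
    unsigned n = 0;

    do
    {
        size32_t prev = cap;
        cap *= 2; /* unsigned arithmetic: wraps modulo 2^32 with no diagnostic */
        n++;
        if (cap < prev)
        {
            /* Wrapped. From here on cap is zero (or tiny) and never reaches size. */
            if (doublings)
                *doublings = n;
            return 0;
        }
    } while (cap < size);

    if (doublings)
        *doublings = n;
    return cap;
}

/* Convenience wrapper: how many doublings the unchecked loop runs before it
 * either satisfies the request or wraps. */
static unsigned doublings_for(size32_t old_capacity, size32_t size)
{
    unsigned n = 0;
    (void)grow_unchecked(old_capacity, size, &n);
    return n;
}

/* Hardened strategy: test before each doubling whether it can overflow and,
 * if so, stop doubling and grow to exactly the requested size instead. Every
 * request representable in size32_t is satisfied, and the loop runs at most
 * 32 times, so it cannot spin. */
static size32_t grow_checked(size32_t old_capacity, size32_t size)
{
    size32_t cap = old_capacity ? old_capacity : 1; /* a zero capacity would never grow */

    while (cap < size)
    {
        if (cap > SIZE32_MAX / 2)
        {
            cap = size; /* doubling would overflow; exact growth is still representable */
            break;
        }
        cap *= 2;
    }
    return cap;
}

int main(void)
{
    /* Constructed sample requests: a normal one, the last safe one, the first
     * wrapping one, and the largest representable one. */
    const size32_t requests[] = { 4096, 0x7FFFFFFF, 0x80000001, SIZE32_MAX };

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
    {
        unsigned n = 0;
        size32_t unchecked = grow_unchecked(1024, requests[i], &n);
        size32_t checked = grow_checked(1024, requests[i]);

        if (unchecked)
            printf("request 0x%08x: unchecked -> 0x%08x after %u doublings, checked -> 0x%08x\n",
                   requests[i], unchecked, n, checked);
        else
            printf("request 0x%08x: unchecked WRAPS after %u doublings (real loop never exits), checked -> 0x%08x\n",
                   requests[i], n, checked);
    }
    return 0;
}
```

Starting from a 1024-byte buffer the unchecked loop reaches 0x80000000 after 21 doublings; the 22nd doubling wraps to zero, which is why any request of 0x80000001 or more is fatal, while 0x7FFFFFFF is still satisfied. The guard compares against SIZE32_MAX / 2 before multiplying, which is the check a reviewer would look for in any capacity-growth loop.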