In FreeRDP before version 2.1.2, an out of bound reads occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1854853]
Affects: fedora-all [bug 1854852]
in libfreerdp/core/update.c's update_write_order_info(), update_prepare_order_info, and libfreerdp/core/orders.c's update_recv_primary_order() it was possible for update->primary to be outside the bounds of the PRIMARY_DRAWING_ORDER_FIELD_BYTES static array, referenced with PRIMARY_DRAWING_ORDER_FIELD_BYTES[orderInfo->orderType], which could cause an out-of-bounds read due to lack of bounds checking. The patch replaces the static array with a getter function that uses a switch-case to prevent this.
The flaw is present in libfreerdp-core/orders.c for freerdp-1.0.2. Note this flaw applies to the freerdp CLIENT code.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):