Bug 998934 (CVE-2014-0250)

Summary: CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fweimer, jkurik, kem, security-response-team, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-31 20:33:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 983080, 983081    
Bug Blocks: 982959, 999871    

Description Florian Weimer 2013-08-20 11:19:46 UTC
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
	XcursorImage ci;
	ci.width = pointer->width;
	ci.height = pointer->height;
	ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire.  Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.

These look very much like a trust boundary is crossed.  Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).

Comment 5 Florian Weimer 2014-01-09 12:48:48 UTC
This issue is potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657

Comment 6 Huzaifa S. Sidhpurwala 2014-05-28 08:26:39 UTC
This issue has been assigned CVE-2014-0250

Comment 7 Huzaifa S. Sidhpurwala 2014-05-28 08:29:05 UTC
Filed an upstream bug via: https://github.com/FreeRDP/FreeRDP/issues/1871