Bug 998934 – CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 998934 - (CVE-2014-0250) CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c

Summary:	CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/...

Status:	NEW

Aliases:	CVE-2014-0250

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140528,repor...
Keywords:	Security

Depends On:	983080 983081
Blocks:	982959 999871
	Show dependency tree / graph

Reported:	2013-08-20 07:19 EDT by Florian Weimer
Modified:	2016-03-04 07:41 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Florian Weimer 2013-08-20 07:19:46 EDT

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
	XcursorImage ci;
[…]
	ci.width = pointer->width;
	ci.height = pointer->height;
[…]
	ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire.  Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.

These look very much like a trust boundary is crossed.  Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).

Comment 5 Florian Weimer 2014-01-09 07:48:48 EST

This issue is potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657

Comment 6 Huzaifa S. Sidhpurwala 2014-05-28 04:26:39 EDT

This issue has been assigned CVE-2014-0250

Comment 7 Huzaifa S. Sidhpurwala 2014-05-28 04:29:05 EDT

Filed an upstream bug via: https://github.com/FreeRDP/FreeRDP/issues/1871

Comment 8 Huzaifa S. Sidhpurwala 2014-05-28 04:36:18 EDT

Statement:

This issue affects the version of freerdp as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.

Note You need to log in before you can comment on or make changes to this bug.