Bug 998934 (CVE-2014-0250) - CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c
Summary: CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-0250
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 983080 983081
Blocks: 982959 999871
TreeView+ depends on / blocked
 
Reported: 2013-08-20 11:19 UTC by Florian Weimer
Modified: 2021-06-11 20:42 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-31 20:33:13 UTC
Embargoed:

Attachments (Terms of Use)

Description Florian Weimer 2013-08-20 11:19:46 UTC 
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
	XcursorImage ci;
[…]
	ci.width = pointer->width;
	ci.height = pointer->height;
[…]
	ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire.  Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.

These look very much like a trust boundary is crossed.  Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).
Comment 5 Florian Weimer 2014-01-09 12:48:48 UTC 
This issue is potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657
Comment 6 Huzaifa S. Sidhpurwala 2014-05-28 08:26:39 UTC 
This issue has been assigned CVE-2014-0250
Comment 7 Huzaifa S. Sidhpurwala 2014-05-28 08:29:05 UTC 
Filed an upstream bug via: https://github.com/FreeRDP/FreeRDP/issues/1871
Note You need to log in before you can comment on or make changes to this bug.