client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way: void xf_Pointer_New(rdpContext* context, rdpPointer* pointer) { XcursorImage ci; […] ci.width = pointer->width; ci.height = pointer->height; […] ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4); The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit). xf_Bitmap_Decompress() appears to have a similar issue. These look very much like a trust boundary is crossed. Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).
This issue is potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657
This issue has been assigned CVE-2014-0250
Filed an upstream bug via: https://github.com/FreeRDP/FreeRDP/issues/1871