Bug 998941 (CVE-2014-0791) - CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_scope_list()
Summary: CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_sc...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-0791
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 983080 983081
Blocks: 982959 999871
TreeView+ depends on / blocked
 
Reported: 2013-08-20 11:46 UTC by Florian Weimer
Modified: 2019-09-29 13:07 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-31 09:37:43 UTC


Attachments (Terms of Use)
Possible patch (773 bytes, patch)
2014-01-02 08:55 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff

Description Florian Weimer 2013-08-20 11:46:34 UTC
This is from libfreerdp-core/license_read_scope_list():

	stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */

	scopeList->count = scopeCount;
	scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);

Assuming that scopeCount is read from the wire, this results in an integer overflow in the size computation.  The array is subsequentially filled with pointers and constants, so this is probably not exploitable for anything but a crash:

	/* ScopeArray */
	for (i = 0; i < scopeCount; i++)
	{
		scopeList->array[i].type = BB_SCOPE_BLOB;
		license_read_binary_blob(s, &scopeList->array[i]);
	}

But I'm filing it as an embargoed security bug just to be sure.

Comment 6 Huzaifa S. Sidhpurwala 2014-01-02 08:55:29 UTC
Created attachment 844423 [details]
Possible patch

Comment 7 Florian Weimer 2014-01-02 09:00:03 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Created attachment 844423 [details]
> Possible patch

Patch looks good to me.

Comment 8 Huzaifa S. Sidhpurwala 2014-01-02 09:07:55 UTC
This is now submitted as a pull request for upstream at:

https://github.com/FreeRDP/FreeRDP/pull/1649

Comment 9 Murray McAllister 2014-01-06 03:19:46 UTC
This issue was assigned CVE-2014-0791:

http://www.openwall.com/lists/oss-security/2014/01/03/7

Comment 10 Huzaifa S. Sidhpurwala 2014-03-24 05:57:11 UTC
Fixed upstream via:

https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45

(There is no new release yet)


Note You need to log in before you can comment on or make changes to this bug.