998941 – (CVE-2014-0791) CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_scope_list()

Bug 998941 (CVE-2014-0791) - CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_scope_list()

Summary: CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_sc...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2014-0791
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	983080 983081
Blocks:	982959 999871
TreeView+	depends on / blocked

Reported:	2013-08-20 11:46 UTC by Florian Weimer
Modified:	2019-09-29 13:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-31 09:37:43 UTC
Embargoed:

Attachments	(Terms of Use)
Possible patch (773 bytes, patch) 2014-01-02 08:55 UTC, Huzaifa S. Sidhpurwala	no flags	Details \| Diff
View All

Description Florian Weimer 2013-08-20 11:46:34 UTC

This is from libfreerdp-core/license_read_scope_list():

	stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */

	scopeList->count = scopeCount;
	scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);

Assuming that scopeCount is read from the wire, this results in an integer overflow in the size computation.  The array is subsequentially filled with pointers and constants, so this is probably not exploitable for anything but a crash:

	/* ScopeArray */
	for (i = 0; i < scopeCount; i++)
	{
		scopeList->array[i].type = BB_SCOPE_BLOB;
		license_read_binary_blob(s, &scopeList->array[i]);
	}

But I'm filing it as an embargoed security bug just to be sure.

Comment 6 Huzaifa S. Sidhpurwala 2014-01-02 08:55:29 UTC

Created attachment 844423 [details]
Possible patch

Comment 7 Florian Weimer 2014-01-02 09:00:03 UTC

(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Created attachment 844423 [details]
> Possible patch

Patch looks good to me.

Comment 8 Huzaifa S. Sidhpurwala 2014-01-02 09:07:55 UTC

This is now submitted as a pull request for upstream at:

https://github.com/FreeRDP/FreeRDP/pull/1649

Comment 9 Murray McAllister 2014-01-06 03:19:46 UTC

This issue was assigned CVE-2014-0791:

http://www.openwall.com/lists/oss-security/2014/01/03/7

Comment 10 Huzaifa S. Sidhpurwala 2014-03-24 05:57:11 UTC

Fixed upstream via:

https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45

(There is no new release yet)

Note You need to log in before you can comment on or make changes to this bug.