This is from libfreerdp-core/license_read_scope_list():

    stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */
    scopeList->count = scopeCount;
    scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);

Assuming that scopeCount is read from the wire, this results in an integer overflow in the size computation. The array is subsequently filled with pointers and constants, so this is probably not exploitable for anything but a crash:

    /* ScopeArray */
    for (i = 0; i < scopeCount; i++)
    {
        scopeList->array[i].type = BB_SCOPE_BLOB;
        license_read_binary_blob(s, &scopeList->array[i]);
    }

But I'm filing it as an embargoed security bug just to be sure.
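To illustrate the size-computation overflow described in this comment, here is an added example (not FreeRDP code; the LICENSE_BLOB layout, the 4-byte minimum blob wire size and the sample messages are assumptions) that models the 32-bit size arithmetic where the product wraps, next to a checked reader that rejects such counts before allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FreeRDP's LICENSE_BLOB; hypothetical layout, only sizeof matters here. */
typedef struct { uint16_t type; uint16_t length; uint8_t *data; } LICENSE_BLOB;

/* The reported arithmetic, modelled with a 32-bit size type as on 32-bit builds
 * (with a 64-bit size_t the product does not wrap for a uint32_t count). */
typedef uint32_t size32_t;

size32_t unchecked_scope_list_bytes(uint32_t scopeCount) {
    return (size32_t)sizeof(LICENSE_BLOB) * scopeCount;   /* wraps for large counts */
}

/* Assumed wire minimum per blob: 2-byte type + 2-byte length, no data. */
#define MIN_BLOB_WIRE_BYTES 4u

/* Hardened reader: parse ScopeCount, reject it if the multiplication would wrap,
 * and reject counts that the remaining stream bytes cannot possibly back.
 * Returns 0 and fills the outputs on success, -1 on rejection. */
int read_scope_count_checked(const uint8_t *buf, size_t len, uint32_t *scopeCount, size32_t *allocBytes) {
    if (len < 4) return -1;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                     ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t remaining = len - 4;
    if (count > UINT32_MAX / (size32_t)sizeof(LICENSE_BLOB)) return -1; /* would wrap */
    if (count > remaining / MIN_BLOB_WIRE_BYTES) return -1;            /* stream too short */
    *scopeCount = count;
    *allocBytes = (size32_t)sizeof(LICENSE_BLOB) * count;
    return 0;
}

/* Constructed sample messages: little-endian ScopeCount followed by blob bytes. */
static const uint8_t SANE_MSG[]  = { 0x02,0x00,0x00,0x00, 0,0,0,0, 0,0,0,0 }; /* 2 empty blobs */
static const uint8_t HUGE_MSG[]  = { 0x01,0x00,0x00,0x20, 0,0,0,0 };          /* 0x20000001 */
static const uint8_t SHORT_MSG[] = { 0x03,0x00,0x00,0x00, 0,0,0,0, 0,0,0,0 }; /* 3 claimed, 2 present */

/* Allocation size the checked reader would accept, or 0 when it rejects the message. */
size32_t checked_alloc_for(const uint8_t *buf, size_t len) {
    uint32_t count; size32_t bytes;
    return read_scope_count_checked(buf, len, &count, &bytes) == 0 ? bytes : 0;
}

int main(void) {
    printf("unchecked: 0x20000001 elements -> %u bytes\n", unchecked_scope_list_bytes(0x20000001u));
    printf("checked: sane %u, huge %u, short %u\n", checked_alloc_for(SANE_MSG, sizeof SANE_MSG),
           checked_alloc_for(HUGE_MSG, sizeof HUGE_MSG), checked_alloc_for(SHORT_MSG, sizeof SHORT_MSG));
    return 0;
}
```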
Created attachment 844423 [details] Possible patch
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Created attachment 844423 [details]
> Possible patch

Patch looks good to me.
This is now submitted as a pull request for upstream at: https://github.com/FreeRDP/FreeRDP/pull/1649
This issue was assigned CVE-2014-0791: http://www.openwall.com/lists/oss-security/2014/01/03/7
Fixed upstream via: https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45 (There is no new release yet)