Red Hat Bugzilla – Bug 998941
CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_scope_list()
Last modified: 2016-03-04 06:36:21 EST
This is from libfreerdp-core/license_read_scope_list():
stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */
scopeList->count = scopeCount;
scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);
Assuming that scopeCount is read from the wire, this results in an integer overflow in the size computation. The array is subsequentially filled with pointers and constants, so this is probably not exploitable for anything but a crash:
/* ScopeArray */
for (i = 0; i < scopeCount; i++)
scopeList->array[i].type = BB_SCOPE_BLOB;
But I'm filing it as an embargoed security bug just to be sure.
Created attachment 844423 [details]
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Created attachment 844423 [details]
> Possible patch
Patch looks good to me.
This is now submitted as a pull request for upstream at:
This issue was assigned CVE-2014-0791:
Fixed upstream via:
(There is no new release yet)
This issue affects the version of freerdp as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.