Package: freerdp Version: 1.0.2-4 Severity: important Tags: security Advisory: https://github.com/FreeRDP/FreeRDP/issues/1871 Potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657
"""
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:
void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
XcursorImage ci;
[…]
ci.width = pointer->width;
ci.height = pointer->height;
[…]
ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);
The width and height members are read from the wire. Both are 16 bit, but
because of the multiplication with 4, the allocation still overflows (on 32 bit
and 64 bit).
xf_Bitmap_Decompress() appears to have a similar issue.
"""
---
Henri Salo
signature.asc
Description: Digital signature
