Control: close -1
Control: fixed -1 1.1.0~git20140809.1.b07a5c1+dfsg-1
On Wed 28 May 2014 13:33:19 CEST, Henri Salo wrote:
> Package: freerdp
> Version: 1.0.2-4
> Severity: important
> Tags: security
>
> Advisory: https://github.com/FreeRDP/FreeRDP/issues/1871
> Potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657
>
> """
> client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:
>
> void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
> {
>     XcursorImage ci;
>     […]
>     ci.width = pointer->width;
>     ci.height = pointer->height;
>     […]
>     ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);
>
> The width and height members are read from the wire. Both are 16 bit, but
> because of the multiplication with 4, the allocation still overflows (on 32 bit
> and 64 bit). xf_Bitmap_Decompress() appears to have a similar issue.
> """
>
> ---
> Henri Salo
Recently, version 1.1.0~git20140809.1.b07a5c1+dfsg-1 of freerdp has been uploaded to Debian unstable. During post-upload bug introspection, I realized that this bug should have been closed with the upload.
Thus, closing it for the freerdp version in unstable.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
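The arithmetic the quoted report describes, reproduced as an added example (this is illustrative code written for this page, not FreeRDP's code or its fix). CursorDim is a stand-in for Xcursor's XcursorDim and is assumed to be a plain unsigned int, which is what the report's "overflows on 64 bit too" reasoning requires; vulnerable_pixel_bytes() and checked_pixel_bytes() are hypothetical names. The vulnerable function mirrors malloc(ci.width * ci.height * 4): two 16-bit wire values widened to unsigned int and multiplied in unsigned int, so the product wraps modulo 2^32 before malloc ever sees it. The checked variant does the multiplication in size_t and rejects a pair whose byte count would not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Xcursor's XcursorDim, assumed here to be unsigned int.
 * Added example, not FreeRDP code. */
typedef unsigned int CursorDim;

/* Mirrors the size computed for malloc() in the quoted xf_Pointer_New():
 * width and height arrive as 16-bit values, are widened to unsigned int,
 * and w * h * 4 is evaluated in unsigned int arithmetic. The wrap happens
 * in that 32-bit multiplication, so a 64-bit size_t does not help: malloc()
 * receives the already-truncated value, and any write of width * height
 * pixels into the buffer runs past its end. */
size_t vulnerable_pixel_bytes(uint16_t width, uint16_t height)
{
    CursorDim w = width;
    CursorDim h = height;
    return (size_t)(w * h * 4);   /* 0x8000 * 0x8000 * 4 == 2^32 -> wraps to 0 */
}

/* Hardened variant (hypothetical replacement, not the project's patch):
 * multiply in size_t and refuse any pair whose byte count would overflow.
 * Returns 1 and stores the size in *out on success, 0 on overflow. */
int checked_pixel_bytes(uint16_t width, uint16_t height, size_t *out)
{
    size_t w = width;
    size_t h = height;
    size_t pixels;

    if (w != 0 && h > SIZE_MAX / w)
        return 0;                 /* w * h would not fit in size_t */
    pixels = w * h;
    if (pixels > SIZE_MAX / 4)
        return 0;                 /* pixels * 4 would not fit in size_t */
    *out = pixels * 4;
    return 1;
}

int main(void)
{
    /* Constructed wire values: a 32768 x 32768 pointer, chosen so that
     * w * h * 4 is exactly 2^32. */
    uint16_t w = 0x8000, h = 0x8000;
    size_t n;

    printf("vulnerable computation: malloc(%zu)\n", vulnerable_pixel_bytes(w, h));
    if (checked_pixel_bytes(w, h, &n))
        printf("checked computation: %zu bytes\n", n);
    else
        printf("checked computation: rejected, would overflow size_t on this host\n");
    return 0;
}
```

On a 64-bit host the checked variant accepts the 32768 x 32768 pair as a 4 GiB allocation, which is arithmetically correct but still absurd for a mouse pointer; the overflow check only makes the size honest, and a real fix would additionally bound the dimensions a pointer update may carry before allocating. The same pattern applies to the xf_Bitmap_Decompress() case the report mentions as similar.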