CVE-2014-0250: Integer Overflow

First published: Tue Aug 20 2013(Updated: )

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way: void xf_Pointer_New(rdpContext* context, rdpPointer* pointer) { XcursorImage ci; […] ci.width = pointer->width; ci.height = pointer->height; […] ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4); The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit). xf_Bitmap_Decompress() appears to have a similar issue. These look very much like a trust boundary is crossed. Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/weakness
• agent/severity
• agent/author
• agent/description
• agent/event
• agent/tags
• collector/nvd-index
• agent/software-canonical-lookup-request
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2014-0250
• vendor/freerdp
• canonical/freerdp freerdp
• version/freerdp freerdp/1.0.0
• version/freerdp freerdp/1.0.1
• version/freerdp freerdp/1.0.2
• vendor/opensuse
• canonical/opensuse opensuse
• version/opensuse opensuse/12.3
• version/opensuse opensuse/13.1