Potential Memory Leaks on FreeRDP #5645

Closed
nicowaisman opened this issue Oct 4, 2019 · 3 comments
@nicowaisman

Dear FreeRDP,
I would like to report a potential memory leak in FreeRDP.

The problem lies in the way realloc is being used. When a size
bigger than the chunk to be reallocated is passed, realloc
tries to malloc a bigger size; however, in the case that malloc fails
(for example, by forcing a big allocation), realloc will return NULL.

According to the man page:
"The realloc() function returns a pointer to the newly allocated
memory, which is suitably aligned for any built-in type and may be
different from ptr, or NULL if the request fails. If size was
equal to 0, either NULL or a pointer suitable to be passed to free()
is returned. If realloc() fails, the original block is left
untouched; it is not freed or moved."

The problem occurs when the memory ptr passed to the first argument of
realloc is the same as the one used for the result, for example in
this case:

libfreerdp/codec/region.c, lines 470-471:
int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
region->data = realloc(region->data, allocSize);

If the malloc inside that realloc fails, then the original memory
chunk will never be freed, but since realloc will return NULL, the
pointer to that memory chunk will be lost and a memory leak will
occur.

We found 9 other cases; all can be found here:
https://lgtm.com/query/8334994658751916283/

(The xrealloc case should be disregarded since abort is being called on failure)

Best Regards,
Nico Waisman
Semmle Security Team
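
The pattern described in the report above, next to a corrected form, as an added example that is not part of the original issue or of FreeRDP's code. `rect_buf`, `demo_realloc` and the `fail_next_realloc` hook are hypothetical names, used here only to force the failure path deterministically.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable buffer; a stand-in, not FreeRDP's REGION16_DATA. */
typedef struct { size_t count; uint16_t *items; } rect_buf;

/* Hook for this example only: when set, the next resize fails the way
 * realloc() does under memory pressure or with an oversized request. */
static int fail_next_realloc = 0;

static void *demo_realloc(void *ptr, size_t size)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;            /* like realloc(): old block left untouched */
    }
    return realloc(ptr, size);
}

/* Reported pattern: the result overwrites the only pointer to the block.
 * On failure buf->items becomes NULL and the old allocation is leaked. */
static int grow_leaky(rect_buf *buf, size_t new_count)
{
    buf->items = demo_realloc(buf->items, new_count * sizeof(*buf->items));
    if (!buf->items)
        return -1;
    buf->count = new_count;
    return 0;
}

/* Corrected form: commit the new pointer only after the resize succeeded. */
static int grow_safe(rect_buf *buf, size_t new_count)
{
    uint16_t *tmp = demo_realloc(buf->items, new_count * sizeof(*buf->items));
    if (!tmp)
        return -1;              /* buf->items is still valid and freeable */
    buf->items = tmp;
    buf->count = new_count;
    return 0;
}

int main(void)
{
    rect_buf b = { 4, malloc(4 * sizeof(uint16_t)) };
    fail_next_realloc = 1;
    int rc = grow_safe(&b, 8);  /* fails, but b.items survives */
    free(b.items);
    return rc == -1 ? 0 : 1;
}
```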

@akallabeth akallabeth added this to the 2.0.0 milestone Oct 4, 2019
akallabeth added a commit to akallabeth/FreeRDP that referenced this issue Oct 4, 2019
@akallabeth
Member

@nicowaisman thank you for the report, the referenced pull request should fix these issues.

akallabeth added a commit to akallabeth/FreeRDP that referenced this issue Oct 4, 2019
akallabeth added a commit to akallabeth/FreeRDP that referenced this issue Oct 4, 2019
@abergmann

CVE-2019-17177 was assigned to this issue.

@abergmann

CVE-2019-17178 was also assigned to this issue.

@mfleisz mfleisz closed this as completed in 9fee4ae Oct 7, 2019
mfleisz added a commit that referenced this issue Oct 7, 2019
clrpackages pushed a commit to clearlinux-pkgs/FreeRDP that referenced this issue Oct 11, 2019
CVEs fixed in this build:
CVE-2019-17177
CVE-2019-17178

Note that CVE-2019-17177.patch fixed both issues in a single commit.
See upstream issue tracker:
FreeRDP/FreeRDP#5645