Potential Memory Leaks on FreeRDP #5645
@nicowaisman thank you for the report, the referenced pull request should fix these issues.
akallabeth added a commit to akallabeth/FreeRDP that referenced this issue (Oct 4, 2019)
akallabeth added a commit to akallabeth/FreeRDP that referenced this issue (Oct 4, 2019)
CVE-2019-17177 was assigned to this issue.
CVE-2019-17178 was also assigned to this issue.
clrpackages pushed a commit to clearlinux-pkgs/FreeRDP that referenced this issue (Oct 11, 2019)
CVEs fixed in this build: CVE-2019-17177 CVE-2019-17178 Note that CVE-2019-17177.patch fixed both issues in a single commit. See upstream issue tracker: FreeRDP/FreeRDP#5645
Dear FreeRDP,
I would like to report a potential memory leak on FreeRDP.
The problem occurs in the way realloc is being used. When a size
bigger than the chunk that wants to be reallocated is passed, realloc
tries to malloc a bigger size; however, in the case that malloc fails
(for example, by forcing a big allocation) realloc will return NULL.
According to the man page:
"The realloc() function returns a pointer to the newly allocated
memory, which is suitably aligned for any built-in type and may be
different from ptr, or NULL if the request fails. If size was
equal to 0, either NULL or a pointer suitable to be passed to free()
is returned. If realloc() fails, the original block is left
untouched; it is not freed or moved."
The problem occurs when the memory ptr passed to the first argument of
realloc is the same as the one used for the result, for example in
this case:
libfreerdp/codec/region.c (lines 470-471):
    int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
    region->data = realloc(region->data, allocSize);
If the malloc inside that realloc fails, then the original memory
chunk will never be freed, but since realloc will return NULL, the
pointer to that memory chunk will be lost and a memory leak will
occur.
We found 9 other cases; all can be found here:
https://lgtm.com/query/8334994658751916283/
(The xrealloc case should be disregarded, since abort is being called on fail)
Best Regards,
Nico Waisman
Semmle Security Team
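
The pattern from the report next to a checked form, as an added example that is not FreeRDP's code and not the fix from the referenced pull request. The names `region`, `rect16`, `grow_leaky`, `grow_safe` and the always-failing `failing_realloc` are hypothetical, constructed here so the failure path runs deterministically.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for this example, not FreeRDP's definitions. */
typedef struct { unsigned short left, top, right, bottom; } rect16;
typedef struct { size_t nbRects; rect16 *rects; } region;
typedef void *(*realloc_fn)(void *, size_t);
/* Constructed test allocator: always fails and, like realloc(), leaves the block untouched. */
static void *failing_realloc(void *ptr, size_t size) { (void)ptr; (void)size; return NULL; }

/* Pattern from the report: the result overwrites the only pointer to the block. */
static int grow_leaky(region *r, size_t n, realloc_fn ra)
{
    r->rects = ra(r->rects, n * sizeof(rect16)); /* NULL here loses the old block */
    if (!r->rects)
        return -1;
    r->nbRects = n;
    return 0;
}

/* Checked form: the old pointer is kept until the reallocation has succeeded. */
static int grow_safe(region *r, size_t n, realloc_fn ra)
{
    rect16 *tmp;
    if (n == 0) /* realloc(ptr, 0) may free ptr and return NULL: ambiguous, so reject */
        return -1;
    tmp = ra(r->rects, n * sizeof(rect16));
    if (!tmp)
        return -1; /* r->rects is still valid and still owned by r */
    r->rects = tmp;
    r->nbRects = n;
    return 0;
}

/* Returns 1 if the region still holds its original block after a failed grow. */
static int keeps_block_on_failure(int (*grow)(region *, size_t, realloc_fn))
{
    region r = { 4, calloc(4, sizeof(rect16)) };
    void *original = r.rects;
    int kept = grow(&r, 1024, failing_realloc) == -1 && r.rects == original && r.nbRects == 4;
    free(original); /* the harness kept a copy, so the example itself does not leak */
    return kept;
}

int main(void)
{
    printf("leaky keeps block: %d, checked keeps block: %d\n", keeps_block_on_failure(grow_leaky), keeps_block_on_failure(grow_safe));
    return 0;
}
```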