Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

integer overflows in memory allocations in client/X11/xf_graphics.c #1871

Closed
sidhpurwala-huzaifa opened this issue May 28, 2014 · 4 comments
Closed
Assignees
Labels

Comments

@sidhpurwala-huzaifa
Copy link

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
XcursorImage ci;
[…]
ci.width = pointer->width;
ci.height = pointer->height;
[…]
ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.

These look very much like a trust boundary is crossed. Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).

This issue is potentially related: #1657

This issue has been assigned CVE-2014-0250

@hardening hardening self-assigned this May 28, 2014
@hardening
Copy link
Contributor

@sidhpurwala-huzaifa #1874 may correct the issue at least for master. Waiting for careful review.

@fweimer
Copy link

fweimer commented Aug 15, 2014

Master still has this, so it still seems affected:

234         ci.pixels = (XcursorPixel*) calloc(1, ci.width * ci.height * 4);

@hardening
Copy link
Contributor

@fweimer true, but values are checked when they are extracted from the wire see #1874

@opoplawski
Copy link

Time to close this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants