
Potential Memory Leaks on FreeRDP #5645

Closed
@nicowaisman


Dear FreeRDP,
I would like to report a potential memory leak in FreeRDP.

The problem occurs in the way realloc is being used. When a size
bigger than the chunk to be reallocated is passed, realloc
tries to malloc a bigger size; however, in the case that malloc fails
(for example, by forcing a big allocation), realloc will return NULL.

According to the man page:
"The realloc() function returns a pointer to the newly allocated
memory, which is suitably aligned for any built-in type and may be
different from ptr, or NULL if the request fails. If size was
equal to 0, either NULL or a pointer suitable to be passed to free()
is returned. If realloc() fails, the original block is left
untouched; it is not freed or moved."

The problem occurs when the memory ptr passed to the first argument of
realloc is the same as the one used for the result, for example in
this case:

libfreerdp/codec/region.c, lines 470-471:

    int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
    region->data = realloc(region->data, allocSize);

If the malloc inside that realloc fails, then the original memory
chunk will never be freed, but since realloc will return NULL, the
pointer to that memory chunk will be lost and a memory leak will
occur.

We found 9 other cases; all can be found here:
https://lgtm.com/query/8334994658751916283/

(The case where xrealloc is used should be disregarded, since abort is called on failure.)

Best Regards,
Nico Waisman
Semmle Security Team
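
The pattern from the report next to the usual fix (assign realloc's result to a temporary before overwriting the owning pointer), as an added example that is not part of the original issue or FreeRDP's own code. The struct definitions are simplified stand-ins, and test_realloc, resize_leaky, resize_safe and old_block_reachable are hypothetical names; test_realloc simulates the failed allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for FreeRDP's types (assumed layout, not the project's definitions). */
typedef struct { uint16_t left, top, right, bottom; } RECTANGLE_16;
typedef struct { long size; long nbRects; } REGION16_DATA;
typedef struct { REGION16_DATA *data; } REGION16;

/* Hypothetical test hook: when set, the next call fails like an out-of-memory realloc(). */
static int fail_next_realloc = 0;
static void *test_realloc(void *ptr, size_t size)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; } /* old block untouched */
    return realloc(ptr, size);
}

/* Pattern from the report: the result overwrites the only pointer to the old block. */
static int resize_leaky(REGION16 *region, size_t nbRects)
{
    size_t allocSize = sizeof(REGION16_DATA) + nbRects * sizeof(RECTANGLE_16);
    region->data = test_realloc(region->data, allocSize);
    return region->data != NULL; /* on failure the old block is unreachable: leaked */
}

/* Hardened form: keep the old pointer until the new one is known to be valid. */
static int resize_safe(REGION16 *region, size_t nbRects)
{
    size_t allocSize = sizeof(REGION16_DATA) + nbRects * sizeof(RECTANGLE_16);
    REGION16_DATA *tmp = test_realloc(region->data, allocSize);
    if (!tmp)
        return 0;                /* region->data still owns the old block */
    region->data = tmp;
    return 1;
}

/* Returns 1 if the region still points at its original block after a failed resize. */
static int old_block_reachable(int (*resize)(REGION16 *, size_t))
{
    REGION16 region = { malloc(sizeof(REGION16_DATA)) };
    REGION16_DATA *original = region.data;
    if (!original) return -1;
    fail_next_realloc = 1;
    int ok = resize(&region, 64);
    int reachable = (!ok && region.data == original);
    free(original);              /* possible only because this demo kept its own copy */
    return reachable;
}
int main(void) { printf("leaky=%d safe=%d\n", old_block_reachable(resize_leaky), old_block_reachable(resize_safe)); return 0; }
```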
