FreeRDP prior to version 2.0.0-rc4 contains an integer overflow that leads to a heap-based buffer overflow in the function gdi_Bitmap_Decompress(). The result is memory corruption and possibly remote code execution by a malicious RDP server.
The product multiplies attacker-influenced bitmap dimensions to determine how much memory to allocate, but the multiplication can wrap around, so less memory is allocated than the decoded bitmap needs and the subsequent write overflows the undersized heap buffer.
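To make the bug class concrete, here is an added example (written for this page, not FreeRDP's own code) of the vulnerable size computation beside a hardened one. The 32-bit `width * height * bpp` wraps modulo 2^32, so a 65536x65536 bitmap appears to need a zero-byte buffer; the hardened variant widens to 64 bits, rejects zero dimensions and wrapped or oversized results, and refuses any payload that does not fit the buffer. The 256 MiB cap, the function names and the 2x2 pixel payload are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy cap on one decoded bitmap (256 MiB). Arbitrary illustrative value,
 * not a limit taken from FreeRDP. */
#define MAX_BITMAP_BYTES ((uint64_t)256 * 1024 * 1024)

/* Constructed 2x2 32bpp pixel payload for the demo; not real RDP data. */
static const uint8_t SAMPLE_PIXELS[16] = {
    0xff, 0x00, 0x00, 0xff,  0x00, 0xff, 0x00, 0xff,
    0x00, 0x00, 0xff, 0xff,  0xff, 0xff, 0xff, 0xff,
};

/* Vulnerable pattern: width * height * bpp evaluated in 32-bit unsigned
 * arithmetic wraps modulo 2^32, so attacker-chosen dimensions make a huge
 * bitmap look like it needs a tiny (even zero-byte) buffer. */
uint32_t bitmap_size_unchecked(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Hardened pattern: widen to 64 bits before multiplying, reject zero
 * dimensions, and reject any result above the policy cap.
 * Returns 0 on success and fills *out, -1 when the header is rejected. */
int bitmap_size_checked(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    uint64_t n;
    if (w == 0 || h == 0 || bpp == 0)
        return -1;
    n = (uint64_t)w * h;                 /* < 2^64, cannot wrap */
    if (n > MAX_BITMAP_BYTES)            /* bound pixel count before scaling */
        return -1;
    n *= bpp;                            /* <= 2^28 * 2^32 = 2^60, still exact */
    if (n > MAX_BITMAP_BYTES)            /* cap is far below SIZE_MAX */
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Single-value wrapper: 0 means rejected (0 is never a valid size here). */
size_t checked_size_or_zero(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    return bitmap_size_checked(w, h, bpp, &n) == 0 ? n : 0;
}

/* 1 if the unchecked size would give malloc() fewer bytes than the decoder
 * is about to write, i.e. the copy would run past the heap chunk. */
int would_underallocate(uint32_t w, uint32_t h, uint32_t bpp, size_t payload_len)
{
    return (size_t)bitmap_size_unchecked(w, h, bpp) < payload_len;
}

/* Hardened decoder. Decompression is modelled as a plain copy of the
 * payload into the destination; the real codec is irrelevant to the bug.
 * Returns a malloc()ed buffer the caller frees, or NULL on rejection. */
uint8_t *decode_bitmap(uint32_t w, uint32_t h, uint32_t bpp,
                       const uint8_t *src, size_t src_len)
{
    size_t size;
    uint8_t *dst;
    if (bitmap_size_checked(w, h, bpp, &size) != 0)
        return NULL;
    if (src_len > size)                  /* payload must fit the buffer */
        return NULL;
    dst = calloc(1, size);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, src_len);
    return dst;
}

int main(void)
{
    /* 65536 * 65536 is 2^32, which is 0 in 32-bit arithmetic; times 4 is still 0. */
    printf("unchecked size for 65536x65536x4: %u bytes\n",
           bitmap_size_unchecked(65536, 65536, 4));
    printf("checked size for 65536x65536x4:   %zu (0 = rejected)\n",
           checked_size_or_zero(65536, 65536, 4));
    printf("unchecked 1920x1080x4 vs checked: %u / %zu\n",
           bitmap_size_unchecked(1920, 1080, 4),
           checked_size_or_zero(1920, 1080, 4));
    uint8_t *img = decode_bitmap(2, 2, 4, SAMPLE_PIXELS, sizeof SAMPLE_PIXELS);
    printf("2x2x4 decode: %s\n", img ? "ok" : "rejected");
    free(img);
    printf("65536x65536x4 decode: %s\n",
           decode_bitmap(65536, 65536, 4, SAMPLE_PIXELS, sizeof SAMPLE_PIXELS)
               ? "ok" : "rejected");
    return 0;
}
```

The important design choice is checking the pixel count against the cap before multiplying by bytes per pixel: that keeps every intermediate exact in 64 bits regardless of what values the peer supplies, and the payload-length check closes the second half of the bug, where even a correctly sized buffer could still be overrun by more compressed data than the header advertises.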
Name | Vendor | Start Version | End Version |
---|---|---|---|
Freerdp | Freerdp | * | 1.2.0 (including) |
Freerdp | Freerdp | 2.0.0-rc1 (including) | 2.0.0-rc1 (including) |
Freerdp | Freerdp | 2.0.0-rc2 (including) | 2.0.0-rc2 (including) |
Freerdp | Freerdp | 2.0.0-rc3 (including) | 2.0.0-rc3 (including) |
Red Hat Enterprise Linux 7 | RedHat | freerdp-0:1.0.2-15.el7_6.1 | * |
Freerdp | Ubuntu | bionic | * |
Freerdp | Ubuntu | cosmic | * |
Freerdp | Ubuntu | trusty | * |
Freerdp | Ubuntu | xenial | * |
Freerdp2 | Ubuntu | bionic | * |
Freerdp2 | Ubuntu | cosmic | * |
Freerdp2 | Ubuntu | devel | * |
Freerdp2 | Ubuntu | disco | * |
Freerdp2 | Ubuntu | upstream | * |