CVE-2026-55191
Public on 2026-07-10
Modified on 2026-07-10
Description
Heap-buffer-overflow write in AVC444 YUV buffer allocation
In libfreerdp/codec/h264.c, avc444_ensure_buffer() computes the AVC444 YUV444 intermediate buffer size as piDstSize[x] = piDstStride[x] * padDstHeight using UINT32 arithmetic. When the true product exceeds UINT32_MAX, the value wraps to a small non-zero integer. The only guard is if (piDstSize[x] == 0) return FALSE, so non-zero wraps pass. winpr_aligned_recalloc() then allocates a buffer far too small, and yuv444_context_decode() → YUV420CombineToYUV444() writes using the real stride and rectangle dimensions, causing a heap-buffer-overflow write.
The reallocation trigger at lines 498–499 correctly compares against 1ull * piMainStride[0] * padDstHeight (64-bit), but the allocation at line 504 still uses 32-bit multiply.
In libfreerdp/codec/h264.c, avc444_ensure_buffer() computes the AVC444 YUV444 intermediate buffer size as piDstSize[x] = piDstStride[x] * padDstHeight using UINT32 arithmetic. When the true product exceeds UINT32_MAX, the value wraps to a small non-zero integer. The only guard is if (piDstSize[x] == 0) return FALSE, so non-zero wraps pass. winpr_aligned_recalloc() then allocates a buffer far too small, and yuv444_context_decode() → YUV420CombineToYUV444() writes using the real stride and rectangle dimensions, causing a heap-buffer-overflow write.
The reallocation trigger at lines 498–499 correctly compares against 1ull * piMainStride[0] * padDstHeight (64-bit), but the allocation at line 504 still uses 32-bit multiply.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | freerdp | Not Affected | ||
| Amazon Linux 2023 | freerdp | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |