CVE-2026-55191

Public on 2026-07-10
Modified on 2026-07-10
Description
Heap-buffer-overflow write in AVC444 YUV buffer allocation

In libfreerdp/codec/h264.c, avc444_ensure_buffer() computes the AVC444 YUV444 intermediate buffer size as piDstSize[x] = piDstStride[x] * padDstHeight using UINT32 arithmetic. When the true product exceeds UINT32_MAX, the value wraps to a small non-zero integer. The only guard is if (piDstSize[x] == 0) return FALSE, so non-zero wraps pass. winpr_aligned_recalloc() then allocates a buffer far too small, and yuv444_context_decode() → YUV420CombineToYUV444() writes using the real stride and rectangle dimensions, causing a heap-buffer-overflow write.

The reallocation trigger at lines 498–499 correctly compares against 1ull * piMainStride[0] * padDstHeight (64-bit), but the allocation at line 504 still uses 32-bit multiply.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core freerdp Not Affected
Amazon Linux 2023 freerdp Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H