FreeRDP Stream_EnsureCapacity Function Integer Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in FreeRDP versions prior to 3.23.0 in which the Stream_EnsureCapacity function can enter an infinite blocking loop. The issue affects all client and server implementations that use FreeRDP, but it can only be exploited on 32-bit systems with sufficient physical memory. It arises from an integer overflow when the function grows the stream's allocation: the overflowed capacity leaves the loop with an exit condition that is never satisfied.

Impact

Exploitation of this vulnerability leads to an infinite loop, causing a denial-of-service condition by blocking further processing.

Reproduction

To reproduce this vulnerability, create a stream with a size of SSIZE_MAX/2. When Stream_EnsureCapacity is called, it attempts to double the allocation size, which causes an overflow. The function then sets the new capacity to 0, leading to an infinite loop because the condition to exit the loop is never met.
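The loop behaviour described above, modelled as an added example (this is not FreeRDP source code, and the checked variant is not the 3.23.0 patch): a capacity doubled in 32-bit unsigned arithmetic wraps to 0 and stays there, while a checked variant rejects the request. The names `size32_t`, `grow_unchecked`, `grow_checked` and `DEMO_MAX_STEPS` are hypothetical, and the requested size `UINT32_MAX` is a constructed value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit size_t; not FreeRDP source code. */
typedef uint32_t size32_t;
#define DEMO_MAX_STEPS 64 /* demo-only guard so the stuck loop can be observed */

/* Unchecked doubling. Returns the number of doublings performed, or -1 when
 * the guard is hit, which means the real loop would never terminate. */
int grow_unchecked(size32_t capacity, size32_t required, size32_t *out)
{
    size32_t new_capacity = capacity;
    for (int steps = 1; steps <= DEMO_MAX_STEPS; steps++) {
        new_capacity *= 2; /* unsigned arithmetic wraps modulo 2^32 */
        if (new_capacity >= required) {
            *out = new_capacity;
            return steps;
        }
    }
    *out = new_capacity; /* 0 once every set bit has been shifted out */
    return -1;
}

/* Checked growth: refuses the request instead of wrapping. */
bool grow_checked(size32_t capacity, size32_t required, size32_t *out)
{
    size32_t new_capacity = capacity ? capacity : 1; /* 0 * 2 never grows */
    while (new_capacity < required) {
        if (new_capacity > UINT32_MAX / 2)
            return false; /* doubling would overflow: fail the allocation */
        new_capacity *= 2;
    }
    *out = new_capacity;
    return true;
}

int main(void)
{
    size32_t cap = 0;
    size32_t start = (size32_t)INT32_MAX / 2; /* SSIZE_MAX/2 on a 32-bit build */
    int steps = grow_unchecked(start, UINT32_MAX, &cap);
    printf("unchecked: steps=%d capacity=%u\n", steps, (unsigned)cap);
    printf("checked:   ok=%d\n", grow_checked(start, UINT32_MAX, &cap));
    return 0;
}
```

In the unchecked model the capacity reaches 0 after 32 doublings, so the comparison against the requested size can never succeed; the checked model returns failure to the caller, which must then treat the stream as unusable.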

Remediation

Users can upgrade to FreeRDP version 3.23.0 or later, where this vulnerability has been patched.

Added: Feb 26, 2026, 4:37 AM
Updated: Feb 26, 2026, 4:37 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.