{"id":"CVE-2019-17178","details":"HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through 2019-09-28, as used in WinPR in FreeRDP and other products, has a memory leak because a supplied realloc pointer (i.e., the first argument to realloc) is also used for a realloc return value.","modified":"2026-04-16T04:31:14.837005213Z","published":"2019-10-04T17:15:10.067Z","related":["SUSE-SU-2019:3077-1","SUSE-SU-2019:3078-1","SUSE-SU-2019:3079-1","openSUSE-SU-2019:2604-1","openSUSE-SU-2019:2608-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00004.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00005.html"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/issues/5645"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freerdp/freerdp","events":[{"introduced":"0"},{"last_affected":"616aed4ec2889f379b9d1e840230d9a33cda8bf0"},{"introduced":"0"},{"last_affected":"1be90abcb9440b6f14b3fca4d7b462d9b3ce6432"},{"fixed":"9fee4ae076b1ec97b97efb79ece08d1dab4df29a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.2"},{"introduced":"0"},{"last_affected":"1.1.0-beta1"}]}}],"versions":["1.0-beta1","1.0-beta2","1.0-beta4","1.0-beta5","1.0.0","1.0.1","1.0.2","1.0.2-rc1","1.0.2-rc2","1.1.0-beta+2013071101","1.1.0-beta1","1.1.0-beta1+android2","1.1.0-beta1+android3","1.1.0-beta1+android4","1.1.0-beta1+android5","1.1.0-beta1+ios1","1.1.0-beta1+ios2","1.1.0-beta1+ios3","1.1.0-beta1+ios4","1.2.0-beta1+android7","1.2.0-beta1+android9","2.0.0-beta1+android10","2.0.0-beta1+android11","2.0.0-rc0","2.0.0-rc1","2.0.0-rc2","2.0.0-rc3","2.0.0-rc4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17178.json","vanir_signatures_modified":"2026-04-11T09:39:38Z","vanir_signatures":[{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"threshold":0.9,"line_hashes":["269215551196728372072229002611498048274","60882436054191971992951776647637498497","246423792840165743178928287324492503526","186775369845774264331823368553861729311","121033979759465712227962233428386596536","333459367581250853282024688279097815294","52652199316993592414430078609399706190","281242411092693082450489738599220562788","293078200095957182578457349885119669019"]},"signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"winpr/libwinpr/utils/lodepng/lodepng.c"},"id":"CVE-2019-17178-4f8c096a"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"function_hash":"111556578513038953191829364359908659521","length":2318},"signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"client/X11/generate_argument_docbook.c","function":"tr_esc_str"},"id":"CVE-2019-17178-7ec9b5d0"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"function_hash":"238058498232279513812602263336545750696","length":1417},"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"libfreerdp/codec/region.c","function":"region16_intersect_rect"},"id":"CVE-2019-17178-80fe4fbc"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"function_hash":"182161999730597109211945894636287786661","length":910},"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"libfreerdp/codec/region.c","function":"region16_simplify_bands"},"id":"CVE-2019-17178-9e923a88"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"threshold":0.9,"line_hashes":["169942117269173459854457627031907093168","192678371756632553035970616533493584616","67712262644008916266627221126531232786","111352148105322516270348382852283456869","68688189215770436792667200383767070546","120400749965676790911622306983534637449","337960107116802670648657492232181897010","115590768827935740976323704459018392382","19501158130532074895777220320136227012","222911646423814009956664567931908529052","314707534127468225231502214208236632670","176978620197884198033439116035680797325","232962076676134982586978795924198445130","54923070188309183671310197226108892649","314707534127468225231502214208236632670","176978620197884198033439116035680797325","161703410555354982306830631585466092817","278765345449261648401903298331054283307","90260239477347542038201787329833467610","176978620197884198033439116035680797325","244861578303904110441648214358557235912","83582483396781978813770731794463705285","90260239477347542038201787329833467610","176978620197884198033439116035680797325","313217851107018138835367919458041581201","216904702782556537822758554598757525054","148190799425122740469724662021157560141","176978620197884198033439116035680797325"]},"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"client/X11/generate_argument_docbook.c"},"id":"CVE-2019-17178-b16b382d"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"function_hash":"153710806257076984915596454631468483510","length":2888},"signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"libfreerdp/codec/region.c","function":"region16_union_rect"},"id":"CVE-2019-17178-bc572671"},{"source":"https://github.com/freerdp/freerdp/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a","digest":{"threshold":0.9,"line_hashes":["236789859763925190122086759330866475518","303447436975685695637060891267598298600","238855805430459233328977818012291901312","320151404832153686982822229424724071681","306277995164946684417977004325037077541","321893086654608489648272653389745040833","320334514659870503550670014781451630788","269239849473155655800555847669994911240","116891536248283089850423111705276134785","110177783688515234290913881762732141893","238100245164064885829079799523851780215","11546404366772640448671224959801578622","31636775941089041245965245234738855235","300596855173215564464195492167778391485","100368184650351677725721506535300695529","143839062400987009432695694937797317323","111849370724169758773020147272706896899","225149152969146341033887566919266056394","17200948198447921021291136443610520655","288041447184418308804384182739267874627","14946096756773680099055441873743711075"]},"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"libfreerdp/codec/region.c"},"id":"CVE-2019-17178-fd5cbcf7"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2019-09-28"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}