FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*
- <= 3.20.2
A heap buffer overflow vulnerability has been identified in FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.21.0. The function 'freerdp_bitmap_decompress_planar' does not validate the source width and height against the maximum allowed dimensions before performing Run-Length Encoding (RLE) decoding. A malicious server can therefore send a planar bitmap whose dimensions exceed what the client's buffer can hold, leading to a buffer overflow. Exploitation can cause a crash, heap corruption, and potentially arbitrary code execution, depending on the behavior of the memory allocator and the layout of the heap.
Exploitation of this vulnerability causes a heap buffer overflow, leading to a crash and potential heap corruption. Such corruption could be exploited to execute arbitrary code, depending on the behavior of the memory allocator and the surrounding heap layout.
To reproduce this vulnerability, send a 'CreateSurface' command with a width and height that exceed the desktop size, ensuring that the surface dimensions surpass the planar context's maximum width and height. Then, send a 'WireToSurface1' command containing a planar bitmap with the RLE flag set and the No Alpha (NA) bit activated, making sure the bitmap header includes width and height values that are large enough and consistent with the surface size. This will cause the decoding loop to advance beyond the bounds of the context buffer, triggering the heap overflow.
Users can upgrade to FreeRDP version 3.21.0 or later, where this vulnerability has been patched.
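The class of check described above (header width and height validated against the decoder context's maximum before any RLE output is written) is sketched below as an added example; it is not FreeRDP's code or its patch. The names `planar_ctx`, `planar_ctx_new` and `planar_decode_plane` are hypothetical, and the (run length, value) byte-pair format is a constructed toy RLE, not the RDP planar encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a planar decoder context (names are assumptions):
 * one plane buffer allocated once for max_width x max_height. */
typedef struct {
    uint32_t max_width, max_height;
    uint8_t *plane;
} planar_ctx;

planar_ctx *planar_ctx_new(uint32_t max_w, uint32_t max_h)
{
    if (max_w == 0 || max_h == 0 || max_w > SIZE_MAX / max_h)
        return NULL;
    planar_ctx *ctx = calloc(1, sizeof(*ctx));
    if (!ctx || !(ctx->plane = calloc(max_w, max_h))) { free(ctx); return NULL; }
    ctx->max_width = max_w; ctx->max_height = max_h;
    return ctx;
}

/* Decodes (run_length, value) byte pairs, a constructed toy RLE rather than
 * the RDP planar encoding. Returns bytes written, or -1 when rejected. */
long planar_decode_plane(planar_ctx *ctx, const uint8_t *src, size_t src_len,
                         uint32_t width, uint32_t height)
{
    /* Header dimensions must fit the context before any decoding starts. */
    if (!ctx || !src || width == 0 || height == 0 ||
        width > ctx->max_width || height > ctx->max_height)
        return -1;
    size_t out = 0, need = (size_t)width * height; /* <= max_width * max_height */
    for (size_t i = 0; i + 1 < src_len && out < need; i += 2) {
        size_t run = src[i];
        if (run > need - out) /* a run may not cross the end of the plane */
            return -1;
        for (size_t k = 0; k < run; k++)
            ctx->plane[out++] = src[i + 1];
    }
    return out == need ? (long)out : -1; /* truncated input is rejected too */
}

int main(void)
{
    planar_ctx *ctx = planar_ctx_new(4, 4);   /* constructed 4x4 context */
    const uint8_t fill16[] = { 16, 0xAA };    /* constructed: one run of 16 bytes */
    printf("4x4 header: %ld\n", planar_decode_plane(ctx, fill16, 2, 4, 4));
    printf("8x8 header: %ld\n", planar_decode_plane(ctx, fill16, 2, 8, 8));
    return 0;
}
```

The dimension check alone is not sufficient: the per-run bound inside the loop keeps a header that passes validation from being paired with run lengths that write past the declared plane size.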