FreeRDP Client-Side Heap Buffer Overflow Vulnerability in Surface-to-Surface GDI Processing

Vulnerability

A heap buffer overflow vulnerability has been identified in the FreeRDP client, specifically in the 'gdi_SurfaceToSurface' function. The issue arises from a discrepancy between how destination rectangles are clamped and the actual size of the data that is then copied: the copy is not restricted to the clamped extent. As a result, a malicious server can trigger a client-side heap buffer overflow. Exploitation causes a crash and potential heap corruption, with a risk of arbitrary code execution depending on the behavior of the memory allocator and the layout of the heap. This vulnerability affects FreeRDP versions prior to 3.21.0.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, leading to a crash and potential heap corruption. Such corruption carries a risk of arbitrary code execution, depending on how the memory allocator manages the corrupted heap.

Reproduction

To reproduce this vulnerability, create a large surface (with a height of 65535 or more) and send a 'SurfaceToSurface' PDU that includes a destination point whose y-coordinate plus the copied height exceeds the surface's actual height. This triggers the heap buffer overflow through an out-of-bounds write.
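The clamp-versus-copy-size mismatch described in the Vulnerability and Reproduction sections, shown as an added example that is not FreeRDP's own code: a hypothetical surface copy that derives the extent it actually copies from the rectangles after clamping against both surfaces, computed in 32-bit arithmetic so that a y-coordinate plus height near 65535 cannot wrap. The surface_t type and the surface_to_surface and rows_copied names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 32bpp surface, row-major pixels; not FreeRDP's own gdi types. */
typedef struct { uint32_t width, height; uint32_t *pixels; } surface_t;

/* Clamp a w x h rectangle at (x, y) to the surface, shrinking *w/*h in place.
 * Returns false when none of the rectangle lies inside the surface. Working in
 * uint32_t keeps y + h from wrapping if the wire fields were 16-bit (an
 * assumption suggested by the 65535 figure in the reproduction notes). */
static bool clamp_rect(const surface_t *s, uint32_t x, uint32_t y,
                       uint32_t *w, uint32_t *h)
{
    if (x >= s->width || y >= s->height) return false;
    if (*w > s->width - x) *w = s->width - x;
    if (*h > s->height - y) *h = s->height - y;
    return *w > 0 && *h > 0;
}

/* Copy a w x h block from src at (sx, sy) to dst at (dx, dy). The extent that
 * memcpy uses is the one left after clamping against BOTH surfaces, so the
 * bytes written can never exceed either buffer. Returns rows copied. */
uint32_t surface_to_surface(const surface_t *src, uint32_t sx, uint32_t sy,
                            surface_t *dst, uint32_t dx, uint32_t dy,
                            uint32_t w, uint32_t h)
{
    uint32_t cw = w, ch = h;
    if (!clamp_rect(src, sx, sy, &cw, &ch) || !clamp_rect(dst, dx, dy, &cw, &ch))
        return 0;
    for (uint32_t row = 0; row < ch; row++)
        memcpy(&dst->pixels[(size_t)(dy + row) * dst->width + dx],
               &src->pixels[(size_t)(sy + row) * src->width + sx],
               (size_t)cw * sizeof(uint32_t));
    return ch;
}

/* Harness on two constructed width-4 surfaces: rows really written for a
 * request of h rows at destination row dy. */
uint32_t rows_copied(uint32_t src_h, uint32_t dst_h, uint32_t dy, uint32_t h)
{
    surface_t src = { 4, src_h, calloc((size_t)4 * src_h, sizeof(uint32_t)) };
    surface_t dst = { 4, dst_h, calloc((size_t)4 * dst_h, sizeof(uint32_t)) };
    uint32_t n = (src.pixels && dst.pixels)
                     ? surface_to_surface(&src, 0, 0, &dst, 0, dy, 4, h) : 0;
    free(src.pixels);
    free(dst.pixels);
    return n;
}
```

A request of 10 rows at row 65530 of a 65535-row surface writes only the 5 rows that exist; a destination row equal to the height writes nothing.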

Remediation

Users can upgrade to FreeRDP version 3.21.0 or later, where this vulnerability has been patched.

Added: Jan 19, 2026, 5:20 PM
Updated: Jan 19, 2026, 5:20 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.4
  impact         10.0
  exploitability  5.2
  remediation     7.7
  relevance       2.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.