FreeRDP Heap Buffer Overflow Vulnerability in RDPGFX ClearCodec Prior to 3.21.0

Vulnerability

A client-side heap buffer overflow vulnerability has been identified in FreeRDP versions prior to 3.21.0. The issue occurs in the RDPGFX ClearCodec decode path, where maliciously crafted residual data leads to out-of-bounds writes during color output. This vulnerability allows a malicious server to trigger the heap buffer overflow on the client side, causing a crash and potential heap corruption. Depending on the behavior of the memory allocator and the surrounding heap layout, there is a risk of code execution.
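To make the missing check concrete, here is an added, illustrative decoder for a ClearCodec residual segment; it is not FreeRDP's code and does not reproduce the specific defect, and it assumes the run-length entry layout documented in MS-RDPEGFX. The point is that each server-supplied run length is checked against the remaining destination pixels before any color output is written.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative ClearCodec residual-segment decoder (added example, not
 * FreeRDP's code). The entry layout is assumed from MS-RDPEGFX:
 *   blue, green, red, runLengthFactor1 (1 byte);
 *   if runLengthFactor1 == 0xFF: runLengthFactor2 (2 bytes, little-endian);
 *   if runLengthFactor2 == 0xFFFF: runLengthFactor3 (4 bytes, little-endian).
 * Pixels are written as 0xAARRGGBB. Returns the number of pixels written,
 * or -1 if the input is truncated or a run would write past dstPixels. */
static long clear_residual_decode(const uint8_t* src, size_t srcLen,
                                  uint32_t* dst, size_t dstPixels)
{
    size_t pos = 0;
    size_t written = 0;

    while (pos < srcLen)
    {
        if (srcLen - pos < 4)
            return -1; /* truncated entry header */
        const uint8_t b = src[pos], g = src[pos + 1], r = src[pos + 2];
        uint32_t run = src[pos + 3];
        pos += 4;
        if (run == 0xFF) /* runLengthFactor2 present */
        {
            if (srcLen - pos < 2)
                return -1;
            run = (uint32_t)src[pos] | ((uint32_t)src[pos + 1] << 8);
            pos += 2;
            if (run == 0xFFFF) /* runLengthFactor3 present */
            {
                if (srcLen - pos < 4)
                    return -1;
                run = (uint32_t)src[pos] | ((uint32_t)src[pos + 1] << 8) |
                      ((uint32_t)src[pos + 2] << 16) | ((uint32_t)src[pos + 3] << 24);
                pos += 4;
            }
        }
        /* The server controls `run`; this check is what keeps the run inside
         * the heap buffer. Comparing against the remaining space (rather than
         * adding run to written) avoids wrap-around in the arithmetic. */
        if (run > dstPixels - written)
            return -1;
        const uint32_t pixel = 0xFF000000u | ((uint32_t)r << 16) | ((uint32_t)g << 8) | b;
        for (uint32_t i = 0; i < run; i++)
            dst[written++] = pixel;
    }
    return (long)written;
}
```

A caller would additionally verify that the returned count equals the expected pixel count for the residual layer, since a short segment is also malformed.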

Impact

Exploitation of this vulnerability causes a client-side heap buffer overflow, leading to a crash and potential heap corruption. This heap corruption could be exploited for arbitrary code execution, depending on the behavior of the memory allocator and the layout of the heap.

Reproduction

The vulnerability can be reproduced by using a malicious server that sends crafted residual data to a FreeRDP client version prior to 3.21.0. The crafted data should be designed to exploit the ClearCodec's handling of the WIRE_TO_SURFACE_PDU_1, causing out-of-bounds writes that overwrite adjacent memory.

Remediation

Users can upgrade to FreeRDP version 3.21.0 or later, where this vulnerability has been patched.

Added: Jan 19, 2026, 6:30 PM
Updated: Jan 19, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 5.2
remediation: 7.7
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.