FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*
- <= 3.20.2
A heap-based buffer overflow vulnerability has been identified in FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.21.0. The vulnerability arises in the FastGlyph parsing, where the `cbData` length is trusted without proper validation against the minimum size indicated by `cx` and `cy`. This flaw allows a malicious server to trigger a client-side global buffer overflow, leading to a crash and causing a denial-of-service condition.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to a crash of the FreeRDP client, creating a denial-of-service condition.
The vulnerability can be reproduced by using a malicious server that sends FastGlyph data with a `cbData` length that exceeds the actual glyph data size, while the `cx` and `cy` values imply a larger size is needed. This can be done by crafting a response that takes advantage of the FastGlyph parsing in the RDP protocol, specifically targeting the glyph caching mechanism.
Users can upgrade to FreeRDP version 3.21.0 or later, where this vulnerability has been patched.
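The missing check described above, validating the declared `cbData` against the minimum size implied by `cx` and `cy` before touching the bitmap, is sketched below as an added example; it is not FreeRDP's code or its patch. The record layout, the function names and the 1-bit-per-pixel, byte-padded-row size formula are assumptions made for illustration, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified glyph record (not FreeRDP's wire format):
 *   cx (u16 LE) | cy (u16 LE) | bitmap bytes
 * cbData is the sender-declared length of the whole record. */
#define GLYPH_HDR 4u

/* Constructed samples: both claim cx=16, cy=2, which needs 4 bitmap bytes. */
static const uint8_t SAMPLE_OK[]    = { 0x10, 0x00, 0x02, 0x00, 0xFF, 0x00, 0x0F, 0xF0 };
static const uint8_t SAMPLE_SHORT[] = { 0x10, 0x00, 0x02, 0x00, 0xFF, 0x00 };

/* Assumption: 1 bit per pixel, each row padded to a whole byte. */
static int glyph_min_bytes(uint16_t cx, uint16_t cy, size_t *need)
{
    if (cx == 0 || cy == 0)
        return -1;
    *need = (((size_t)cx + 7u) / 8u) * (size_t)cy;
    return 0;
}

/* Returns a heap copy of the bitmap, or NULL if the record is inconsistent. */
static uint8_t *glyph_parse(const uint8_t *buf, size_t avail, size_t cbData, size_t *out_len)
{
    size_t need;
    if (cbData > avail || cbData < GLYPH_HDR)   /* declared length must fit what was received */
        return NULL;
    uint16_t cx = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t cy = (uint16_t)(buf[2] | (buf[3] << 8));
    if (glyph_min_bytes(cx, cy, &need) != 0)
        return NULL;
    if (cbData - GLYPH_HDR < need)              /* cx/cy imply more data than cbData carries */
        return NULL;
    uint8_t *bmp = malloc(need);
    if (bmp == NULL)
        return NULL;
    memcpy(bmp, buf + GLYPH_HDR, need);         /* bounded by the checks above */
    *out_len = need;
    return bmp;
}

/* 1 if the record passes validation, 0 if it is rejected. */
static int glyph_accepts(const uint8_t *buf, size_t avail, size_t cbData)
{
    size_t len = 0;
    uint8_t *bmp = glyph_parse(buf, avail, cbData, &len);
    free(bmp);
    return bmp != NULL;
}
```

Without the `cbData - GLYPH_HDR < need` comparison, `SAMPLE_SHORT` would drive the copy two bytes past the end of the received buffer.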