FreeRDP Progressive Codec Quant Underflow Vulnerability Leading to Undefined Behavior and CPU Denial-of-Service

Vulnerability

A vulnerability in FreeRDP's progressive codec handling can cause an unsigned byte underflow (wrap-around), leading to undefined behavior and a CPU denial-of-service condition. The issue is present in FreeRDP versions through 3.24.1. It arises in the 'progressive_decompress_tile_upgrade()' function, which does not reject a mismatch between a tile's quantization values. Instead of aborting the tile, the function logs a warning and continues, so the quantization difference wraps to a large byte value that is then used as a shift exponent. Shifting by an exponent at least as wide as the operand is undefined behavior in C; in practice the oversized value drives an estimated 80 billion iteration loop that effectively hangs the CPU. Although the BitStream itself is bounds-checked, so no out-of-bounds read is involved, the unchecked quantization values are enough to cause this severe performance degradation.

Impact

Exploitation of this vulnerability causes the FreeRDP process decoding the progressive stream to spin in the decoder loop, hanging the CPU and producing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced against FreeRDP versions through 3.24.1 by supplying progressive codec data whose quantization values do not match the values the tile was previously decoded with. The 'progressive_decompress_tile_upgrade()' function logs a warning about the mismatch but does not stop processing, so the wrapped value is used as a shift exponent. Under Undefined Behavior Sanitizer this surfaces as a 'shift exponent too large' report, and without the sanitizer the decoder enters the long-running loop that causes the CPU denial-of-service condition.
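The mechanism described in the Vulnerability and Reproduction sections, as an added example (not FreeRDP source): a set of per-band quantization values stored in bytes, the shift count derived as a byte difference that wraps when the values mismatch, a coefficient upgrade step that would perform the oversized shift, and the two decoder policies side by side, warn-and-continue versus reject. The struct layout, the 'MAX_SHIFT' bound of 15 for 16-bit coefficients, and all function names are this example's own assumptions, modelled on the advisory's description rather than copied from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Ten per-band quantization values, one byte each. Modelled on the
 * progressive codec's component quant structure; this struct and every
 * name below belong to this example, not to FreeRDP. */
#define QUANT_BANDS 10
typedef struct {
    uint8_t band[QUANT_BANDS];
} quant_t;

/* Coefficients are 16-bit. A shift count above 15 is never a valid bit
 * position for them, and a count >= the promoted operand width (32) is
 * undefined behavior in C, which is what UBSan flags. Assumed bound. */
#define MAX_SHIFT 15

/* Derive each band's shift count as the difference of two quant bytes with
 * no checks: subtracting a larger byte from a smaller one wraps (6 - 7 == 255). */
static void quant_sub_unchecked(const quant_t *full, const quant_t *prog, quant_t *out)
{
    for (size_t i = 0; i < QUANT_BANDS; i++)
        out->band[i] = (uint8_t)(full->band[i] - prog->band[i]);
}

/* Hardened variant: reject the tile if any band would wrap or would yield a
 * shift count that cannot be applied to a 16-bit coefficient.
 * Returns 0 on success, -1 on rejection (out is left untouched). */
static int quant_sub_checked(const quant_t *full, const quant_t *prog, quant_t *out)
{
    quant_t tmp;
    for (size_t i = 0; i < QUANT_BANDS; i++) {
        if (prog->band[i] > full->band[i])
            return -1;                          /* would underflow */
        unsigned d = (unsigned)full->band[i] - prog->band[i];
        if (d > MAX_SHIFT)
            return -1;                          /* not a usable shift count */
        tmp.band[i] = (uint8_t)d;
    }
    *out = tmp;
    return 0;
}

/* One coefficient upgrade step: merge a newly decoded magnitude at the given
 * bit position. Guarding bitpos here is the last line of defence; with a
 * wrapped bitpos of 255 the shift below is the UB the advisory reports. */
static int upgrade_coeff(int16_t coeff, uint16_t mag, int negative,
                         unsigned bitpos, int16_t *out)
{
    if (bitpos > MAX_SHIFT)
        return -1;
    int32_t add = (int32_t)((uint32_t)mag << bitpos);
    *out = (int16_t)(negative ? coeff - add : coeff + add);
    return 0;
}

/* The decision the advisory turns on. strict == 0 models warn-and-continue:
 * the mismatch is logged and the wrapped shift counts are handed on.
 * strict != 0 models the fix: the tile is rejected.
 * Returns 0 if shift counts were produced, -1 if the tile was rejected. */
static int tile_upgrade_shifts(const quant_t *full, const quant_t *prog,
                               int strict, quant_t *shifts)
{
    if (strict)
        return quant_sub_checked(full, prog, shifts);

    for (size_t i = 0; i < QUANT_BANDS; i++) {
        if (prog->band[i] > full->band[i]) {
            fprintf(stderr, "warning: quantization mismatch in band %zu "
                            "(full=%u, progressive=%u)\n",
                    i, full->band[i], prog->band[i]);
            break;
        }
    }
    quant_sub_unchecked(full, prog, shifts);    /* continues with wrapped values */
    return 0;
}

int main(void)
{
    /* Constructed input: the earlier pass used quant 6 in every band, the new
     * progressive pass claims 7 in band 0, which is the mismatch. */
    const quant_t full = { { 6, 6, 6, 6, 6, 6, 6, 6, 6, 6 } };
    const quant_t prog = { { 7, 6, 6, 6, 6, 6, 6, 6, 6, 6 } };
    quant_t shifts;
    int16_t out;

    tile_upgrade_shifts(&full, &prog, 0, &shifts);
    printf("lenient: band 0 shift count = %u\n", shifts.band[0]);          /* 255 */
    printf("lenient: upgrade_coeff with that count -> %d\n",
           upgrade_coeff(100, 3, 0, shifts.band[0], &out));                /* -1 */
    printf("strict : tile status = %d\n",
           tile_upgrade_shifts(&full, &prog, 1, &shifts));                 /* -1 */
    return 0;
}
```

The point to carry over to the real decoder is that the check belongs at the quantization step, before any shift count is derived: once a wrapped byte has been stored, every downstream consumer (shifts, loop bounds, bit reads) inherits the bad value, and a guard on the shift alone does not stop the oversized loop the advisory describes.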

Remediation

Users can upgrade to FreeRDP version 3.24.2 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 10:30 PM
Updated: Mar 30, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.