FreeRDP Heap Buffer Overflow Vulnerability in ClearCodec Resize Function

Vulnerability

A heap buffer overflow vulnerability has been identified in FreeRDP versions prior to 3.24.2. The issue arises in the ClearCodec resize_vbar_entry() function, where the vBarEntry's size is updated to match its count before a memory reallocation is attempted. If the reallocation fails, the size remains inflated while the pixel pointer still references the original, smaller buffer. This creates a scenario where, during a subsequent call with a count that is less than or equal to the inflated size, the reallocation is bypassed. Consequently, the function writes an attacker's pixel data into the undersized buffer, leading to a heap buffer overflow.

Impact

Triggering this vulnerability causes a heap buffer overflow, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, a malicious RDP server can send ClearCodec band data that fills a vbar cache entry with a small buffer. The server can then send a larger request whose allocation fails due to memory pressure, and subsequently reuse the cache slot to write pixel data into the smaller buffer that is still allocated, thereby causing the overflow.
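The stale-size pattern from the Vulnerability and Reproduction sections, shown beside one hardened form, as an added example that is not FreeRDP's code or its patch. The struct, the function names, the `real` field and the injected allocation failure are assumptions made for illustration, and no out-of-bounds write is performed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of a cache entry; names are illustrative, not FreeRDP's. */
typedef struct {
    uint32_t *pixels; /* heap buffer */
    uint32_t size;    /* capacity the code believes it has, in pixels */
    uint32_t real;    /* true capacity, tracked only for this demo */
} entry_t;
static bool fail_next_alloc = false; /* constructed fault injection */
static void *demo_realloc(void *p, size_t n) {
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return realloc(p, n);
}

/* Pattern from the advisory: size is raised before realloc is checked. */
static bool resize_buggy(entry_t *e, uint32_t count) {
    if (count > e->size) {
        e->size = count; /* committed too early */
        uint32_t *tmp = demo_realloc(e->pixels, (size_t)count * sizeof(uint32_t));
        if (!tmp) return false; /* size stays inflated, pixels stays small */
        e->pixels = tmp;
        e->real = count;
    }
    return true;
}

/* Hardened form: pointer and size change together, only on success. */
static bool resize_fixed(entry_t *e, uint32_t count) {
    if (count > e->size) {
        uint32_t *tmp = demo_realloc(e->pixels, (size_t)count * sizeof(uint32_t));
        if (!tmp) return false; /* entry left unchanged */
        e->pixels = tmp;
        e->size = e->real = count;
    }
    return true;
}

/* Small fill, failed grow, slot reuse. Returns 1 if the entry would accept
 * more pixels than its real buffer holds (no out-of-bounds write is made). */
static int stale_size_accepted(bool (*resize)(entry_t *, uint32_t)) {
    entry_t e = {0};
    resize(&e, 4);
    fail_next_alloc = true;
    resize(&e, 64);
    int bad = resize(&e, 64) && 64 > e.real;
    free(e.pixels);
    return bad;
}
```

With the early commit, the third call skips reallocation and reports success against a 4-pixel buffer; with the hardened form, the retry reallocates before reporting success.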

Remediation

Users should upgrade to FreeRDP version 3.24.2 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 10:29 PM
Updated: Mar 30, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.