FreeRDP Heap-Based Buffer Overflow Vulnerability in H.264 Decoder via RDPGFX Frames

Vulnerability

A heap-based buffer overflow vulnerability has been identified in FreeRDP versions prior to 3.24.2. The flaw is in the H.264 decoding path, in the 'yuv_ensure_buffer()' function of 'libfreerdp/codec/h264.c'. The function updates the stored width and height before it reallocates the buffers. If the allocation fails, the function returns an error, but the width and height have already been increased, so the recorded dimensions no longer match the memory that is actually allocated. The H.264 decoder can then write decoded YUV data into buffers that are smaller than those dimensions imply. A malicious RDP server can trigger this remotely through the RDPGFX protocol by sending crafted H.264 NAL units.
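The ordering problem described above, shown as an added example next to a corrected form. This is a simplified model written for this page, not FreeRDP's code: the struct, the function names, the allocation-failure hook and the 4096x4096 request are all constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical plane state for illustration; not FreeRDP's structure. */
typedef struct { uint8_t *buf; uint32_t width, height; size_t cap; } plane_t;

/* Test hook: make the next allocation fail, as it could under memory pressure. */
static int fail_next_alloc = 0;
static void *hooked_realloc(void *p, size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* Flawed ordering: dimensions are stored before the allocation is known to succeed. */
int ensure_buffer_unsafe(plane_t *pl, uint32_t w, uint32_t h) {
    pl->width = w; pl->height = h;
    void *n = hooked_realloc(pl->buf, (size_t)w * h);
    if (!n) return 0;  /* error returned, but width/height already changed */
    pl->buf = n; pl->cap = (size_t)w * h;
    return 1;
}

/* Corrected ordering: check the size, allocate, then commit all fields together. */
int ensure_buffer_safe(plane_t *pl, uint32_t w, uint32_t h) {
    if (w == 0 || h == 0 || (size_t)w > SIZE_MAX / h) return 0;
    size_t need = (size_t)w * h;
    if (need > pl->cap) {
        void *n = hooked_realloc(pl->buf, need);
        if (!n) return 0;  /* old buffer and old dimensions still agree */
        pl->buf = n; pl->cap = need;
    }
    pl->width = w; pl->height = h;
    return 1;
}

/* Invariant any writer relies on: recorded dimensions fit in the allocation. */
int plane_consistent(const plane_t *pl) { return (size_t)pl->width * pl->height <= pl->cap; }

/* Constructed scenario: a 64x32 (2,048-byte) plane, then a grow whose allocation fails. */
int consistent_after_failed_grow(int use_safe) {
    plane_t pl = {0};
    if (!ensure_buffer_safe(&pl, 64, 32)) return -1;
    fail_next_alloc = 1;
    int ok = (use_safe ? ensure_buffer_safe : ensure_buffer_unsafe)(&pl, 4096, 4096);
    int consistent = !ok && plane_consistent(&pl);
    free(pl.buf);
    return consistent;
}

int main(void) { return !(consistent_after_failed_grow(0) == 0 && consistent_after_failed_grow(1) == 1); }
```

Both variants report the failed allocation, but only the corrected one leaves the recorded dimensions matching the buffer. Asserting the `plane_consistent()` invariant before any write is a cheap regression check for this class of bug.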

Impact

Exploitation of this vulnerability leads to a severe heap-based buffer overflow in which up to 33 megabytes of data can be written into a buffer of only 2,048 bytes. The attacker partially controls the overflowing data through manipulated H.264 data, which creates a significant remote exploitation risk.

Remediation

Users can upgrade to FreeRDP version 3.24.2 or later to address this vulnerability.

Added: Mar 30, 2026, 10:27 PM
Updated: Mar 30, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 4.5
remediation: 7.7
relevance: 4.9
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.