FreeRDP Heap Out-of-Bounds Write Vulnerability Due to Persistent Cache Size Desynchronization

Vulnerability

A heap out-of-bounds write vulnerability has been identified in FreeRDP versions prior to 3.24.2. The issue is in the 'persistent_cache_read_entry_v3' function in 'libfreerdp/cache/persistent.c': 'persistent->bmpSize' is updated before 'winpr_aligned_recalloc' is called to grow the buffer. If the reallocation fails, 'bmpSize' has already been increased while 'bmpData' still points to the old, smaller buffer. Because the subsequent 'fread' is bounded by this stale 'bmpSize', it writes past the end of the old buffer, corrupting heap memory.
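The ordering bug described above, as an added example that is not FreeRDP's own code: a simplified model of the cache entry, a fault-injected stand-in for 'winpr_aligned_recalloc', the vulnerable grow beside the corrected one, and a check that only the vulnerable ordering leaves 'bmpSize' larger than the buffer 'bmpData' still points to. The struct, the stub and the function names are assumptions; the 16 KB and 4 MB sizes are the ones the advisory states.

```c
#include <stdlib.h>

/* Simplified model of the cache state named in the advisory. Field names
 * follow the advisory; the code is an illustrative reconstruction, not FreeRDP's. */
typedef struct {
    unsigned char *bmpData;
    size_t bmpSize;   /* the size a later fread() trusts */
} cache_t;

/* Stand-in for winpr_aligned_recalloc with fault injection so the failure
 * path runs deterministically; alignment and zero-fill are omitted. */
static int fail_next_realloc = 0;
static void *recalloc_stub(void *ptr, size_t size) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(ptr, size);
}

/* Vulnerable ordering: bmpSize is committed before the allocation succeeds. */
int grow_vulnerable(cache_t *c, size_t needed) {
    if (needed <= c->bmpSize) return 1;
    c->bmpSize = needed;                        /* updated first */
    void *p = recalloc_stub(c->bmpData, needed);
    if (!p) return 0;                           /* bmpSize now exceeds the buffer */
    c->bmpData = p;
    return 1;
}

/* Fixed ordering: commit bmpSize only once the new buffer is in hand. */
int grow_fixed(cache_t *c, size_t needed) {
    if (needed <= c->bmpSize) return 1;
    void *p = recalloc_stub(c->bmpData, needed);
    if (!p) return 0;                           /* state left unchanged */
    c->bmpData = p;
    c->bmpSize = needed;
    return 1;
}

/* Start with the 16 KB buffer from the advisory, force the 4 MB grow to fail,
 * and return 1 if bmpSize now exceeds the buffer that bmpData still points to. */
int desync_after_failed_grow(int (*grow)(cache_t *, size_t)) {
    cache_t c = { calloc(16 * 1024, 1), 16 * 1024 };
    size_t actual = c.bmpSize;                  /* real allocation, unchanged on failure */
    fail_next_realloc = 1;
    grow(&c, 4 * 1024 * 1024);
    int desync = c.bmpSize > actual;
    free(c.bmpData);
    return desync;
}
```

A read bounded by the stale 'bmpSize' in the vulnerable case would overrun the 16 KB allocation; the fixed ordering leaves size and pointer consistent, so the caller can simply abort the entry.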

Impact

Exploitation of this vulnerability causes a heap out-of-bounds write, which can corrupt memory and potentially lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a crafted '.bmc' persistent cache file and using it with FreeRDP versions through 3.24.1. When 'fread' processes the entry data, it will write up to 4 MB into a buffer that is only 16 KB in size, due to the desynchronized 'bmpSize' value.

Remediation

Users can upgrade to FreeRDP version 3.24.2 or later to address this vulnerability.

Added: Mar 30, 2026, 10:25 PM
Updated: Mar 30, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 3.5
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.