FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*
- <= 3.25.0
A heap-based buffer overflow vulnerability has been identified in FreeRDP's planar bitmap decoder, prior to version 3.26.0. The issue arises when decoding RLE planar data, specifically in the 'libfreerdp/codec/planar.c' file. The function 'freerdp_bitmap_decompress_planar()' improperly validates the X destination coordinate against the provided destination stride while writing to an internal temporary buffer. This flaw allows an attacker to manipulate the coordinates and stride, causing a write operation to exceed the buffer's allocated memory, leading to potential memory corruption.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption. This vulnerability has been confirmed to cause a crash, creating a denial-of-service condition. However, given the nature of heap-based buffer overflows, there is a possibility of arbitrary code execution, depending on the memory allocator's behavior and the presence of exploit mitigations.
The vulnerability can be reproduced by creating a planar context and allocating a temporary buffer. The 'freerdp_bitmap_decompress_planar()' function can then be called with manipulated destination stride and X destination coordinates that bypass the bounds check, causing an out-of-bounds write into the temporary buffer.
Users should upgrade to FreeRDP version 3.26.0 or later, where this vulnerability has been fixed.
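The bounds-check flaw described above (a coordinate validated against a caller-supplied stride instead of against the buffer that receives the write), shown beside a hardened check as an added C example; it is not FreeRDP's code or its patch. The names 'plane_buf', 'fits_caller_step' and 'fits_buffer' and all sample dimensions are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the buffer a decoder writes into (not FreeRDP's types). */
typedef struct {
    size_t size;   /* bytes actually allocated */
    uint32_t step; /* bytes per row of this buffer */
    uint32_t bpp;  /* bytes per pixel */
} plane_buf;

/* Flawed pattern: X is checked against the stride the caller supplied for its
 * own surface, which says nothing about the buffer that receives the write. */
static bool fits_caller_step(uint32_t x, uint32_t w, uint32_t bpp, uint32_t caller_step)
{
    return bpp != 0 && (uint64_t)x + w <= caller_step / bpp;
}

/* Hardened pattern: validate the rectangle against the geometry and size of
 * the buffer being written. Division keeps the arithmetic from wrapping. */
static bool fits_buffer(const plane_buf *b, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (!b || b->bpp == 0 || b->step == 0 || w == 0 || h == 0)
        return false;
    if ((uint64_t)x + w > b->step / b->bpp) /* row would run past its stride */
        return false;
    return (uint64_t)y + h <= b->size / b->step; /* rows must exist in the allocation */
}

int main(void)
{
    /* Constructed sample: 64x64 temporary buffer at 4 bytes per pixel. */
    plane_buf tmp = { 64u * 64u * 4u, 64u * 4u, 4u };
    /* Constructed request: caller claims a 4096-byte stride and X = 500. */
    uint32_t x = 500, y = 0, w = 64, h = 64, caller_step = 4096;

    printf("check against caller stride: %s\n",
           fits_caller_step(x, w, tmp.bpp, caller_step) ? "accept" : "reject");
    printf("check against written buffer: %s\n",
           fits_buffer(&tmp, x, y, w, h) ? "accept" : "reject");
    return 0;
}
```

The same constructed request is accepted by the first check and rejected by the second, because only the second consults the dimensions of the allocation that is written.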