
Out-Of-Bounds Write in progressive_decompress

Moderate
akallabeth published GHSA-hm8c-rcjg-c8qp Aug 31, 2023

Package

FreeRDP

Affected versions

<= 2.10.0, <= 3.0.0-beta2

Patched versions

2.11.0, 3.0.0-beta3

Description

Summary

Out-Of-Bounds Write in progressive_decompress

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).

Details

for (UINT32 j = 0; j < nbUpdateRects; j++)
{
    const RECTANGLE_16* rect = &updateRects[j];
    const UINT32 nXSrc = rect->left - (nXDst + tile->x);
    const UINT32 nYSrc = rect->top - (nYDst + tile->y);
    const UINT32 width = rect->right - rect->left;
    const UINT32 height = rect->bottom - rect->top;
    if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, rect->left, rect->top, width,
                            height, tile->data, progressive->format, tile->stride, nXSrc,
                            nYSrc, NULL, FREERDP_KEEP_DST_ALPHA))
    {
        rc = -42;
        break;
    }
    if (invalidRegion)
        region16_union_rect(invalidRegion, invalidRegion, rect);
}

I might not have the exact cause, but it seems like the issue could be related to incorrect calculations of nXSrc and nYSrc, or possibly due to inadequate offset verification.
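As an added illustration (not FreeRDP's code and not its actual fix), the C below shows how the UINT32 subtraction that produces nXSrc wraps when an update rectangle starts left of the tile origin, and a hypothetical bounds check that would reject such a rectangle before freerdp_image_copy is reached. The rect16_t type, check_update_rect and naive_nxsrc are constructed for this example; the sample rectangle values are constructed too.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for FreeRDP's RECTANGLE_16 (same field types). */
typedef struct { uint16_t left, top, right, bottom; } rect16_t;

/* The advisory's nXSrc expression as written: UINT16 left minus a UINT32
 * tile origin, stored as UINT32. When left < origin it wraps to ~4 billion. */
uint32_t naive_nxsrc(uint16_t left, uint32_t nXDst, uint32_t tile_x)
{
    const uint32_t nXSrc = left - (nXDst + tile_x);
    return nXSrc;
}

/* Hypothetical pre-copy check (not FreeRDP's actual fix). tx/ty: tile origin
 * in destination coordinates; tile_w/h: tile size; dst_w/h: surface size.
 * Accepts only rects inside both the tile (source) and the surface (dest). */
bool check_update_rect(const rect16_t* r, uint32_t tx, uint32_t ty,
                       uint32_t tile_w, uint32_t tile_h,
                       uint32_t dst_w, uint32_t dst_h,
                       uint32_t* nXSrc, uint32_t* nYSrc)
{
    if (r->right < r->left || r->bottom < r->top)
        return false; /* inverted rectangle */
    /* Signed 64-bit subtraction cannot wrap, so a negative offset is visible. */
    const int64_t sx = (int64_t)r->left - tx;
    const int64_t sy = (int64_t)r->top - ty;
    if (sx < 0 || sy < 0)
        return false; /* rect starts left of / above the tile */
    const uint32_t w = r->right - r->left;
    const uint32_t h = r->bottom - r->top;
    if ((uint64_t)sx + w > tile_w || (uint64_t)sy + h > tile_h)
        return false; /* source read would run past tile->data */
    if ((uint64_t)r->left + w > dst_w || (uint64_t)r->top + h > dst_h)
        return false; /* destination write would run past pDstData */

    *nXSrc = (uint32_t)sx;
    *nYSrc = (uint32_t)sy;
    return true;
}

int main(void)
{
    uint32_t sx = 0, sy = 0;
    const rect16_t bad = { 60, 64, 124, 128 }; /* constructed: starts 4px left of a tile at x=64 */
    printf("naive nXSrc = 0x%08x\n", naive_nxsrc(bad.left, 64, 0));
    printf("accepted = %d\n", check_update_rect(&bad, 64, 64, 64, 64, 1024, 768, &sx, &sy));
    return 0;
}
```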

PoC

If reproducing the issue is not possible, I would appreciate it if you could send me the packet file you have for analysis.

Impact

Out-Of-Bounds Write

ASan

==23968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f0001e9a8c at pc 0x000107143824 bp 0x00016b299370 sp 0x00016b298b20
WRITE of size 256 at 0x62f0001e9a8c thread T4
    #0 0x107143820 in __asan_memcpy+0x428 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f820) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x1060f9c2c in freerdp_image_copy+0x1118 (libfreerdp3.3.0.0.dylib:arm64+0xa9c2c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #2 0x1060c178c in progressive_decompress+0x1140 (libfreerdp3.3.0.0.dylib:arm64+0x7178c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #3 0x1061b2d24 in gdi_SurfaceCommand_Progressive+0x814 (libfreerdp3.3.0.0.dylib:arm64+0x162d24) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #4 0x1061a64e0 in gdi_SurfaceCommand+0x5e8 (libfreerdp3.3.0.0.dylib:arm64+0x1564e0) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #5 0x105382118 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa118) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #6 0x10536bafc in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x93afc) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #7 0x1053690e4 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x910e4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #8 0x105367fd4 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #9 0x1052eb42c in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x1342c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #10 0x1052eb21c in dvcman_receive_channel_data+0x3c4 (libfreerdp-client3.3.0.0.dylib:arm64+0x1321c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #11 0x1052e7c80 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc80) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #12 0x1052e5ef4 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #13 0x1052e5938 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd938) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #14 0x1052e4620 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc620) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #15 0x1062a61d8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2561d8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #16 0x106357ba4 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x307ba4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #17 0x106307c8c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b7c8c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #18 0x106306a4c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b6a4c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #19 0x1063022b4 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b22b4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #20 0x106300ddc in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b0ddc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #21 0x1063275c8 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d75c8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #22 0x106302bbc in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b2bbc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #23 0x10629d994 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24d994) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #24 0x10629e064 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24e064) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #25 0x104ef3130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #26 0x106bbd4ac in thread_launcher thread.c:520
    #27 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #28 0x60308001a20c6d9c  (<unknown module>)

0x62f0001e9a8c is located 1636 bytes after 53288-byte region [0x62f0001dc400,0x62f0001e9428)
allocated by thread T4 here:
    #0 0x1071455b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x106c1cf18 in winpr_aligned_offset_malloc alignment.c:114
    #2 0x106c1cdf0 in winpr_aligned_malloc alignment.c:60
    #3 0x1061a7038 in gdi_CreateSurface+0x82c (libfreerdp3.3.0.0.dylib:arm64+0x157038) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #4 0x10537215c in rdpgfx_recv_create_surface_pdu+0xab0 (libfreerdp-client3.3.0.0.dylib:arm64+0x9a15c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #5 0x105369744 in rdpgfx_recv_pdu+0xc34 (libfreerdp-client3.3.0.0.dylib:arm64+0x91744) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #6 0x105367fd4 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #7 0x1052eb42c in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x1342c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #8 0x1052eb298 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13298) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #9 0x1052e7c80 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc80) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #10 0x1052e5ef4 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #11 0x1052e5938 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd938) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #12 0x1052e4620 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc620) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
    #13 0x1062a61d8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2561d8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #14 0x106357ba4 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x307ba4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #15 0x106307c8c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b7c8c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #16 0x106306a4c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b6a4c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #17 0x1063022b4 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b22b4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #18 0x106300ddc in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b0ddc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #19 0x1063275c8 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d75c8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #20 0x106302bbc in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b2bbc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #21 0x10629d994 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24d994) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #22 0x10629e064 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24e064) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
    #23 0x104ef3130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #24 0x106bbd4ac in thread_launcher thread.c:520
    #25 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #26 0x60308001a20c6d9c  (<unknown module>)

Thread T4 created by T0 here:
    #0 0x10713e91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x106bba52c in winpr_StartThread thread.c:568
    #2 0x106bb9c00 in CreateThread thread.c:650
    #3 0x104ef2894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #4 0x104ef1ce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #5 0x104ee5bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #6 0x104e2278c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
    #7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f820) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00) in __asan_memcpy+0x428

Severity

Moderate

CVE ID

CVE-2023-40569

Weaknesses

No CWEs

Credits