Summary
Out-Of-Bounds Write in progressive_decompress
Affected
FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).
Details
FreeRDP/libfreerdp/codec/progressive.c, lines 2598 to 2616 in 5be5553:

```c
for (UINT32 j = 0; j < nbUpdateRects; j++)
{
	const RECTANGLE_16* rect = &updateRects[j];
	const UINT32 nXSrc = rect->left - (nXDst + tile->x);
	const UINT32 nYSrc = rect->top - (nYDst + tile->y);
	const UINT32 width = rect->right - rect->left;
	const UINT32 height = rect->bottom - rect->top;

	if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, rect->left, rect->top, width,
	                        height, tile->data, progressive->format, tile->stride, nXSrc,
	                        nYSrc, NULL, FREERDP_KEEP_DST_ALPHA))
	{
		rc = -42;
		break;
	}

	if (invalidRegion)
		region16_union_rect(invalidRegion, invalidRegion, rect);
}
```
I might not have the exact cause, but it seems like the issue could be related to incorrect calculations of nXSrc and nYSrc, or possibly due to inadequate offset verification.
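The kind of offset verification the report asks for, as an added example that is not FreeRDP's code: a helper that rejects an update rectangle unless it lies inside both the source tile and the destination surface, doing every ordering check before the subtraction that could wrap. The RECT16, DstSurface and Tile types, the function name and the sample dimensions are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the FreeRDP types in the snippet above (not the
 * project's own definitions). */
typedef struct { uint16_t left, top, right, bottom; } RECT16;
typedef struct { uint32_t width, height, stride, bpp; } DstSurface; /* pixels, row bytes, bytes/pixel */
typedef struct { uint32_t x, y, width, height; } Tile;              /* tile origin and size */

/* True only if the update rect lies inside both the source tile and the
 * destination surface. Ordering checks come before every subtraction so
 * that nXSrc/nYSrc cannot wrap around as unsigned values. */
bool rect_copy_is_in_bounds(const RECT16* r, const DstSurface* dst,
                            const Tile* tile, uint32_t nXDst, uint32_t nYDst)
{
	if (r->right <= r->left || r->bottom <= r->top)
		return false; /* empty or inverted rectangle */
	const uint32_t tileLeft = nXDst + tile->x; /* tile origin on the surface (caller keeps this from wrapping) */
	const uint32_t tileTop = nYDst + tile->y;
	if (r->left < tileLeft || r->top < tileTop)
		return false; /* rect starts before the tile: nXSrc/nYSrc would wrap */
	const uint32_t nXSrc = r->left - tileLeft, nYSrc = r->top - tileTop;
	const uint32_t width = r->right - r->left, height = r->bottom - r->top;
	if (nXSrc + width > tile->width || nYSrc + height > tile->height)
		return false; /* source read would run past the tile */
	if (r->right > dst->width || r->bottom > dst->height)
		return false; /* destination write would run past the surface */
	/* The last written byte must also fit the allocation (height * stride). */
	const uint64_t lastByte = (uint64_t)(r->bottom - 1) * dst->stride + (uint64_t)r->right * dst->bpp;
	return lastByte <= (uint64_t)dst->height * dst->stride;
}

/* Constructed example: a 64x64 tile on a 100x100 surface with 4 bytes per pixel. */
int main(void)
{
	const DstSurface dst = { 100, 100, 400, 4 };
	const Tile tile = { 0, 0, 64, 64 };
	const RECT16 ok = { 0, 0, 64, 64 };      /* exactly the tile at (0,0): accepted */
	const RECT16 tall = { 0, 60, 64, 124 };  /* tile placed at y=60, bottom past the surface: rejected */
	const RECT16 before = { 0, 0, 10, 10 };  /* tile placed at (20,20), rect starts before it: rejected */
	printf("%d %d %d\n", rect_copy_is_in_bounds(&ok, &dst, &tile, 0, 0),
	       rect_copy_is_in_bounds(&tall, &dst, &tile, 0, 60),
	       rect_copy_is_in_bounds(&before, &dst, &tile, 20, 20));
	return 0;
}
```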
PoC
If reproducing the issue is not possible, I would appreciate it if you could send me the packet file you have for analysis.
Impact
Out-Of-Bounds Write
Asan
==23968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f0001e9a8c at pc 0x000107143824 bp 0x00016b299370 sp 0x00016b298b20
WRITE of size 256 at 0x62f0001e9a8c thread T4
#0 0x107143820 in __asan_memcpy+0x428 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f820) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x1060f9c2c in freerdp_image_copy+0x1118 (libfreerdp3.3.0.0.dylib:arm64+0xa9c2c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#2 0x1060c178c in progressive_decompress+0x1140 (libfreerdp3.3.0.0.dylib:arm64+0x7178c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#3 0x1061b2d24 in gdi_SurfaceCommand_Progressive+0x814 (libfreerdp3.3.0.0.dylib:arm64+0x162d24) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#4 0x1061a64e0 in gdi_SurfaceCommand+0x5e8 (libfreerdp3.3.0.0.dylib:arm64+0x1564e0) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#5 0x105382118 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa118) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#6 0x10536bafc in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x93afc) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#7 0x1053690e4 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x910e4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#8 0x105367fd4 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#9 0x1052eb42c in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x1342c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#10 0x1052eb21c in dvcman_receive_channel_data+0x3c4 (libfreerdp-client3.3.0.0.dylib:arm64+0x1321c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#11 0x1052e7c80 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc80) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#12 0x1052e5ef4 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#13 0x1052e5938 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd938) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#14 0x1052e4620 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc620) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#15 0x1062a61d8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2561d8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#16 0x106357ba4 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x307ba4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#17 0x106307c8c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b7c8c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#18 0x106306a4c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b6a4c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#19 0x1063022b4 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b22b4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#20 0x106300ddc in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b0ddc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#21 0x1063275c8 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d75c8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#22 0x106302bbc in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b2bbc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#23 0x10629d994 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24d994) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#24 0x10629e064 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24e064) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#25 0x104ef3130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#26 0x106bbd4ac in thread_launcher thread.c:520
#27 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#28 0x60308001a20c6d9c (<unknown module>)
0x62f0001e9a8c is located 1636 bytes after 53288-byte region [0x62f0001dc400,0x62f0001e9428)
allocated by thread T4 here:
#0 0x1071455b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x106c1cf18 in winpr_aligned_offset_malloc alignment.c:114
#2 0x106c1cdf0 in winpr_aligned_malloc alignment.c:60
#3 0x1061a7038 in gdi_CreateSurface+0x82c (libfreerdp3.3.0.0.dylib:arm64+0x157038) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#4 0x10537215c in rdpgfx_recv_create_surface_pdu+0xab0 (libfreerdp-client3.3.0.0.dylib:arm64+0x9a15c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#5 0x105369744 in rdpgfx_recv_pdu+0xc34 (libfreerdp-client3.3.0.0.dylib:arm64+0x91744) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#6 0x105367fd4 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#7 0x1052eb42c in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x1342c) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#8 0x1052eb298 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13298) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#9 0x1052e7c80 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc80) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#10 0x1052e5ef4 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef4) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#11 0x1052e5938 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd938) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#12 0x1052e4620 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc620) (BuildId: 01e7ea402380302eb65a4eb7f943e6a932000000200000000100000000000d00)
#13 0x1062a61d8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2561d8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#14 0x106357ba4 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x307ba4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#15 0x106307c8c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b7c8c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#16 0x106306a4c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b6a4c) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#17 0x1063022b4 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b22b4) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#18 0x106300ddc in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b0ddc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#19 0x1063275c8 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d75c8) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#20 0x106302bbc in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b2bbc) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#21 0x10629d994 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24d994) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#22 0x10629e064 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24e064) (BuildId: 26826ab759723e80974dd7bde9e5644332000000200000000100000000000d00)
#23 0x104ef3130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#24 0x106bbd4ac in thread_launcher thread.c:520
#25 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#26 0x60308001a20c6d9c (<unknown module>)
Thread T4 created by T0 here:
#0 0x10713e91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x106bba52c in winpr_StartThread thread.c:568
#2 0x106bb9c00 in CreateThread thread.c:650
#3 0x104ef2894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#4 0x104ef1ce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#5 0x104ee5bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#6 0x104e2278c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
#7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0x8b7e8001a223aee8 (<unknown module>)
#9 0x701f0001a223ae30 (<unknown module>)
#10 0x181c8001a21704c8 (<unknown module>)
#11 0x23f8001a30ce8f0 (<unknown module>)
#12 0xe06d0001a53d1154 (<unknown module>)
#13 0x3c508001a53d0f04 (<unknown module>)
#14 0x7a538001a53cefa0 (<unknown module>)
#15 0x6f780001a53ceb9c (<unknown module>)
#16 0xa4110001a30f8b60 (<unknown module>)
#17 0xc43b0001a30f89c0 (<unknown module>)
#18 0x3b1d0001a84d1514 (<unknown module>)
#19 0x46200001a84d0e40 (<unknown module>)
#20 0x23180001a84c9f14 (<unknown module>)
#21 0x995e0001aba02b40 (<unknown module>)
#22 0x70030001a53ca044 (<unknown module>)
#23 0x7e0a0001a53c8edc (<unknown module>)
#24 0x793d0001a53bd340 (<unknown module>)
#25 0x5c3a8001a5394790 (<unknown module>)
#26 0x2d09000104e22020 (<unknown module>)
#27 0x1a1d73f24 (<unknown module>)
#28 0xaf17fffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f820) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00) in __asan_memcpy+0x428
Shadow bytes around the buggy address:
0x62f0001e9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x62f0001e9a80: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62f0001e9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb