Summary
Out-Of-Bounds Read in nsc_rle_decompress_data
Affected
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
Details
|
static BOOL nsc_stream_initialize(NSC_CONTEXT* context, wStream* s) |
|
{ |
|
int i; |
|
|
|
if (!Stream_CheckAndLogRequiredLength(TAG, s, 20)) |
|
return FALSE; |
|
|
|
for (i = 0; i < 4; i++) |
|
Stream_Read_UINT32(s, context->PlaneByteCount[i]); |
|
|
|
Stream_Read_UINT8(s, context->ColorLossLevel); /* ColorLossLevel (1 byte) */ |
|
Stream_Read_UINT8(s, context->ChromaSubsamplingLevel); /* ChromaSubsamplingLevel (1 byte) */ |
|
Stream_Seek(s, 2); /* Reserved (2 bytes) */ |
|
context->Planes = Stream_Pointer(s); |
|
return TRUE; |
|
} |
context->Planes is assigned in the
nsc_stream_initialize function.
|
static BOOL nsc_rle_decompress_data(NSC_CONTEXT* context) |
|
{ |
|
UINT16 i; |
|
BYTE* rle; |
|
UINT32 planeSize; |
|
UINT32 originalSize; |
|
|
|
if (!context) |
|
return FALSE; |
|
|
|
rle = context->Planes; |
|
|
|
for (i = 0; i < 4; i++) |
|
{ |
|
originalSize = context->OrgByteCount[i]; |
|
planeSize = context->PlaneByteCount[i]; |
|
|
|
if (planeSize == 0) |
|
{ |
|
if (context->priv->PlaneBuffersLength < originalSize) |
|
return FALSE; |
|
|
|
FillMemory(context->priv->PlaneBuffers[i], originalSize, 0xFF); |
|
} |
|
else if (planeSize < originalSize) |
|
{ |
|
if (!nsc_rle_decode(rle, context->priv->PlaneBuffers[i], |
|
context->priv->PlaneBuffersLength, originalSize)) |
|
return FALSE; |
|
} |
|
else |
|
{ |
|
if (context->priv->PlaneBuffersLength < originalSize) |
|
return FALSE; |
|
|
|
CopyMemory(context->priv->PlaneBuffers[i], rle, originalSize); |
|
} |
|
|
|
rle += planeSize; |
|
} |
|
|
|
return TRUE; |
|
} |
In the
nsc_rle_decompress_data function, Out-Of-Bounds Read occurs because it processes
context->Planes without checking if it contains data of sufficient length.
PoC
Insufficient data for context->Planes may cause errors or crashes.
Impact
Out-Of-Bounds Read
Asan
==18171==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000080e3a at pc 0x000102ccb778 bp 0x00016f6f5320 sp 0x00016f6f4ad0
READ of size 20 at 0x616000080e3a thread T5
#0 0x102ccb774 in __asan_memcpy+0x37c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101c03914 in nsc_rle_decompress_data+0x3bc (libfreerdp3.3.0.0.dylib:arm64+0x1b914) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#2 0x101c02b60 in nsc_process_message+0x3f8 (libfreerdp3.3.0.0.dylib:arm64+0x1ab60) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#3 0x101c3f3e8 in clear_decompress_nscodec+0xf0 (libfreerdp3.3.0.0.dylib:arm64+0x573e8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#4 0x101c3dee8 in clear_decompress_subcodecs_data+0x1008 (libfreerdp3.3.0.0.dylib:arm64+0x55ee8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#5 0x101c3851c in clear_decompress+0x11a0 (libfreerdp3.3.0.0.dylib:arm64+0x5051c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#6 0x101d44ba0 in gdi_SurfaceCommand_ClearCodec+0x6fc (libfreerdp3.3.0.0.dylib:arm64+0x15cba0) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#7 0x101d3bf20 in gdi_SurfaceCommand+0x564 (libfreerdp3.3.0.0.dylib:arm64+0x153f20) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#8 0x100f26118 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa118) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#9 0x100f0fafc in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x93afc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#10 0x100f0d0e4 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x910e4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#11 0x100f0bfd4 in rdpgfx_on_data_received+0x448 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#12 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#13 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#14 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#15 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#16 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#17 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#18 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#19 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#20 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#21 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#22 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#23 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#24 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#25 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#26 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#27 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#28 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#29 0x102745320 in thread_launcher thread.c:520
#30 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#31 0x2a5800019240ed9c (<unknown module>)
0x616000080e3a is located 2708 bytes after 550-byte region [0x616000080180,0x6160000803a6)
allocated by thread T5 here:
#0 0x102ccd5b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101c0d188 in aligned_zgfx_malloc+0x18 (libfreerdp3.3.0.0.dylib:arm64+0x25188) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#2 0x101c0ad88 in zgfx_decompress+0x4ac (libfreerdp3.3.0.0.dylib:arm64+0x22d88) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#3 0x100f0bdbc in rdpgfx_on_data_received+0x230 (libfreerdp-client3.3.0.0.dylib:arm64+0x8fdbc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#4 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#5 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#6 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#7 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#8 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#9 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
#10 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#11 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#12 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#13 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#14 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#15 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#16 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#17 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#18 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#19 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
#20 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#21 0x102745320 in thread_launcher thread.c:520
#22 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#23 0x2a5800019240ed9c (<unknown module>)
Thread T5 created by T0 here:
#0 0x102cc691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x1027423a0 in winpr_StartThread thread.c:568
#2 0x102741a74 in CreateThread thread.c:650
#3 0x100a96894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#4 0x100a95ce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#5 0x100a89bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#6 0x1009c678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
#7 0x1924e717c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0x8253800192582ee8 (<unknown module>)
#9 0x640000192582e30 (<unknown module>)
#10 0x13e0001924b84c8 (<unknown module>)
#11 0xb048001934168f0 (<unknown module>)
#12 0xcc04800195719154 (<unknown module>)
#13 0x140f000195718f04 (<unknown module>)
#14 0x655f800195716fa0 (<unknown module>)
#15 0xdd07000195716b9c (<unknown module>)
#16 0x8c5c800193440b60 (<unknown module>)
#17 0xbd580001934409c0 (<unknown module>)
#18 0x5e2f800198819514 (<unknown module>)
#19 0x731e800198818e40 (<unknown module>)
#20 0x2d61000198811f14 (<unknown module>)
#21 0xa41d00019bd4ab40 (<unknown module>)
#22 0x4a66800195712044 (<unknown module>)
#23 0xc87e800195710edc (<unknown module>)
#24 0x6e57000195705340 (<unknown module>)
#25 0xab4f8001956dc790 (<unknown module>)
#26 0xc06a0001009c6020 (<unknown module>)
#27 0x1920bbf24 (<unknown module>)
#28 0xe81f7ffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00) in __asan_memcpy+0x37c
Shadow bytes around the buggy address:
0x616000080b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x616000080e00: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x616000080e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000080f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000081000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x616000081080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18171==ABORTING
[16:29:49:388] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0 libwinpr3.3.0.0.dylib 0x00000001026a3558 winpr_execinfo_backtrace + 336
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1 libwinpr3.3.0.0.dylib 0x000000010269d090 winpr_backtrace + 24
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2 libwinpr3.3.0.0.dylib 0x000000010269d3ec winpr_log_backtrace_ex + 304
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3 libwinpr3.3.0.0.dylib 0x000000010269d2b0 winpr_log_backtrace + 44
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4 libfreerdp3.3.0.0.dylib 0x0000000101ca42c8 fatal_handler + 460
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5 libsystem_platform.dylib 0x0000000192442a24 _sigtramp + 56
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6 libsystem_pthread.dylib 0x0000000192413c28 pthread_kill + 288
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7 libsystem_c.dylib 0x0000000192321ae8 abort + 180
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8 libclang_rt.asan_osx_dynamic.dylib 0x0000000102cf09b8 _ZN11__sanitizer6AtexitEPFvvE + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9 libclang_rt.asan_osx_dynamic.dylib 0x0000000102cf0124 _ZN11__sanitizer22SetCheckUnwindCallbackEPFvvE + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10 libclang_rt.asan_osx_dynamic.dylib 0x0000000102cd5658 _ZN6__asan16ErrorDescription5PrintEv + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11 libclang_rt.asan_osx_dynamic.dylib 0x0000000102cd499c _ZN6__asan18ReportGenericErrorEmmmmbmjb + 1452
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12 libclang_rt.asan_osx_dynamic.dylib 0x0000000102ccb798 __asan_memcpy + 928
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13 libfreerdp3.3.0.0.dylib 0x0000000101c03918 nsc_rle_decompress_data + 960
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14 libfreerdp3.3.0.0.dylib 0x0000000101c02b64 nsc_process_message + 1020
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15 libfreerdp3.3.0.0.dylib 0x0000000101c3f3ec clear_decompress_nscodec + 244
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16 libfreerdp3.3.0.0.dylib 0x0000000101c3deec clear_decompress_subcodecs_data + 4108
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17 libfreerdp3.3.0.0.dylib 0x0000000101c38520 clear_decompress + 4516
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18 libfreerdp3.3.0.0.dylib 0x0000000101d44ba4 gdi_SurfaceCommand_ClearCodec + 1792
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19 libfreerdp3.3.0.0.dylib 0x0000000101d3bf24 gdi_SurfaceCommand + 1384
pwn2carr Reporter
Summary
Out-Of-Bounds Read in
nsc_rle_decompress_dataAffected
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
Details
FreeRDP/libfreerdp/codec/nsc.c
Lines 221 to 236 in 63a2f65
context->Planesis assigned in thensc_stream_initializefunction.FreeRDP/libfreerdp/codec/nsc.c
Lines 177 to 219 in 63a2f65
In the
nsc_rle_decompress_datafunction, Out-Of-Bounds Read occurs because it processescontext->Planeswithout checking if it contains data of sufficient length.PoC
Insufficient data for
context->Planesmay cause errors or crashes.Impact
Out-Of-Bounds Read
Asan