Summary
Use-After-Free in RDPGFX_CMDID_RESETGRAPHICS
Affected
FreeRDP-based clients only. The FreeRDP proxy is not affected, since it does not decode image data itself (data passthrough).
Details
The affected function is freerdp_bitmap_planar_context_reset() in FreeRDP/libfreerdp/codec/planar.c (lines 1648 to 1663 at commit 63a2f65):

```c
BOOL freerdp_bitmap_planar_context_reset(BITMAP_PLANAR_CONTEXT* context, UINT32 width,
                                         UINT32 height)
{
	if (!context)
		return FALSE;

	context->bgr = FALSE;
	context->maxWidth = PLANAR_ALIGN(width, 4);
	context->maxHeight = PLANAR_ALIGN(height, 4);
	context->maxPlaneSize = context->maxWidth * context->maxHeight; /* 0 when width or height is 0 */
	context->nTempStep = context->maxWidth * 4;

	/* A zero-sized request frees the old planesBuffer and returns NULL */
	void* tmp = winpr_aligned_recalloc(context->planesBuffer, context->maxPlaneSize, 4, 32);
	if (!tmp)
		return FALSE; /* early return: context->planesBuffer still points at the freed block */
	context->planesBuffer = tmp;
```

If width or height is 0, context->maxPlaneSize is 0 and winpr_aligned_recalloc() is asked for a zero-sized block: it frees context->planesBuffer and returns NULL. The function then returns FALSE on the NULL check without updating context->planesBuffer, so the context keeps a dangling pointer to the freed block. The next reset hands that stale pointer back to the allocator, and any other use of planesBuffer reads or writes freed memory: a use-after-free (UAF).
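The following is an added example, not FreeRDP or WinPR code, that reproduces the control-flow defect in a self-contained model and places a hardened reset beside it. The context struct, the allocator model (model_recalloc, which assumes the zero-size-frees-and-returns-NULL behaviour the advisory describes), and the helper names are all hypothetical; the hardened variant is one possible fix, not necessarily the one upstream applied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeRDP code: a stand-in for BITMAP_PLANAR_CONTEXT with
 * only the fields the reset path touches. */
typedef struct {
	uint32_t maxWidth, maxHeight, maxPlaneSize, nTempStep;
	void* planesBuffer;
} planar_ctx_t;

#define PLANAR_ALIGN(v, a) (((v) + (a)-1) & ~((a)-1))

/* Count of blocks the model allocator released, so a caller can observe a
 * free without reading freed memory. */
static int g_frees = 0;

/* Model (an assumption, not WinPR's code) of the winpr_aligned_recalloc()
 * behaviour the advisory relies on: a zero-sized request frees the old block
 * and returns NULL; otherwise the block is resized and zeroed, and on failure
 * the old block stays valid, as with realloc(). */
static void* model_recalloc(void* old, size_t num, size_t size)
{
	size_t total = num * size;
	if (total == 0) {
		free(old);
		g_frees++;
		return NULL;
	}
	void* p = realloc(old, total);
	if (p)
		memset(p, 0, total);
	return p;
}

/* Same control flow as the vulnerable reset: with width or height 0 the
 * allocator frees planesBuffer, the NULL check returns early, and the stale
 * pointer stays in the context for the next reset to hand back to the allocator. */
static bool reset_vulnerable(planar_ctx_t* c, uint32_t w, uint32_t h)
{
	c->maxWidth = PLANAR_ALIGN(w, 4);
	c->maxHeight = PLANAR_ALIGN(h, 4);
	c->maxPlaneSize = c->maxWidth * c->maxHeight;
	c->nTempStep = c->maxWidth * 4;
	void* tmp = model_recalloc(c->planesBuffer, c->maxPlaneSize, 4);
	if (!tmp)
		return false; /* BUG: c->planesBuffer now dangles */
	c->planesBuffer = tmp;
	return true;
}

/* One hardened shape (not necessarily the upstream fix): reject a zero-area
 * surface, and dimensions whose aligned product would wrap, before the
 * allocator is involved. A failed reset then leaves the old buffer valid and
 * still owned by the context; a successful one always stores the new pointer. */
static bool reset_hardened(planar_ctx_t* c, uint32_t w, uint32_t h)
{
	if (w == 0 || h == 0)
		return false;
	uint32_t mw = PLANAR_ALIGN(w, 4), mh = PLANAR_ALIGN(h, 4);
	if (mw == 0 || mh == 0 || mw > UINT32_MAX / mh) /* PLANAR_ALIGN wraps near UINT32_MAX */
		return false;
	void* tmp = model_recalloc(c->planesBuffer, (size_t)mw * mh, 4);
	if (!tmp)
		return false; /* non-zero request failed: old block untouched */
	c->maxWidth = mw;
	c->maxHeight = mh;
	c->maxPlaneSize = mw * mh;
	c->nTempStep = mw * 4;
	c->planesBuffer = tmp;
	return true;
}

/* Runs the PoC sequence (a normal reset, then one with height == 0) against a
 * reset implementation and reports whether the context ends up holding a
 * pointer the allocator already released. */
static bool leaves_dangling_pointer(bool (*reset)(planar_ctx_t*, uint32_t, uint32_t))
{
	planar_ctx_t c = { 0 };
	g_frees = 0;
	if (!reset(&c, 1024, 768))
		return false;
	bool ok = reset(&c, 1024, 0);
	bool dangling = !ok && g_frees == 1 && c.planesBuffer != NULL;
	if (!dangling)
		free(c.planesBuffer); /* still a live allocation, safe to release */
	return dangling;
}

int main(void)
{
	printf("vulnerable reset leaves dangling planesBuffer: %s\n",
	       leaves_dangling_pointer(reset_vulnerable) ? "yes" : "no");
	printf("hardened reset leaves dangling planesBuffer:   %s\n",
	       leaves_dangling_pointer(reset_hardened) ? "yes" : "no");
	return 0;
}
```

The model deliberately never dereferences the stale pointer; it only records that the allocator released the block and that the context still holds a non-NULL reference, which is the state the second RESETGRAPHICS packet in the PoC turns into a crash. Running the same harness against the hardened variant shows the failed reset leaving the previous buffer intact and owned.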
PoC
- Send an RDPGFX_CMDID_RESETGRAPHICS packet with height == 0 or width == 0
- Send an RDPGFX_CMDID_RESETGRAPHICS packet again; the client crashes
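To make the PoC packet concrete, here is an added example (not FreeRDP code and not the reporter's PoC) that encodes an RDPGFX_CMDID_RESETGRAPHICS PDU with the wire layout assumed from MS-RDPEGFX, and a receiving-side parser that refuses a zero width or height before any codec context would be reset. All helper names are hypothetical, and the parser-level check is one defensive option, not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRDP code. Layout assumed from MS-RDPEGFX: an 8-byte
 * RDPGFX_HEADER (cmdId u16, flags u16, pduLength u32, little-endian), then
 * width u32, height u32, monitorCount u32, monitorCount RDPGFX_MONITOR_DEF
 * entries of 20 bytes, and zero padding so the whole PDU is 340 bytes. */
#define RDPGFX_CMDID_RESETGRAPHICS 0x000E
#define RDPGFX_HEADER_SIZE 8
#define RESET_GRAPHICS_PDU_SIZE 340
#define MONITOR_DEF_SIZE 20
#define MAX_MONITORS 16 /* assumed upper bound on monitorCount */

static void put_u16(uint8_t* p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_u32(uint8_t* p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (v >> (8 * i)) & 0xff;
}
static uint16_t get_u16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t* p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Builds a constructed RESETGRAPHICS PDU with one primary monitor covering the
 * surface. width and height are written verbatim so the PoC values (0) can be
 * produced. Returns the PDU length. */
static size_t build_reset_graphics_pdu(uint8_t out[RESET_GRAPHICS_PDU_SIZE], uint32_t width, uint32_t height)
{
	memset(out, 0, RESET_GRAPHICS_PDU_SIZE);
	put_u16(out + 0, RDPGFX_CMDID_RESETGRAPHICS);
	put_u16(out + 2, 0);                       /* flags */
	put_u32(out + 4, RESET_GRAPHICS_PDU_SIZE); /* pduLength */
	put_u32(out + 8, width);
	put_u32(out + 12, height);
	put_u32(out + 16, 1);                      /* monitorCount */
	uint8_t* mon = out + 20;                   /* RDPGFX_MONITOR_DEF: left, top, right, bottom, flags */
	put_u32(mon + 8, width ? width - 1 : 0);
	put_u32(mon + 12, height ? height - 1 : 0);
	put_u32(mon + 16, 1);                      /* MONITOR_PRIMARY */
	return RESET_GRAPHICS_PDU_SIZE;
}

typedef enum {
	RESET_OK,
	RESET_BAD_HEADER,
	RESET_BAD_LENGTH,
	RESET_TOO_MANY_MONITORS,
	RESET_ZERO_AREA
} reset_status_t;

/* Parses a RESETGRAPHICS PDU and adds the check the vulnerable path lacks: a
 * zero width or height is refused before any codec context would be reset. */
static reset_status_t parse_reset_graphics_pdu(const uint8_t* buf, size_t len,
                                               uint32_t* width, uint32_t* height, uint32_t* monitors)
{
	if (len != RESET_GRAPHICS_PDU_SIZE)
		return RESET_BAD_LENGTH;
	if (get_u16(buf) != RDPGFX_CMDID_RESETGRAPHICS || get_u32(buf + 4) != len)
		return RESET_BAD_HEADER;
	uint32_t w = get_u32(buf + 8), h = get_u32(buf + 12), n = get_u32(buf + 16);
	if (n > MAX_MONITORS)
		return RESET_TOO_MANY_MONITORS;
	if (RDPGFX_HEADER_SIZE + 12 + (size_t)n * MONITOR_DEF_SIZE > len)
		return RESET_BAD_LENGTH;
	if (w == 0 || h == 0)
		return RESET_ZERO_AREA; /* the PoC packet stops here */
	*width = w;
	*height = h;
	*monitors = n;
	return RESET_OK;
}

/* Encodes a PDU for the given surface and runs it through the parser. */
static reset_status_t classify_reset(uint32_t width, uint32_t height)
{
	uint8_t pdu[RESET_GRAPHICS_PDU_SIZE];
	uint32_t w = 0, h = 0, n = 0;
	size_t len = build_reset_graphics_pdu(pdu, width, height);
	return parse_reset_graphics_pdu(pdu, len, &w, &h, &n);
}

int main(void)
{
	printf("1024x768 -> %d\n", classify_reset(1024, 768)); /* RESET_OK */
	printf("1024x0   -> %d\n", classify_reset(1024, 0));   /* RESET_ZERO_AREA */
	printf("0x768    -> %d\n", classify_reset(0, 768));    /* RESET_ZERO_AREA */
	return 0;
}
```

Rejecting the zero-area surface at the PDU boundary keeps a malicious server from ever reaching the codec reset with width == 0 or height == 0; the codec-level fix (never keeping a pointer the allocator may have released) is still needed, since the same reset function can be reached through other callers.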
Impact
Use-after-free in the client's planar codec context, triggerable by a malicious or compromised server, leading to a crash or other undefined behaviour.
Affected code: FreeRDP/libfreerdp/codec/planar.c, lines 1648 to 1663 in 63a2f65