CVE-2023-40574: Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the writePixelBGRX function. This issue is likely down to incorrect calculations of the nHeight and srcStep variables. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.


Affected versions

>= 3.0.0-beta1, <= 3.0.0beta2

Patched versions

3.0.0-beta3

Summary

Out-Of-Bounds Write in writePixelBGRX

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).

Details

    static pstatus_t general_YUV444ToRGB_8u_P3AC4R_BGRX(const BYTE* const pSrc[3],
                                                        const UINT32 srcStep[3], BYTE* pDst,
                                                        UINT32 dstStep, UINT32 DstFormat,
                                                        const prim_size_t* roi)
    {
        UINT32 x, y;
        UINT32 nWidth, nHeight;
        const DWORD formatSize = FreeRDPGetBytesPerPixel(DstFormat);
        nWidth = roi->width;
        nHeight = roi->height;

        for (y = 0; y < nHeight; y++)
        {
            const BYTE* pY = pSrc[0] + y * srcStep[0];
            const BYTE* pU = pSrc[1] + y * srcStep[1];
            const BYTE* pV = pSrc[2] + y * srcStep[2];
            BYTE* pRGB = pDst + y * dstStep;

            for (x = 0; x < nWidth; x++)
            {
                const BYTE Y = pY[x];
                const BYTE U = pU[x];
                const BYTE V = pV[x];
                const BYTE r = YUV2R(Y, U, V);
                const BYTE g = YUV2G(Y, U, V);
                const BYTE b = YUV2B(Y, U, V);
                pRGB = writePixelBGRX(pRGB, formatSize, DstFormat, r, g, b, 0);
            }
        }

        return PRIMITIVES_SUCCESS;
    }

I might not have the exact cause, but it seems like the issue could be related to incorrect calculations of nHeight or srcStep, or possibly due to inadequate offset verification.
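An added example, not FreeRDP's code or its patch: a pre-check of the kind the "inadequate offset verification" hypothesis points at, computing every row offset the loop above would form in 64-bit arithmetic before any pixel is written. The types `roi_t` and `plane_t`, the explicit buffer sizes, the function names and the sample buffers are assumptions for illustration, and the colour math is replaced by a byte copy.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for FreeRDP's prim_size_t and plane arguments (hypothetical names). */
typedef struct { uint32_t width, height; } roi_t;
typedef struct { const uint8_t* data; size_t size; uint32_t step; } plane_t;

/* 1 if `height` rows of `rowBytes` bytes, `step` bytes apart, fit in `size` bytes.
 * Uses 64-bit math so (height - 1) * step cannot wrap as UINT32 arithmetic can. */
static int rows_fit(uint64_t size, uint64_t step, uint64_t rowBytes, uint64_t height)
{
    if (height == 0 || rowBytes == 0)
        return 1; /* the loops would not touch memory */
    if (rowBytes > step)
        return 0; /* a row would spill into the next one */
    return (height - 1) * step + rowBytes <= size;
}

/* Validate every offset the conversion loop will compute before running it. */
int yuv444_roi_is_safe(const plane_t src[3], const uint8_t* dst, size_t dstSize,
                       uint32_t dstStep, uint32_t bytesPerPixel, const roi_t* roi)
{
    if (!src || !dst || !roi || bytesPerPixel == 0)
        return 0;
    for (int i = 0; i < 3; i++)
        if (!src[i].data || !rows_fit(src[i].size, src[i].step, roi->width, roi->height))
            return 0;
    return rows_fit(dstSize, dstStep, (uint64_t)roi->width * bytesPerPixel, roi->height);
}

/* Same loop shape as the function above, entered only after the check passes.
 * Colour conversion is replaced by a plain Y/U/V byte copy (constructed
 * simplification); byte 3 is the unused X channel. Returns 0 on success. */
int yuv444_to_bgrx_checked(const plane_t src[3], uint8_t* dst, size_t dstSize,
                           uint32_t dstStep, const roi_t* roi)
{
    if (!yuv444_roi_is_safe(src, dst, dstSize, dstStep, 4, roi))
        return -1;
    for (uint32_t y = 0; y < roi->height; y++)
    {
        uint8_t* out = dst + (size_t)y * dstStep;
        for (uint32_t x = 0; x < roi->width; x++, out += 4)
        {
            out[0] = src[2].data[(size_t)y * src[2].step + x];
            out[1] = src[1].data[(size_t)y * src[1].step + x];
            out[2] = src[0].data[(size_t)y * src[0].step + x];
            out[3] = 0;
        }
    }
    return 0;
}

/* Constructed sample: three 8x8 planes (step 8) and an 8x8 BGRX surface (256 bytes). */
int demo(uint32_t width, uint32_t height, uint32_t dstStep)
{
    static uint8_t y[64], u[64], v[64], surface[256];
    const plane_t src[3] = { { y, sizeof(y), 8 }, { u, sizeof(u), 8 }, { v, sizeof(v), 8 } };
    const roi_t roi = { width, height };
    return yuv444_to_bgrx_checked(src, surface, sizeof(surface), dstStep, &roi);
}

int main(void) { return demo(8, 8, 32); }
```

A size check like this covers miscalculated dimensions and strides only. The ASan report on this page classifies the write as a heap-use-after-free on a region freed in `gdi_DeleteSurface`, which is a buffer-lifetime problem that no bounds check on `roi` detects.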

PoC

If reproducing the issue is not possible, I would appreciate it if you could send me the packet file you have for analysis.

Impact

Out-Of-Bounds Write

Asan

==22428==ERROR: AddressSanitizer: heap-use-after-free on address 0x000128615c0c at pc 0x0001015e6040 bp 0x000171006a90 sp 0x000171006a88
WRITE of size 1 at 0x000128615c0c thread T42
[19:15:40:552] [22428:700b7000] [ERROR][com.freerdp.codec] - [pool_decode]: YUV decoder: invalid number of tiles, only support 2112, got 2112
    #0 0x1015e603c in writePixelBGRX+0x6c (libfreerdp3.3.0.0.dylib:arm64+0x3b603c) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #1 0x1015e6610 in general_YUV444ToRGB_8u_P3AC4R_BGRX+0x398 (libfreerdp3.3.0.0.dylib:arm64+0x3b6610) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #2 0x1015e3510 in general_YUV444ToRGB_8u_P3AC4R+0x58 (libfreerdp3.3.0.0.dylib:arm64+0x3b3510) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #3 0x101292f10 in avc444_yuv_to_rgb+0x76c (libfreerdp3.3.0.0.dylib:arm64+0x62f10) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #4 0x10128daec in yuv444_process_work_callback+0x120 (libfreerdp3.3.0.0.dylib:arm64+0x5daec) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #5 0x101d9a8c4 in thread_pool_work_func pool.c:88
    #6 0x101da54ac in thread_launcher thread.c:520
    #7 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #8 0x8b2f0001a20c6d9c  (<unknown module>)

0x000128615c0c is located 889868 bytes inside of 1667112-byte region [0x00012853c800,0x0001286d3828)
freed by thread T5 here:
    #0 0x10232d6e4 in wrap_free+0x90 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x516e4) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101e05b50 in winpr_aligned_free alignment.c:264
    #2 0x1013883b4 in gdi_DeleteSurface+0x264 (libfreerdp3.3.0.0.dylib:arm64+0x1583b4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #3 0x10054c980 in rdpgfx_recv_delete_surface_pdu+0x3f4 (libfreerdp-client3.3.0.0.dylib:arm64+0x98980) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #4 0x1005449a8 in rdpgfx_recv_pdu+0xb50 (libfreerdp-client3.3.0.0.dylib:arm64+0x909a8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #5 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #6 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #7 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #8 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #9 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x1014887bc in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2587bc) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #13 0x10153a070 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x30a070) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #14 0x1014ea3d0 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2ba3d0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #15 0x1014e9190 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b9190) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #16 0x1014e49f8 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b49f8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #17 0x1014e3520 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3520) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #18 0x101509cd4 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d9cd4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #19 0x1014e5300 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b5300) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #20 0x10147ff78 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24ff78) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #21 0x101480648 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x250648) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #22 0x1000d7700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #23 0x101da54ac in thread_launcher thread.c:520
    #24 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #25 0x11330001a20c6d9c  (<unknown module>)

previously allocated by thread T5 here:
    #0 0x10232d5b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101e04f18 in winpr_aligned_offset_malloc alignment.c:114
    #2 0x101e04df0 in winpr_aligned_malloc alignment.c:60
    #3 0x101387f40 in gdi_CreateSurface+0x82c (libfreerdp3.3.0.0.dylib:arm64+0x157f40) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #4 0x10054c414 in rdpgfx_recv_create_surface_pdu+0x90c (libfreerdp-client3.3.0.0.dylib:arm64+0x98414) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #5 0x1005448dc in rdpgfx_recv_pdu+0xa84 (libfreerdp-client3.3.0.0.dylib:arm64+0x908dc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #6 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #7 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #8 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #9 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #13 0x1014887bc in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2587bc) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #14 0x10153a070 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x30a070) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #15 0x1014ea3d0 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2ba3d0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #16 0x1014e9190 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b9190) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #17 0x1014e49f8 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b49f8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #18 0x1014e3520 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3520) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #19 0x101509cd4 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d9cd4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #20 0x1014e5300 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b5300) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #21 0x10147ff78 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24ff78) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #22 0x101480648 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x250648) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #23 0x1000d7700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #24 0x101da54ac in thread_launcher thread.c:520
    #25 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #26 0x11330001a20c6d9c  (<unknown module>)

Thread T42 created by T5 here:
    #0 0x10232691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101da252c in winpr_StartThread thread.c:568
    #2 0x101da1c00 in CreateThread thread.c:650
    #3 0x101d99dd8 in InitializeThreadpool pool.c:134
    #4 0x101d99ef0 in winpr_CreateThreadpool pool.c:177
    #5 0x10128bba0 in yuv_context_new+0x2e8 (libfreerdp3.3.0.0.dylib:arm64+0x5bba0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #6 0x101297e38 in h264_context_new+0x13c (libfreerdp3.3.0.0.dylib:arm64+0x67e38) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #7 0x101392084 in gdi_SurfaceCommand_AVC444+0x328 (libfreerdp3.3.0.0.dylib:arm64+0x162084) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #8 0x1013873b8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1573b8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #9 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #13 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #14 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #15 0x1004c6694 in dvcman_receive_channel_data+0x3c4 (libfreerdp-client3.3.0.0.dylib:arm64+0x12694) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #16 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #17 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #18 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #19 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #20 0x1014887bc in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2587bc) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #21 0x10153a070 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x30a070) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #22 0x1014ea3d0 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2ba3d0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #23 0x1014e9190 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b9190) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #24 0x1014e49f8 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b49f8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #25 0x1014e3520 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3520) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #26 0x101509cd4 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d9cd4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #27 0x1014e5300 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b5300) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #28 0x10147ff78 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24ff78) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #29 0x101480648 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x250648) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
    #30 0x1000d7700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #31 0x101da54ac in thread_launcher thread.c:520
    #32 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #33 0x11330001a20c6d9c  (<unknown module>)

Thread T5 created by T0 here:
    #0 0x10232691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101da252c in winpr_StartThread thread.c:568
    #2 0x101da1c00 in CreateThread thread.c:650
    #3 0x1000d6e64 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12e64) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #4 0x1000d62b4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x122b4) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #5 0x1000ca18c in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x618c) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #6 0x10000678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
    #7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
    #8 0x6b398001a223aee8  (<unknown module>)
    #9 0xb95d8001a223ae30  (<unknown module>)
    #10 0x3e6f0001a21704c8  (<unknown module>)
    #11 0x90010001a30ce8f0  (<unknown module>)
    #12 0xfe6a0001a53d1154  (<unknown module>)
    #13 0x1e6e8001a53d0f04  (<unknown module>)
    #14 0xd2480001a53cefa0  (<unknown module>)
    #15 0x3a580001a53ceb9c  (<unknown module>)
    #16 0x856f8001a30f8b60  (<unknown module>)
    #17 0x4e288001a30f89c0  (<unknown module>)
    #18 0x500001a84d1514  (<unknown module>)
    #19 0xca698001a84d0e40  (<unknown module>)
    #20 0x90001a84c9f14  (<unknown module>)
    #21 0xf6358001aba02b40  (<unknown module>)
    #22 0xe87f0001a53ca044  (<unknown module>)
    #23 0xb36d8001a53c8edc  (<unknown module>)
    #24 0x3a3f0001a53bd340  (<unknown module>)
    #25 0xc35f0001a5394790  (<unknown module>)
    #26 0x561a000100006020  (<unknown module>)
    #27 0x1a1d73f24  (<unknown module>)
    #28 0x5d2c7ffffffffffc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free (libfreerdp3.3.0.0.dylib:arm64+0x3b603c) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00) in writePixelBGRX+0x6c

Related news

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.
