Headline
CVE-2023-40575: Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the general_YUV444ToRGB_8u_P3AC4R_BGRX function. The issue is likely down to insufficient data behind the pSrc planes and results in crashes. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
Affected versions
>= 3.0.0-beta1, <= 3.0.0-beta2
Patched versions
3.0.0-beta3
Summary
Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX
Affected
FreeRDP-based clients only. The FreeRDP proxy is not affected, as it does not decode images itself (data passthrough).
Details
/* Affected converter from FreeRDP's primitives code (libfreerdp/primitives).
 * Reproduced as the report shows it; comments added to mark the reads in question. */
static pstatus_t general_YUV444ToRGB_8u_P3AC4R_BGRX(const BYTE* const pSrc[3],
                                                     const UINT32 srcStep[3], BYTE* pDst,
                                                     UINT32 dstStep, UINT32 DstFormat,
                                                     const prim_size_t* roi)
{
	UINT32 x, y;
	UINT32 nWidth, nHeight;
	const DWORD formatSize = FreeRDPGetBytesPerPixel(DstFormat);

	/* The region of interest is taken on trust: nothing in this function
	 * knows how many bytes the three source planes actually hold. */
	nWidth = roi->width;
	nHeight = roi->height;

	for (y = 0; y < nHeight; y++)
	{
		/* Row pointers into the Y, U and V planes, each at its own stride. */
		const BYTE* pY = pSrc[0] + y * srcStep[0];
		const BYTE* pU = pSrc[1] + y * srcStep[1];
		const BYTE* pV = pSrc[2] + y * srcStep[2];
		BYTE* pRGB = pDst + y * dstStep;

		for (x = 0; x < nWidth; x++)
		{
			/* One-byte reads per plane; with nWidth * nHeight (at the given
			 * strides) larger than the planes, these run past the end of the
			 * allocation, which is where ASan reports the READ of size 1. */
			const BYTE Y = pY[x];
			const BYTE U = pU[x];
			const BYTE V = pV[x];
			const BYTE r = YUV2R(Y, U, V);
			const BYTE g = YUV2G(Y, U, V);
			const BYTE b = YUV2B(Y, U, V);
			pRGB = writePixelBGRX(pRGB, formatSize, DstFormat, r, g, b, 0);
		}
	}
	return PRIMITIVES_SUCCESS;
}
I might not have the exact cause, but it seems like the issue could be insufficient data for pSrc.
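The converter above walks roi->height rows of roi->width bytes in each plane at the caller's stride, so the caller must guarantee that every plane really is that large. The following is an added example written for this page, not FreeRDP's code or its actual fix: it computes the byte span the loops will touch per plane (in 64-bit arithmetic, so a hostile roi cannot wrap), compares it with the allocated plane and destination sizes, and only then runs a simplified stand-in for the conversion loop. The BYTE, UINT32 and prim_size_t definitions and the 64x64 sample planes are constructed here so the file builds without FreeRDP headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the FreeRDP types used by the converter; hypothetical, only so
 * this example builds without the FreeRDP headers. */
typedef uint8_t BYTE;
typedef uint32_t UINT32;
typedef struct
{
	UINT32 width;
	UINT32 height;
} prim_size_t;

/* Bytes the converter's loops touch in one plane: rows 0..height-1 at stride
 * `step`, then `width` bytes of the last row. (2^32-1)^2 + (2^32-1) still fits
 * in uint64_t, so a huge roi cannot wrap to a small value here. */
static bool plane_span_bytes(UINT32 width, UINT32 height, UINT32 step, size_t* out)
{
	if (width == 0 || height == 0)
	{
		*out = 0;
		return true;
	}
	const uint64_t span = (uint64_t)(height - 1) * step + width;
	if (span > SIZE_MAX)
		return false;
	*out = (size_t)span;
	return true;
}

/* The precondition the reported function never checks: each source plane and
 * the BGRX destination must be large enough for roi at its stride. srcSize[i]
 * is the allocated size of pSrc[i] in bytes. Editor's illustration, not the
 * upstream fix. */
static bool yuv444_roi_fits(const prim_size_t* roi, const UINT32 srcStep[3],
                            const size_t srcSize[3], UINT32 dstStep, size_t dstSize)
{
	size_t need = 0;
	for (int i = 0; i < 3; i++)
	{
		if (!plane_span_bytes(roi->width, roi->height, srcStep[i], &need) || need > srcSize[i])
			return false;
	}
	const uint64_t dstRow = (uint64_t)roi->width * 4; /* 4 bytes per BGRX pixel */
	if (dstRow > UINT32_MAX)
		return false;
	return plane_span_bytes((UINT32)dstRow, roi->height, dstStep, &need) && need <= dstSize;
}

/* Simplified stand-in for the conversion loop (copies Y, U, V into B, G, R and
 * writes 0 into X instead of doing colour conversion), guarded by the check.
 * Returns 0 on success, -1 when roi does not fit the buffers. */
static int yuv444_to_bgrx_checked(const BYTE* const pSrc[3], const UINT32 srcStep[3],
                                  const size_t srcSize[3], BYTE* pDst, UINT32 dstStep,
                                  size_t dstSize, const prim_size_t* roi)
{
	if (!yuv444_roi_fits(roi, srcStep, srcSize, dstStep, dstSize))
		return -1;
	for (UINT32 y = 0; y < roi->height; y++)
	{
		const BYTE* pY = pSrc[0] + (size_t)y * srcStep[0];
		const BYTE* pU = pSrc[1] + (size_t)y * srcStep[1];
		const BYTE* pV = pSrc[2] + (size_t)y * srcStep[2];
		BYTE* pRGB = pDst + (size_t)y * dstStep;
		for (UINT32 x = 0; x < roi->width; x++)
		{
			pRGB[4 * x + 0] = pY[x];
			pRGB[4 * x + 1] = pU[x];
			pRGB[4 * x + 2] = pV[x];
			pRGB[4 * x + 3] = 0;
		}
	}
	return 0;
}

/* Constructed sample: three 4096-byte planes and a 64x64 BGRX destination
 * (stride 256). Returns 1 if a w x h roi at stride `step` passes the check. */
static int roi_fits_sample(UINT32 w, UINT32 h, UINT32 step)
{
	const UINT32 srcStep[3] = { step, step, step };
	const size_t srcSize[3] = { 4096, 4096, 4096 };
	const prim_size_t roi = { w, h };
	return yuv444_roi_fits(&roi, srcStep, srcSize, 256, 16384) ? 1 : 0;
}

/* Runs the guarded converter on constructed 64x64 planes filled with
 * 0x10/0x20/0x30. Returns its result, or -2 if the output pixels are wrong. */
static int convert_sample(UINT32 w, UINT32 h)
{
	static BYTE planes[3][64 * 64];
	static BYTE dst[64 * 64 * 4];
	memset(planes[0], 0x10, sizeof(planes[0]));
	memset(planes[1], 0x20, sizeof(planes[1]));
	memset(planes[2], 0x30, sizeof(planes[2]));
	memset(dst, 0xAA, sizeof(dst));
	const BYTE* const pSrc[3] = { planes[0], planes[1], planes[2] };
	const UINT32 srcStep[3] = { 64, 64, 64 };
	const size_t srcSize[3] = { sizeof(planes[0]), sizeof(planes[1]), sizeof(planes[2]) };
	const prim_size_t roi = { w, h };
	const int rc = yuv444_to_bgrx_checked(pSrc, srcStep, srcSize, dst, 256, sizeof(dst), &roi);
	if (rc != 0 || w == 0 || h == 0)
		return rc;
	const BYTE* last = dst + (size_t)(h - 1) * 256 + (size_t)(w - 1) * 4;
	const bool ok = dst[0] == 0x10 && dst[1] == 0x20 && dst[2] == 0x30 && dst[3] == 0 &&
	                last[0] == 0x10 && last[1] == 0x20 && last[2] == 0x30 && last[3] == 0;
	return ok ? 0 : -2;
}

int main(void)
{
	printf("64x64 fits: %d, 64x65 fits: %d, 65x64 fits: %d\n", roi_fits_sample(64, 64, 64),
	       roi_fits_sample(64, 65, 64), roi_fits_sample(65, 64, 64));
	printf("convert 64x64: %d, convert 64x65: %d\n", convert_sample(64, 64), convert_sample(64, 65));
	return 0;
}
```

The check keys on the allocated size of each plane, which the converter's signature does not carry; in a real integration that size has to be threaded down from wherever the planes are allocated (the ASan trace points at avc444_ensure_buffer for the overrun region), otherwise the loop has nothing to compare roi against.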
PoC
If reproducing the issue is not possible, I would appreciate it if you could send me the packet file you have for analysis.
Impact
Out-Of-Bounds Read
ASan
==23070==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00012b5eb828 at pc 0x0001015e6518 bp 0x000170dd6ac0 sp 0x000170dd6ab8
READ of size 1 at 0x00012b5eb828 thread T55
#0 0x1015e6514 in general_YUV444ToRGB_8u_P3AC4R_BGRX+0x29c (libfreerdp3.3.0.0.dylib:arm64+0x3b6514) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#1 0x1015e3510 in general_YUV444ToRGB_8u_P3AC4R+0x58 (libfreerdp3.3.0.0.dylib:arm64+0x3b3510) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#2 0x101292f10 in avc444_yuv_to_rgb+0x76c (libfreerdp3.3.0.0.dylib:arm64+0x62f10) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#3 0x10128daec in yuv444_process_work_callback+0x120 (libfreerdp3.3.0.0.dylib:arm64+0x5daec) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#4 0x101d9a8c4 in thread_pool_work_func pool.c:88
#5 0x101da54ac in thread_launcher thread.c:520
#6 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#7 0x12008001a20c6d9c (<unknown module>)
0x00012b5eb828 is located 0 bytes after 208936-byte region [0x00012b5b8800,0x00012b5eb828)
allocated by thread T4 here:
#0 0x10232d5b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101e04f18 in winpr_aligned_offset_malloc alignment.c:114
#2 0x101e055b0 in winpr_aligned_offset_recalloc alignment.c:189
#3 0x101e05188 in winpr_aligned_recalloc alignment.c:75
#4 0x101297030 in avc444_ensure_buffer+0x34c (libfreerdp3.3.0.0.dylib:arm64+0x67030) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#5 0x101297960 in avc444_process_rects+0x288 (libfreerdp3.3.0.0.dylib:arm64+0x67960) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#6 0x101297694 in avc444_decompress+0x228 (libfreerdp3.3.0.0.dylib:arm64+0x67694) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#7 0x1013926a8 in gdi_SurfaceCommand_AVC444+0x94c (libfreerdp3.3.0.0.dylib:arm64+0x1626a8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#8 0x1013873b8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1573b8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#9 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#10 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#11 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#12 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#13 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#14 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#15 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#16 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#17 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#18 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#19 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#20 0x1014887bc in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2587bc) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#21 0x10153a070 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x30a070) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#22 0x1014ea3d0 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2ba3d0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#23 0x1014e9190 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b9190) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#24 0x1014e49f8 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b49f8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#25 0x1014e3520 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3520) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#26 0x101509cd4 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d9cd4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#27 0x1014e5300 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b5300) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#28 0x10147ff78 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24ff78) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#29 0x101480648 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x250648) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
Thread T55 created by T4 here:
#0 0x10232691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101da252c in winpr_StartThread thread.c:568
#2 0x101da1c00 in CreateThread thread.c:650
#3 0x101d99dd8 in InitializeThreadpool pool.c:134
#4 0x101d99ef0 in winpr_CreateThreadpool pool.c:177
#5 0x10128bba0 in yuv_context_new+0x2e8 (libfreerdp3.3.0.0.dylib:arm64+0x5bba0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#6 0x101297e38 in h264_context_new+0x13c (libfreerdp3.3.0.0.dylib:arm64+0x67e38) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#7 0x101392084 in gdi_SurfaceCommand_AVC444+0x328 (libfreerdp3.3.0.0.dylib:arm64+0x162084) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#8 0x1013873b8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1573b8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#9 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#10 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#11 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#12 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#13 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#14 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#15 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#16 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#17 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#18 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#19 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
#20 0x1014887bc in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2587bc) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#21 0x10153a070 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x30a070) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#22 0x1014ea3d0 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2ba3d0) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#23 0x1014e9190 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b9190) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#24 0x1014e49f8 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b49f8) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#25 0x1014e3520 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3520) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#26 0x101509cd4 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d9cd4) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#27 0x1014e5300 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b5300) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#28 0x10147ff78 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24ff78) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#29 0x101480648 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x250648) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00)
#30 0x1000d7700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
#31 0x101da54ac in thread_launcher thread.c:520
#32 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#33 0xa7790001a20c6d9c (<unknown module>)
Thread T4 created by T0 here:
#0 0x10232691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101da252c in winpr_StartThread thread.c:568
#2 0x101da1c00 in CreateThread thread.c:650
#3 0x1000d6e64 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12e64) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
#4 0x1000d62b4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x122b4) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
#5 0x1000ca18c in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x618c) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
#6 0x10000678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
#7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0x6a470001a223aee8 (<unknown module>)
#9 0xed170001a223ae30 (<unknown module>)
#10 0xac5d0001a21704c8 (<unknown module>)
#11 0x243a0001a30ce8f0 (<unknown module>)
#12 0x8a4f0001a53d1154 (<unknown module>)
#13 0xda138001a53d0f04 (<unknown module>)
#14 0xc0000001a53cefa0 (<unknown module>)
#15 0x19698001a53ceb9c (<unknown module>)
#16 0xb1478001a30f8b60 (<unknown module>)
#17 0x1d768001a30f89c0 (<unknown module>)
#18 0xc26e8001a84d1514 (<unknown module>)
#19 0x800f8001a84d0e40 (<unknown module>)
#20 0xd5280001a84c9f14 (<unknown module>)
#21 0xd61b0001aba02b40 (<unknown module>)
#22 0x23160001a53ca044 (<unknown module>)
#23 0x433a8001a53c8edc (<unknown module>)
#24 0x57030001a53bd340 (<unknown module>)
#25 0x85588001a5394790 (<unknown module>)
#26 0xe739800100006020 (<unknown module>)
#27 0x1a1d73f24 (<unknown module>)
#28 0x1339fffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libfreerdp3.3.0.0.dylib:arm64+0x3b6514) (BuildId: 6065c8e6088137a4909a9600b1279a0b32000000200000000100000000000d00) in general_YUV444ToRGB_8u_P3AC4R_BGRX+0x29c
Shadow bytes around the buggy address:
0x00012b5eb580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00012b5eb600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00012b5eb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00012b5eb700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00012b5eb780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00012b5eb800: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
0x00012b5eb880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00012b5eb900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00012b5eb980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00012b5eba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00012b5eba80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Related news
Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.