CVE-2023-40187: Use-After-Free in avc420_ensure_buffer, avc444_ensure_buffer

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of the 3.x beta branch are subject to a Use-After-Free issue in the avc420_ensure_buffer and avc444_ensure_buffer functions. If the value of piDstSize[x] is 0, ppYUVDstData[x] will be freed. However, in this case ppYUVDstData[x] will not have been updated which leads to a Use-After-Free vulnerability. This issue has been addressed in version 3.0.0-beta3. Users of the 3.x beta releases are advised to upgrade. There are no known workarounds for this vulnerability.

Affected versions

>= 3.0.0-beta1, <= 3.0.0-beta2

Patched versions

3.0.0-beta3

Summary

Use-After-Free in avc420_ensure_buffer, avc444_ensure_buffer

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).

Details

    for (x = 0; x < 3; x++)
    {
        BYTE* tmp1;
        BYTE* tmp2;
        piDstStride[x] = piMainStride[0];
        piDstSize[x] = piDstStride[x] * padDstHeight;

        /* With piDstSize[x] == 0 the old buffer is freed, but the pointer
         * below is only refreshed when the call returns non-NULL. */
        tmp1 = winpr_aligned_recalloc(ppYUVDstData[x], piDstSize[x], 1, 16);
        if (tmp1)
            ppYUVDstData[x] = tmp1;

        tmp2 = winpr_aligned_recalloc(ppOldYUVDstData[x], piDstSize[x], 1, 16);
        if (tmp2)
            ppOldYUVDstData[x] = tmp2;

        if (!tmp1 || !tmp2)
            goto fail;
    }

If piDstSize[x] is 0, ppYUVDstData[x] will be freed. However, ppYUVDstData[x] is not updated in that case and still holds the freed pointer, which leads to a Use-After-Free (UAF) vulnerability.
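
The stale-pointer pattern described above, reduced to a stand-alone program with a size check placed in front of it. This is an added example, not FreeRDP or WinPR code and not the project's actual patch: toy_recalloc, yuv_ctx, resize_planes, ensure_hardened and run_demo are hypothetical names, and toy_recalloc models only the behaviour the advisory states (a zero-size request frees the buffer). The program counts stale pointers through bookkeeping and never dereferences freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned char* plane[3]; /* plays the role of ppYUVDstData[] */
    int dangling[3];         /* demo bookkeeping: plane[x] points at freed memory */
} yuv_ctx;

/* Assumed model of the behaviour the advisory describes (not WinPR's code):
 * a zero-size request frees the block and returns NULL. Zeroing is omitted. */
static void* toy_recalloc(void* ptr, size_t size, int* freed) {
    *freed = (size == 0 && ptr != NULL);
    if (size == 0) {
        free(ptr);
        return NULL;
    }
    return realloc(ptr, size);
}

/* Same update pattern as the advisory's loop: store only a non-NULL result. */
static int resize_planes(yuv_ctx* c, size_t stride, size_t height) {
    for (int x = 0; x < 3; x++) {
        int freed;
        unsigned char* tmp = toy_recalloc(c->plane[x], stride * height, &freed);
        if (!tmp) {
            c->dangling[x] = freed; /* plane[x] still holds the freed address */
            return 0;
        }
        c->plane[x] = tmp;
    }
    return 1;
}

/* Hardened: reject zero or overflowing sizes before any buffer is touched. */
static int ensure_hardened(yuv_ctx* c, size_t stride, size_t height) {
    if (stride == 0 || height == 0 || stride > SIZE_MAX / height)
        return 0;
    return resize_planes(c, stride, height);
}

/* One valid resize, then a zero-size one; returns the stale-pointer count. */
static int run_demo(int (*ensure)(yuv_ctx*, size_t, size_t)) {
    yuv_ctx c = { 0 };
    int stale = 0;
    ensure(&c, 64, 16); /* constructed input: three planes allocated */
    ensure(&c, 0, 16);  /* constructed input: stride 0, so the size is 0 */
    for (int x = 0; x < 3; x++) {
        stale += c.dangling[x];
        if (!c.dangling[x])
            free(c.plane[x]); /* skip stale pointers to avoid a double free */
    }
    return stale;
}

int main(void) {
    printf("pattern from advisory: %d stale\n", run_demo(resize_planes));
    printf("with size check:       %d stale\n", run_demo(ensure_hardened));
    return 0;
}
```

In the ASan report below, the faulting read happens inside winpr_aligned_offset_recalloc, which is consistent with the stale pointer being handed back to the allocator on a later call.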

PoC

  1. Send piDstSize[x] == 0

Impact

Use-After-Free leading to unexpected behavior

Asan

==73963==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900000a208 at pc 0x000101dfd6a8 bp 0x000170029320 sp 0x000170029318
READ of size 4 at 0x62900000a208 thread T4
    #0 0x101dfd6a4 in winpr_aligned_offset_recalloc alignment.c:202
    #1 0x101dfd188 in winpr_aligned_recalloc alignment.c:75
    #2 0x101292260 in avc444_ensure_buffer+0x34c (libfreerdp3.3.0.0.dylib:arm64+0x66260) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #3 0x101292b90 in avc444_process_rects+0x288 (libfreerdp3.3.0.0.dylib:arm64+0x66b90) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #4 0x1012928c4 in avc444_decompress+0x228 (libfreerdp3.3.0.0.dylib:arm64+0x668c4) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #5 0x10138d8d8 in gdi_SurfaceCommand_AVC444+0x94c (libfreerdp3.3.0.0.dylib:arm64+0x1618d8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #6 0x1013825e8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1565e8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #7 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #8 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #9 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #13 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #14 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #15 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #16 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #17 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #18 0x1014839ec in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2579ec) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #19 0x1015352a0 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x3092a0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #20 0x1014e5600 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b9600) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #21 0x1014e43c0 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b83c0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #22 0x1014dfc28 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b3c28) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #23 0x1014de750 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b2750) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #24 0x101504f04 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d8f04) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #25 0x1014e0530 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b4530) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #26 0x10147b1a8 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24f1a8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #27 0x10147b878 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24f878) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #28 0x1000d7700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #29 0x101d9d4ac in thread_launcher thread.c:520
    #30 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #31 0x6a050001a20c6d9c  (<unknown module>)

0x62900000a208 is located 8 bytes inside of 18472-byte region [0x62900000a200,0x62900000ea28)
freed by thread T4 here:
    #0 0x1023256e4 in wrap_free+0x90 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x516e4) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101dfdb50 in winpr_aligned_free alignment.c:264
    #2 0x101dfd96c in winpr_aligned_offset_recalloc alignment.c:227
    #3 0x101dfd188 in winpr_aligned_recalloc alignment.c:75
    #4 0x101292260 in avc444_ensure_buffer+0x34c (libfreerdp3.3.0.0.dylib:arm64+0x66260) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #5 0x101292b90 in avc444_process_rects+0x288 (libfreerdp3.3.0.0.dylib:arm64+0x66b90) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #6 0x1012928c4 in avc444_decompress+0x228 (libfreerdp3.3.0.0.dylib:arm64+0x668c4) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #7 0x10138d8d8 in gdi_SurfaceCommand_AVC444+0x94c (libfreerdp3.3.0.0.dylib:arm64+0x1618d8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #8 0x1013825e8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1565e8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #9 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #13 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #14 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #15 0x1004c6710 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x12710) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #16 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #17 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #18 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #19 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #20 0x1014839ec in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2579ec) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #21 0x1015352a0 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x3092a0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #22 0x1014e5600 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b9600) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #23 0x1014e43c0 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b83c0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #24 0x1014dfc28 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b3c28) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #25 0x1014de750 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b2750) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #26 0x101504f04 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d8f04) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #27 0x1014e0530 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b4530) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #28 0x10147b1a8 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24f1a8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #29 0x10147b878 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24f878) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)

previously allocated by thread T4 here:
    #0 0x1023255b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101dfcf18 in winpr_aligned_offset_malloc alignment.c:114
    #2 0x101dfd5b0 in winpr_aligned_offset_recalloc alignment.c:189
    #3 0x101dfd188 in winpr_aligned_recalloc alignment.c:75
    #4 0x101292260 in avc444_ensure_buffer+0x34c (libfreerdp3.3.0.0.dylib:arm64+0x66260) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #5 0x101292b90 in avc444_process_rects+0x288 (libfreerdp3.3.0.0.dylib:arm64+0x66b90) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #6 0x101292870 in avc444_decompress+0x1d4 (libfreerdp3.3.0.0.dylib:arm64+0x66870) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #7 0x10138d8d8 in gdi_SurfaceCommand_AVC444+0x94c (libfreerdp3.3.0.0.dylib:arm64+0x1618d8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #8 0x1013825e8 in gdi_SurfaceCommand+0x5b0 (libfreerdp3.3.0.0.dylib:arm64+0x1565e8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #9 0x10055c238 in rdpgfx_decode_AVC444+0xa0c (libfreerdp-client3.3.0.0.dylib:arm64+0xa8238) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #10 0x10055b0bc in rdpgfx_decode+0x178 (libfreerdp-client3.3.0.0.dylib:arm64+0xa70bc) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #11 0x100546a20 in rdpgfx_recv_wire_to_surface_1_pdu+0x14ec (libfreerdp-client3.3.0.0.dylib:arm64+0x92a20) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #12 0x10054427c in rdpgfx_recv_pdu+0x424 (libfreerdp-client3.3.0.0.dylib:arm64+0x9027c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #13 0x1005433b0 in rdpgfx_on_data_received+0x444 (libfreerdp-client3.3.0.0.dylib:arm64+0x8f3b0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #14 0x1004c68a4 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x128a4) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #15 0x1004c6694 in dvcman_receive_channel_data+0x3c4 (libfreerdp-client3.3.0.0.dylib:arm64+0x12694) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #16 0x1004c30f8 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xf0f8) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #17 0x1004c136c in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xd36c) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #18 0x1004c0db0 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xcdb0) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #19 0x1004bfa98 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xba98) (BuildId: 81736ad6ceca33b393c7b6a3c46ded1f32000000200000000100000000000d00)
    #20 0x1014839ec in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2579ec) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #21 0x1015352a0 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x3092a0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #22 0x1014e5600 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b9600) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #23 0x1014e43c0 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b83c0) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #24 0x1014dfc28 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b3c28) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #25 0x1014de750 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b2750) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #26 0x101504f04 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d8f04) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #27 0x1014e0530 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b4530) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #28 0x10147b1a8 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24f1a8) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)
    #29 0x10147b878 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24f878) (BuildId: d53c29501ead3efda935d2a95dab72b332000000200000000100000000000d00)

Thread T4 created by T0 here:
    #0 0x10231e91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101d9a52c in winpr_StartThread thread.c:568
    #2 0x101d99c00 in CreateThread thread.c:650
    #3 0x1000d6e64 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12e64) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #4 0x1000d62b4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x122b4) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #5 0x1000ca18c in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x618c) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
    #6 0x10000678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
    #7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
    #8 0xeb690001a223aee8  (<unknown module>)
    #9 0x76370001a223ae30  (<unknown module>)
    #10 0x1d138001a21704c8  (<unknown module>)
    #11 0x677b8001a30ce8f0  (<unknown module>)
    #12 0x52530001a53d1154  (<unknown module>)
    #13 0xd7578001a53d0f04  (<unknown module>)
    #14 0xe9100001a53cefa0  (<unknown module>)
    #15 0xb6280001a53ceb9c  (<unknown module>)
    #16 0xf3510001a30f8b60  (<unknown module>)
    #17 0x3f298001a30f89c0  (<unknown module>)
    #18 0xc93d0001a84d1514  (<unknown module>)
    #19 0xb5018001a84d0e40  (<unknown module>)
    #20 0xba448001a84c9f14  (<unknown module>)
    #21 0x85e8001aba02b40  (<unknown module>)
    #22 0x3d738001a53ca044  (<unknown module>)
    #23 0xfb5d8001a53c8edc  (<unknown module>)
    #24 0xfb7d0001a53bd340  (<unknown module>)
    #25 0x450f8001a5394790  (<unknown module>)
    #26 0x6a74000100006020  (<unknown module>)
    #27 0x1a1d73f24  (<unknown module>)
    #28 0x56347ffffffffffc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free alignment.c:202 in winpr_aligned_offset_recalloc

Related news

Gentoo Linux Security Advisory 202401-16

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.