Headline
CVE-2023-39353: Missing offset validation leading to Out Of Bound Read
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the libfreerdp/codec/rfx.c
file there is no offset validation in tile->quantIdxY
, tile->quantIdxCb
, and tile->quantIdxCr
. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected versions
<= 2.10.0 , <= 3.0.0-beta2
Patched versions
2.11.0, 3.0.0-beta3
Summary
Missing offset validation leading to Out Of Bound Read
Affected
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
Details
Stream_Read_UINT8(sub, tile->quantIdxY); /* quantIdxY (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
Stream_Read_UINT8(sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
There’re no offset validation in tile->quantIdxY, tile->quantIdxCb, tile->quantIdxCr.
PoC
- Set tile->quantIdxY >= context->numQuant
Impact
Out Of Bound Read
Asan
==90824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000024048 at pc 0x00010587d928 bp 0x00016ba7d120 sp 0x00016ba7d118
READ of size 4 at 0x60f000024048 thread T4
#0 0x10587d924 in rfx_quantization_decode+0x6c (libfreerdp3.3.0.0.dylib:arm64+0x2d924) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#1 0x105879274 in rfx_decode_component+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x29274) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#2 0x105879800 in rfx_decode_rgb+0x3dc (libfreerdp3.3.0.0.dylib:arm64+0x29800) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#3 0x1058618a4 in rfx_process_message_tileset+0x39ec (libfreerdp3.3.0.0.dylib:arm64+0x118a4) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#4 0x10585828c in rfx_process_message+0x1304 (libfreerdp3.3.0.0.dylib:arm64+0x828c) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#5 0x1059aa9c8 in gdi_SurfaceCommand_RemoteFX+0x6d8 (libfreerdp3.3.0.0.dylib:arm64+0x15a9c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#6 0x1059a27c8 in gdi_SurfaceCommand+0x54c (libfreerdp3.3.0.0.dylib:arm64+0x1527c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#7 0x104b9e998 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa998) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#8 0x104b8837c in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x9437c) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#9 0x104b85964 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x91964) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#10 0x104b84854 in rdpgfx_on_data_received+0x448 (libfreerdp-client3.3.0.0.dylib:arm64+0x90854) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#11 0x104b07ca8 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13ca8) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#12 0x104b07b14 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13b14) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#13 0x104b044fc in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0x104fc) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#14 0x104b02770 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xe770) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#15 0x104b021b4 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xe1b4) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#16 0x104b00e9c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xce9c) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#17 0x105aa19c8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2519c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#18 0x105b530a8 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x3030a8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#19 0x105b03408 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3408) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#20 0x105b021c8 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b21c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#21 0x105afda30 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2ada30) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#22 0x105afc558 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ac558) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#23 0x105b22d0c in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d2d0c) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#24 0x105afe338 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2ae338) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#25 0x105a99184 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x249184) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#26 0x105a99854 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x249854) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#27 0x10470f130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#28 0x1063a14ac in thread_launcher thread.c:520
#29 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#30 0x5f3480019240ed9c (<unknown module>)
0x60f000024048 is located 408 bytes after 176-byte region [0x60f000023e00,0x60f000023eb0)
allocated by thread T4 here:
#0 0x1069295b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x106400f18 in winpr_aligned_offset_malloc alignment.c:114
#2 0x1064015b0 in winpr_aligned_offset_recalloc alignment.c:189
#3 0x106401188 in winpr_aligned_recalloc alignment.c:75
#4 0x10585eb1c in rfx_process_message_tileset+0xc64 (libfreerdp3.3.0.0.dylib:arm64+0xeb1c) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#5 0x10585828c in rfx_process_message+0x1304 (libfreerdp3.3.0.0.dylib:arm64+0x828c) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#6 0x1059aa9c8 in gdi_SurfaceCommand_RemoteFX+0x6d8 (libfreerdp3.3.0.0.dylib:arm64+0x15a9c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#7 0x1059a27c8 in gdi_SurfaceCommand+0x54c (libfreerdp3.3.0.0.dylib:arm64+0x1527c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#8 0x104b9e998 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa998) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#9 0x104b8837c in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x9437c) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#10 0x104b85964 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x91964) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#11 0x104b84854 in rdpgfx_on_data_received+0x448 (libfreerdp-client3.3.0.0.dylib:arm64+0x90854) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#12 0x104b07ca8 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13ca8) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#13 0x104b07b14 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13b14) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#14 0x104b044fc in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0x104fc) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#15 0x104b02770 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xe770) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#16 0x104b021b4 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xe1b4) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#17 0x104b00e9c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xce9c) (BuildId: 0a140146380c34dc97dc625ae3ee86ba32000000200000000100000000000d00)
#18 0x105aa19c8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x2519c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#19 0x105b530a8 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x3030a8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#20 0x105b03408 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b3408) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#21 0x105b021c8 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b21c8) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#22 0x105afda30 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2ada30) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#23 0x105afc558 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ac558) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#24 0x105b22d0c in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d2d0c) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#25 0x105afe338 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2ae338) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#26 0x105a99184 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x249184) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#27 0x105a99854 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x249854) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00)
#28 0x10470f130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#29 0x1063a14ac in thread_launcher thread.c:520
Thread T4 created by T0 here:
#0 0x10692291c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x10639e52c in winpr_StartThread thread.c:568
#2 0x10639dc00 in CreateThread thread.c:650
#3 0x10470e894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#4 0x10470dce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#5 0x104701bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
#6 0x10463e78c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
#7 0x1924e717c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0xd34e000192582ee8 (<unknown module>)
#9 0x1770800192582e30 (<unknown module>)
#10 0xa5108001924b84c8 (<unknown module>)
#11 0xae5a0001934168f0 (<unknown module>)
#12 0x8537800195719154 (<unknown module>)
#13 0x215000195718f04 (<unknown module>)
#14 0xfd44000195716fa0 (<unknown module>)
#15 0x6100800195716b9c (<unknown module>)
#16 0x405b000193440b60 (<unknown module>)
#17 0x9f008001934409c0 (<unknown module>)
#18 0x8147800198819514 (<unknown module>)
#19 0x3865800198818e40 (<unknown module>)
#20 0xee6b800198811f14 (<unknown module>)
#21 0xc92500019bd4ab40 (<unknown module>)
#22 0xb709000195712044 (<unknown module>)
#23 0x8617000195710edc (<unknown module>)
#24 0xf267800195705340 (<unknown module>)
#25 0x60490001956dc790 (<unknown module>)
#26 0xba5200010463e020 (<unknown module>)
#27 0x1920bbf24 (<unknown module>)
#28 0x1804fffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libfreerdp3.3.0.0.dylib:arm64+0x2d924) (BuildId: 03d344cd48293f13b14188b4c9e45b3332000000200000000100000000000d00) in rfx_quantization_decode+0x6c
Shadow bytes around the buggy address:
0x60f000023d80: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
0x60f000023e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60f000023e80: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x60f000023f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000023f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x60f000024000: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
0x60f000024080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000024100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000024180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000024200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000024280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==90824==ABORTING
[16:06:06:269] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0 libwinpr3.3.0.0.dylib 0x00000001062ff6e4 winpr_execinfo_backtrace + 336
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1 libwinpr3.3.0.0.dylib 0x00000001062f921c winpr_backtrace + 24
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2 libwinpr3.3.0.0.dylib 0x00000001062f9578 winpr_log_backtrace_ex + 304
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3 libwinpr3.3.0.0.dylib 0x00000001062f943c winpr_log_backtrace + 44
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4 libfreerdp3.3.0.0.dylib 0x000000010590b480 fatal_handler + 460
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5 libsystem_platform.dylib 0x0000000192442a24 _sigtramp + 56
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6 libsystem_pthread.dylib 0x0000000192413c28 pthread_kill + 288
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7 libsystem_c.dylib 0x0000000192321ae8 abort + 180
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8 libclang_rt.asan_osx_dynamic.dylib 0x000000010694c9b8 _ZN11__sanitizer6AtexitEPFvvE + 0
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9 libclang_rt.asan_osx_dynamic.dylib 0x000000010694c124 _ZN11__sanitizer22SetCheckUnwindCallbackEPFvvE + 0
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10 libclang_rt.asan_osx_dynamic.dylib 0x0000000106931658 _ZN6__asan16ErrorDescription5PrintEv + 0
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11 libclang_rt.asan_osx_dynamic.dylib 0x000000010693099c _ZN6__asan18ReportGenericErrorEmmmmbmjb + 1452
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12 libclang_rt.asan_osx_dynamic.dylib 0x0000000106931ba0 __asan_report_load4 + 52
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13 libfreerdp3.3.0.0.dylib 0x000000010587d928 rfx_quantization_decode + 112
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14 libfreerdp3.3.0.0.dylib 0x0000000105879278 rfx_decode_component + 372
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15 libfreerdp3.3.0.0.dylib 0x0000000105879804 rfx_decode_rgb + 992
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16 libfreerdp3.3.0.0.dylib 0x00000001058618a8 rfx_process_message_tileset + 14832
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17 libfreerdp3.3.0.0.dylib 0x0000000105858290 rfx_process_message + 4872
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18 libfreerdp3.3.0.0.dylib 0x00000001059aa9cc gdi_SurfaceCommand_RemoteFX + 1756
[16:06:06:270] [90824:6ba7f000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19 libfreerdp3.3.0.0.dylib 0x00000001059a27cc gdi_SurfaceCommand + 1360
Related news
Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.
Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.