Pwn2Carr

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Read in the `general YUV444ToRGB 8u P3AC4R BGRX` function, likely due to insufficient data for the `pSrc` variable, resulting in crashes. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 to resolve the issue. As a temporary workaround, consider disabling the `general YUV444ToRGB 8u P3AC4R BGRX` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Write in the `writePixelBGRX` function of the FreeRDP client, which is caused by incorrect calculations of the `nHeight` and `srcStep` variables. This can allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `writePixelBGRX` function until a patch is applied. However, since an upgrade is available, this should be the preferred course of action.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Write in the `clear decompress bands data` function due to a lack of offset validation. This can be exploited by a remote attacker to cause an out of bounds write, potentially leading to a denial of service. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting access to the `clear decompress bands data` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Read in the `nsc rle decompress data` function. This occurs because the function processes `context->Planes` without checking if it contains data of sufficient length. An attacker may be able to cause a crash by leveraging this vulnerability. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider disabling the `nsc rle decompress data` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a Null Pointer Dereference in the RemoteFX (rfx) handling of FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). This occurs inside the `rfx process message tileset` function when the program allocates tiles using `rfx allocate tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer, which may be accessed in further processing and cause a program crash. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting access to the RemoteFX (rfx) handling until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue affects FreeRDP clients only and is related to an integer underflow leading to a Denial of Service (DOS) vulnerability. When an insufficient `blockLen` is provided and proper length validation is not performed, an integer underflow occurs. This can cause the program to abort due to `WINPR ASSERT` with default compilation flags. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting the use of the FreeRDP client until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue affects FreeRDP based clients only, due to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi CreateSurface` function. This may allow a remote attacker to cause a denial of service. FreeRDP proxies are not affected as image decoding is not done by a proxy. **Recommendations** For FreeRDP versions prior to 2.11.0, upgrade to version 2.11.0 or later. For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider disabling the `gdi CreateSurface` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a Global-Buffer-Overflow in the `ncrush decompress` function. Feeding crafted input into this function can trigger the overflow, which has only been shown to cause a crash. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider disabling the `ncrush decompress` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Write in the `progressive decompress` function, likely due to incorrect calculations of the `nXSrc` and `nYSrc` variables. This can allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider disabling the `progressive decompress` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Read in the `RleDecompress` function. This occurs because FreeRDP processes the `pbSrcBuffer` variable without checking if it contains data of sufficient length. Insufficient data in the `pbSrcBuffer` variable may cause errors or crashes. The issue can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later to address the issue. As a temporary workaround, consider restricting access to the `RleDecompress` function until a patch is available. There are no known workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a Use-After-Free problem in the `avc420 ensure buffer` and `avc444 ensure buffer` functions of the FreeRDP client. This occurs when the value of `piDstSize[x]` is 0, causing `ppYUVDstData[x]` to be freed without being updated, leading to a Use-After-Free vulnerability. Exploitation of this issue could allow a remote attacker to cause a denial of service or other impact. **Recommendations** For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later to address the issue. As a temporary workaround, consider restricting the use of the `avc420 ensure buffer` and `avc444 ensure buffer` functions until a patch is available. However, it is advised that there are no known workarounds for this vulnerability, and upgrading is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Out-Of-Bounds Read in the `general LumaToYUV444` function. This occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. The issue can be exploited by a remote attacker to cause a denial of service. **Recommendations** For FreeRDP versions prior to 2.11.0, upgrade to version 2.11.0 or later. For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider disabling the `general LumaToYUV444` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx decompress segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For FreeRDP versions prior to 2.11.0, upgrade to version 2.11.0 or later. For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting the use of the `zgfx decompress segment` function until a patch is available. Avoid using the `CopyMemory` function in the context of the `zgfx decompress segment` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to an invalid offset validation leading to Out Of Bound Write in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). This can be triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and `surface->height`. In practice, this should cause a crash. There are no known workarounds for this issue. **Recommendations** For FreeRDP versions prior to 2.11.0, upgrade to version 2.11.0 or later. For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a Use-After-Free in processing `RDPGFX CMDID RESETGRAPHICS` packets. If `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed, but without updating `context->planesBuffer`, this leads to a Use-After-Free exploit vector. In most environments, this should only result in a crash. **Recommendations** For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later to address the issue. As a temporary workaround, consider restricting access to the `RDPGFX CMDID RESETGRAPHICS` packet processing functionality until a patch is available. However, since this issue has been addressed in version 3.0.0-beta3, the best course of action is to upgrade to this version or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a missing offset validation in the `gdi multi opaque rect` function, which can lead to an Out Of Bound Read error. This occurs when the value of `multi opaque rect->numRectangles` is not properly validated, allowing for looping through `multi opaque rect->numRectangles` without boundary checks. This can result in a crash. **Recommendations** For versions prior to 2.11.0, upgrade to version 2.11.0 or later. For versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting access to the `gdi multi opaque rect` function until a patch is available. Avoid using the `multi opaque rect->numRectangles` variable in the affected function without proper boundary checks until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.11.0 FreeRDP versions prior to 3.0.0-beta3 **Description** The issue is related to a missing offset validation in the `libfreerdp/codec/rfx.c` file, specifically in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. This can lead to an out of bounds read access, causing a crash when crafted input is processed. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For FreeRDP versions prior to 2.11.0, upgrade to version 2.11.0 or later. For FreeRDP versions prior to 3.0.0-beta3, upgrade to version 3.0.0-beta3 or later. As a temporary workaround, consider restricting access to the `libfreerdp/codec/rfx.c` file until a patch is available. Avoid using the parameters `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr` in the affected code until the issue is resolved.