Ppcavalcante

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** A missing bounds check in the `smartcard unpack read size align()` function within `libfreerdp/utils/smartcard pack.c` can cause the FreeRDP client to crash when connecting to a malicious RDP server. This crash is triggered by a reachable `WINPR ASSERT` leading to an `abort()` condition. The issue occurs in builds where `WITH VERBOSE WINPR ASSERT` is enabled, which is the default setting in FreeRDP 3.22.0 and current WinPR CMake configurations. To be affected, smartcard redirection must be explicitly enabled by the user, for example, using the `/smartcard` option or `/smartcard-logon`. **Recommendations** Update to FreeRDP version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** A malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline, such as `xfreerdp`. This occurs when sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi SurfaceCommand ClearCodec()` handler lacks validation of the command rectangle against the destination surface dimensions. This allows attacker-controlled `cmd->left` and `cmd->top` values to reach image copy routines that write into `surface->data` without bounds enforcement. Corruption of the `codecs*` pointer leads to an indirect function pointer call at `NSC CONTEXT.decode` in `nsc.c:500`, potentially resulting in full instruction pointer control. **Recommendations** Upgrade to version 3.23.0 to receive a patch.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the RLE planar decode path within the `planar decompress plane rle()` function, where it writes to memory without proper bounds checking. Specifically, it writes to `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits within the destination height or that `(nXDst+nSrcWidth)` fits within the destination stride. When `TempFormat` is not equal to `DstFormat`, `pDstData` becomes `planar->pTempData`, and `nYDst` is only validated against the surface using `is within surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The out-of-bounds write can reach up to 132,096 bytes past the end of the temporary buffer. On the brk heap, the `decode` function pointer within an adjacent `NSC CONTEXT` struct can be overwritten with attacker-controlled pixel data, leading to control-flow corruption. **Recommendations** FreeRDP versions prior to 3.23.0 should be updated to version 3.23.0 or later.