Yjk0805

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A size t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. The issue occurs in `libfreerdp/codec/dsp.c` where the decoders subtract block header sizes from a size t variable without checking for underflow. Specifically, when `nBlockAlign` (received from the server) is set in a way that triggers header parsing at a point where the size is smaller than the header (4 or 8 bytes), the subtraction wraps the size to a large value. This causes the `while (size > 0)` loop to iterate excessively. **Recommendations** Update to version 3.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A division by zero error exists in the MS-ADPCM and IMA-ADPCM decoders when the `nBlockAlign` variable is 0, resulting in a crash. The issue occurs in `libfreerdp/codec/dsp.c` where the decoders use `size % block size`, with `block size` equal to `context->common.format.nBlockAlign`. The `nBlockAlign` value originates from the Server Audio Formats PDU on the RDPSND channel and is not validated before being used in the decoder. When `nBlockAlign` is 0, a SIGFPE (floating point exception) crash occurs. **Recommendations** Versions prior to 3.24.0 should be updated to version 3.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. Versions before 3.24.0 contain an out-of-bounds read in the MS-ADPCM and IMA-ADPCM decoders. This issue is caused by unchecked `predictor` and `step index` values received from input data. **Recommendations** Update to version 3.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the `freerdp bitmap decompress planar` function where an out-of-bounds read can occur when the `SrcSize` is 0. The function dereferences a pointer without verifying that `SrcSize` is greater than or equal to 1. When `SrcSize` is 0, reading from the source buffer can access memory beyond its boundaries. **Recommendations** Update to version 3.24.0 or later.