CVE-2018-8787

bitmap->format = gdi->dstFormat;
bitmap->length = DstWidth * DstHeight * GetBytesPerPixel(bitmap->format);
bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);

[15:14:26:436] [16430:16431] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[15:14:26:612] [16430:16431] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[15:14:26:612] [16430:16431] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[15:14:26:668] [16430:16431] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
=================================================================
==16430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000026428 at pc 0x7f01ff088904 bp 0x7f01efbf9190 sp 0x7f01efbf8938
WRITE of size 174764 at 0x62d000026428 thread T1
    #0 0x7f01ff088903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x7f01fd542393 in freerdp_image_copy (/usr/local/lib/libfreerdp2.so.2+0x200393)
    #2 0x7f01fd3f05ea in gdi_Bitmap_Decompress (/usr/local/lib/libfreerdp2.so.2+0xae5ea)
    #3 0x7f01fd4099ab in update_gdi_cache_bitmap_v3 (/usr/local/lib/libfreerdp2.so.2+0xc79ab)
    #4 0x7f01fd4910bd in update_recv_order (/usr/local/lib/libfreerdp2.so.2+0x14f0bd)
    #5 0x7f01fd4f4b4d in update_recv (/usr/local/lib/libfreerdp2.so.2+0x1b2b4d)
    #6 0x7f01fd4cbe09 in rdp_recv_data_pdu (/usr/local/lib/libfreerdp2.so.2+0x189e09)
    #7 0x7f01fd4cdaf0 in rdp_recv_pdu (/usr/local/lib/libfreerdp2.so.2+0x18baf0)
    #8 0x7f01fd4cf07a in rdp_recv_callback (/usr/local/lib/libfreerdp2.so.2+0x18d07a)
    #9 0x7f01fd4e3a50 in transport_check_fds (/usr/local/lib/libfreerdp2.so.2+0x1a1a50)
    #10 0x7f01fd4cfecf in rdp_check_fds (/usr/local/lib/libfreerdp2.so.2+0x18decf)
    #11 0x7f01fd497eba in freerdp_check_fds (/usr/local/lib/libfreerdp2.so.2+0x155eba)
    #12 0x7f01fd49a107 in freerdp_check_event_handles (/usr/local/lib/libfreerdp2.so.2+0x158107)
    #13 0x449e36 in xf_client_thread (/home/XXX/FreeRDP-2.0.0-rc3/xfreerdp+0x449e36)
    #14 0x7f01fcb06ec5 in thread_launcher (/usr/local/lib/libwinpr2.so.2+0x122ec5)
    #15 0x7f01fc4046b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #16 0x7f01fc72141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x62d000026428 is located 0 bytes to the right of 32808-byte region [0x62d00001e400,0x62d000026428)
allocated by thread T1 here:
    #0 0x7f01ff094602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f01fcb370cf in _aligned_offset_malloc (/usr/local/lib/libwinpr2.so.2+0x1530cf)
    #2 0x7f01fd3f03ed in gdi_Bitmap_Decompress (/usr/local/lib/libfreerdp2.so.2+0xae3ed)
    #3 0x7f01fd4099ab in update_gdi_cache_bitmap_v3 (/usr/local/lib/libfreerdp2.so.2+0xc79ab)
    #4 0x7f01fd4910bd in update_recv_order (/usr/local/lib/libfreerdp2.so.2+0x14f0bd)
    #5 0x7f01fd4f4b4d in update_recv (/usr/local/lib/libfreerdp2.so.2+0x1b2b4d)
    #6 0x7f01fd4cbe09 in rdp_recv_data_pdu (/usr/local/lib/libfreerdp2.so.2+0x189e09)
    #7 0x7f01fd4cdaf0 in rdp_recv_pdu (/usr/local/lib/libfreerdp2.so.2+0x18baf0)
    #8 0x7f01fd4cf07a in rdp_recv_callback (/usr/local/lib/libfreerdp2.so.2+0x18d07a)
    #9 0x7f01fd4e3a50 in transport_check_fds (/usr/local/lib/libfreerdp2.so.2+0x1a1a50)
    #10 0x7f01fd4cfecf in rdp_check_fds (/usr/local/lib/libfreerdp2.so.2+0x18decf)
    #11 0x7f01fd497eba in freerdp_check_fds (/usr/local/lib/libfreerdp2.so.2+0x155eba)
    #12 0x7f01fd49a107 in freerdp_check_event_handles (/usr/local/lib/libfreerdp2.so.2+0x158107)
    #13 0x449e36 in xf_client_thread (/home/XXX/FreeRDP-2.0.0-rc3/xfreerdp+0x449e36)
    #14 0x7f01fcb06ec5 in thread_launcher (/usr/local/lib/libwinpr2.so.2+0x122ec5)
    #15 0x7f01fc4046b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x7f01ff032253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7f01fcb06bf4 in winpr_StartThread (/usr/local/lib/libwinpr2.so.2+0x122bf4)
    #2 0x7f01fcb074b7 in CreateThread (/usr/local/lib/libwinpr2.so.2+0x1234b7)
    #3 0x446f7f in xfreerdp_client_start (/home/XXX/FreeRDP-2.0.0-rc3/xfreerdp+0x446f7f)
    #4 0x4079d0 in main (/home/XXX/FreeRDP-2.0.0-rc3/xfreerdp+0x4079d0)
    #5 0x7f01fc63a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c5a7fffcc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffcc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffcc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffcc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffcc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a7fffcc80: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffcc90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffcca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffccb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffccc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffccd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16430==ABORTING