FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, "planar_decompress_plane_rle()" writes into "pDstData" at "((nYDst+y) * nDstStep) + (4*nXDst) + nChannel" without verifying that "(nYDst+nSrcHeight)" fits in the destination height or that "(nXDst+nSrcWidth)" fits in the destination stride. When "TempFormat != DstFormat", "pDstData" becomes "planar->pTempData" (sized for the desktop), while "nYDst" is only validated against the surface by "is_within_surface()". A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent "NSC_CONTEXT" struct's "decode" function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout ("nsc->decode = 0xFF414141FF414141"). Version 3.23.0 fixes the vulnerability.