Hello community,

here is the log from the commit of package freerdp2 for openSUSE:Factory checked in at 2026-02-11 18:48:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/freerdp2 (Old)
 and /work/SRC/openSUSE:Factory/.freerdp2.new.1670 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freerdp2" Wed Feb 11 18:48:55 2026 rev:7 rq:1332395 version:2.11.7 Changes: -------- --- /work/SRC/openSUSE:Factory/freerdp2/freerdp2.changes 2025-10-24 17:25:32.896746839 +0200 +++ /work/SRC/openSUSE:Factory/.freerdp2.new.1670/freerdp2.changes 2026-02-11 18:50:14.000869209 +0100 @@ -1,0 +2,13 @@ +Fri Feb 6 07:57:57 UTC 2026 - Yifan Jiang <[email protected]> + +- Add patches to fix CVE issues: + + freerdp-CVE-2026-22852.patch (CVE-2026-22852, bsc#1256718) + + freerdp-CVE-2026-22854.patch (CVE-2026-22854, bsc#1256720) + + freerdp-CVE-2026-22856.patch (CVE-2026-22856, bsc#1256722) + + freerdp-CVE-2026-22859.patch (CVE-2026-22859, bsc#1256725) + + freerdp-CVE-2026-23530.patch (CVE-2026-23530, bsc#1256940) + + freerdp-CVE-2026-23531.patch (CVE-2026-23531, bsc#1256941) + + freerdp-CVE-2026-23532.patch (CVE-2026-23532, bsc#1256942) + + freerdp-CVE-2026-23534.patch (CVE-2026-23534, bsc#1256944) + +------------------------------------------------------------------- 
@@ -83 +96 @@ - * Fix integer overflow in progressive decoder + * Fix integer overflow in progressive decoder (bsc#1219049, CVE-2024-22211) New: ---- freerdp-CVE-2026-22852.patch freerdp-CVE-2026-22854.patch freerdp-CVE-2026-22856.patch freerdp-CVE-2026-22859.patch freerdp-CVE-2026-23530.patch freerdp-CVE-2026-23531.patch freerdp-CVE-2026-23532.patch freerdp-CVE-2026-23534.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freerdp2.spec ++++++ --- 
/var/tmp/diff_new_pack.MNJYCE/_old 2026-02-11 18:50:16.976994190 +0100 +++ /var/tmp/diff_new_pack.MNJYCE/_new 2026-02-11 18:50:16.992994862 +0100 @@ -1,7 +1,7 @@ # # spec file for package freerdp2 # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -58,6 +58,22 @@ Patch9: 0007-server-proxy-deactivate-capture-module.patch # PATCH-FIX-UPSTREAM -- ffmpeg 7 compat Patch10: 0001-Fix-build-with-ffmpeg-7.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22852.patch bsc#1256718 [email protected] -- free up old audio formats +Patch12: freerdp-CVE-2026-22852.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22854.patch bsc#1256720 [email protected] -- fix constant type +Patch13: freerdp-CVE-2026-22854.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22856.patch bsc#1256722 [email protected] -- explicitly lock serial->IrpThreads +Patch15: freerdp-CVE-2026-22856.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22859.patch bsc#1256725 [email protected] -- check interface indices before use +Patch17: freerdp-CVE-2026-22859.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23530.patch bsc#1256940 [email protected] -- [codec,planar] fix decoder length checks +Patch18: freerdp-CVE-2026-23530.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23531.patch bsc#1256941 [email protected] -- [codec,clear] fix missing length checks +Patch19: freerdp-CVE-2026-23531.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23532.patch bsc#1256942 [email protected] -- [gdi,gfx] properly clamp SurfaceToSurface +Patch20: freerdp-CVE-2026-23532.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23534.patch bsc#1256944 [email protected] -- [codec,clear] fix off by one length check +Patch22: freerdp-CVE-2026-23534.patch BuildRequires: cmake >= 2.8 BuildRequires: cups-devel BuildRequires: ed ++++++ freerdp-CVE-2026-22852.patch ++++++ 
>From cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sat, 10 Jan 2026 08:36:38 +0100 Subject: [PATCH] [channels,audin] free up old audio formats --- channels/audin/client/audin_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c index bcaf1a646265..b4c8ba58073a 100644 --- a/channels/audin/client/audin_main.c +++ b/channels/audin/client/audin_main.c @@ -206,6 +206,10 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c } Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */ + + audio_formats_free(callback->formats, callback->formats_count); + callback->formats_count = 0; + callback->formats = audio_formats_new(NumFormats); if (!callback->formats) ++++++ freerdp-CVE-2026-22854.patch ++++++ >From 3da319570c8a6be0a79b3306f1ed354c4a943259 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Mon, 12 Jan 2026 03:44:06 +0100 Subject: [PATCH] [channels,drive] fix constant type ensure constant is of 64bit integer type --- channels/drive/client/drive_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c index 1dce5c348a61..13188fbc6427 100644 --- a/channels/drive/client/drive_main.c +++ b/channels/drive/client/drive_main.c @@ -302,7 +302,7 @@ static UINT drive_process_irp_read(DRIVE_DEVICE* drive, IRP* irp) Length = 0; } - if (!Stream_EnsureRemainingCapacity(irp->output, Length + 4)) + if (!Stream_EnsureRemainingCapacity(irp->output, 4ull + Length)) { WLog_ERR(TAG, "Stream_EnsureRemainingCapacity failed!"); return ERROR_INTERNAL_ERROR; ++++++ freerdp-CVE-2026-22856.patch ++++++ >From 675c20f08f32ca5ec06297108bdf30147d6e2cd9 Mon Sep 17 00:00:00 2001 
From: akallabeth <[email protected]> Date: Tue, 13 Jan 2026 09:39:33 +0100 Subject: [PATCH] [channels,serial] explicitly lock serial->IrpThreads --- channels/serial/client/serial_main.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) Index: freerdp-2.11.7/channels/serial/client/serial_main.c =================================================================== --- freerdp-2.11.7.orig/channels/serial/client/serial_main.c +++ freerdp-2.11.7/channels/serial/client/serial_main.c @@ -595,7 +595,9 @@ static void create_irp_thread(SERIAL_DEV * observed with FreeRDP). */ key = irp->CompletionId; + ListDictionary_Lock(serial->IrpThreads); previousIrpThread = ListDictionary_GetItemValue(serial->IrpThreads, (void*)key); + ListDictionary_Unlock(serial->IrpThreads); if (previousIrpThread) { @@ -693,7 +695,9 @@ static void terminate_pending_irp_thread WLog_Print(serial->log, WLOG_DEBUG, "IRP thread terminated, CompletionId %p", (void*)id); } + ListDictionary_Lock(serial->IrpThreads); ListDictionary_Clear(serial->IrpThreads); + ListDictionary_Unlock(serial->IrpThreads); free(ids); } ++++++ freerdp-CVE-2026-22859.patch ++++++ >From 7b7e6de8fe427a2f01d331056774aec69710590b Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sat, 10 Jan 2026 08:43:40 +0100 Subject: [PATCH] [channels,urbdrc] check interface indices before use --- channels/urbdrc/client/data_transfer.c | 6 +- .../urbdrc/client/libusb/libusb_udevice.c | 78 ++++++++++++------- channels/urbdrc/common/msusb.c | 6 +- 3 files changed, 54 insertions(+), 36 deletions(-) Index: freerdp-2.11.7/channels/urbdrc/client/data_transfer.c =================================================================== --- freerdp-2.11.7.orig/channels/urbdrc/client/data_transfer.c +++ freerdp-2.11.7/channels/urbdrc/client/data_transfer.c 
@@ -397,13 +397,12 @@ static void func_select_all_interface_fo { UINT32 inum; MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces; - BYTE InterfaceNumber, AlternateSetting; UINT32 NumInterfaces = MsConfig->NumInterfaces; for (inum = 0; inum < NumInterfaces; inum++) { - InterfaceNumber = MsInterfaces[inum]->InterfaceNumber; - AlternateSetting = MsInterfaces[inum]->AlternateSetting; + const BYTE InterfaceNumber = MsInterfaces[inum]->InterfaceNumber; + const BYTE AlternateSetting = MsInterfaces[inum]->AlternateSetting; pdev->select_interface(pdev, InterfaceNumber, AlternateSetting); } } Index: freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c =================================================================== --- freerdp-2.11.7.orig/channels/urbdrc/client/libusb/libusb_udevice.c +++ freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c @@ -571,25 +571,13 @@ static MSUSB_CONFIG_DESCRIPTOR* libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsConfig) { UDEVICE* pdev = (UDEVICE*)idev; - MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces; - MSUSB_INTERFACE_DESCRIPTOR* MsInterface; - MSUSB_PIPE_DESCRIPTOR** MsPipes; - MSUSB_PIPE_DESCRIPTOR* MsPipe; - MSUSB_PIPE_DESCRIPTOR** t_MsPipes; - MSUSB_PIPE_DESCRIPTOR* t_MsPipe; - LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig; - const LIBUSB_INTERFACE* LibusbInterface; - const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting; - const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint; - BYTE LibusbNumEndpoint; - URBDRC_PLUGIN* urbdrc; UINT32 inum = 0, pnum = 0, MsOutSize = 0; if (!pdev || !pdev->LibusbConfig || !pdev->urbdrc || !MsConfig) return NULL; - urbdrc = pdev->urbdrc; - LibusbConfig = pdev->LibusbConfig; + URBDRC_PLUGIN* urbdrc = pdev->urbdrc; + LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig = pdev->LibusbConfig; if (LibusbConfig->bNumInterfaces != MsConfig->NumInterfaces) { 
@@ -597,28 +585,56 @@ libusb_udev_complete_msconfig_setup(IUDE "Select Configuration: Libusb NumberInterfaces(%" PRIu8 ") is different " "with MsConfig NumberInterfaces(%" PRIu32 ")", LibusbConfig->bNumInterfaces, MsConfig->NumInterfaces); + return NULL; } /* replace MsPipes for libusb */ - MsInterfaces = MsConfig->MsInterfaces; + MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces; for (inum = 0; inum < MsConfig->NumInterfaces; inum++) { - MsInterface = MsInterfaces[inum]; + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; + if (MsInterface->InterfaceNumber >= MsConfig->NumInterfaces) + { + WLog_Print(urbdrc->log, WLOG_ERROR, + "MSUSB_CONFIG_DESCRIPTOR::NumInterfaces (%" PRIu32 + " <= MSUSB_INTERFACE_DESCRIPTOR::InterfaceNumber( %" PRIu8 ")", + MsConfig->NumInterfaces, MsInterface->InterfaceNumber); + return NULL; + } + + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + if (MsInterface->AlternateSetting >= LibusbInterface->num_altsetting) + { + WLog_Print(urbdrc->log, WLOG_ERROR, + "LIBUSB_INTERFACE::num_altsetting (%" PRId32 + " <= MSUSB_INTERFACE_DESCRIPTOR::AlternateSetting( %" PRIu8 ")", + LibusbInterface->num_altsetting, MsInterface->AlternateSetting); + return NULL; + } + } + + for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++) + { + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; /* get libusb's number of endpoints */ - LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber]; - LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting]; - LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; - t_MsPipes = + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting = + &LibusbInterface->altsetting[MsInterface->AlternateSetting]; + const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; + MSUSB_PIPE_DESCRIPTOR** 
t_MsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(LibusbNumEndpoint, sizeof(MSUSB_PIPE_DESCRIPTOR*)); for (pnum = 0; pnum < LibusbNumEndpoint; pnum++) { - t_MsPipe = (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR)); + MSUSB_PIPE_DESCRIPTOR* t_MsPipe = + (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR)); if (pnum < MsInterface->NumberOfPipes && MsInterface->MsPipes) { - MsPipe = MsInterface->MsPipes[pnum]; + MSUSB_PIPE_DESCRIPTOR* MsPipe = MsInterface->MsPipes[pnum]; t_MsPipe->MaximumPacketSize = MsPipe->MaximumPacketSize; t_MsPipe->MaximumTransferSize = MsPipe->MaximumTransferSize; t_MsPipe->PipeFlags = MsPipe->PipeFlags; @@ -656,10 +671,12 @@ libusb_udev_complete_msconfig_setup(IUDE for (inum = 0; inum < MsConfig->NumInterfaces; inum++) { MsOutSize += 16; - MsInterface = MsInterfaces[inum]; + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum]; /* get libusb's interface */ - LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber]; - LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting]; + const LIBUSB_INTERFACE* LibusbInterface = + &LibusbConfig->interface[MsInterface->InterfaceNumber]; + const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting = + &LibusbInterface->altsetting[MsInterface->AlternateSetting]; /* InterfaceHandle: 4 bytes * --------------------------------------------------------------- * ||<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|| 
@@ -674,15 +691,15 @@ libusb_udev_complete_msconfig_setup(IUDE MsInterface->bInterfaceSubClass = LibusbAltsetting->bInterfaceSubClass; MsInterface->bInterfaceProtocol = LibusbAltsetting->bInterfaceProtocol; MsInterface->InitCompleted = 1; - MsPipes = MsInterface->MsPipes; - LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; + MSUSB_PIPE_DESCRIPTOR** MsPipes = MsInterface->MsPipes; + const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints; for (pnum = 0; pnum < LibusbNumEndpoint; pnum++) { MsOutSize += 20; - MsPipe = MsPipes[pnum]; + MSUSB_PIPE_DESCRIPTOR* MsPipe = MsPipes[pnum]; /* get libusb's endpoint */ - LibusbEndpoint = &LibusbAltsetting->endpoint[pnum]; + const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint = &LibusbAltsetting->endpoint[pnum]; /* PipeHandle: 4 bytes * --------------------------------------------------------------- * ||<<< 1 byte >>>|<<< 1 byte >>>|<<<<<<<<<< 2 byte >>>>>>>>>>>|| Index: freerdp-2.11.7/channels/urbdrc/common/msusb.c =================================================================== --- freerdp-2.11.7.orig/channels/urbdrc/common/msusb.c +++ freerdp-2.11.7/channels/urbdrc/common/msusb.c @@ -139,6 +139,8 @@ BOOL msusb_msinterface_replace(MSUSB_CON { if (!MsConfig || !MsConfig->MsInterfaces) return FALSE; + if (MsConfig->NumInterfaces <= InterfaceNumber) + return FALSE; msusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]); MsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface; @@ -147,12 +149,10 @@ BOOL msusb_msinterface_replace(MSUSB_CON MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s) { - MSUSB_INTERFACE_DESCRIPTOR* MsInterface; - if (Stream_GetRemainingCapacity(s) < 12) return NULL; - MsInterface = msusb_msinterface_new(); + MSUSB_INTERFACE_DESCRIPTOR* MsInterface = msusb_msinterface_new(); if (!MsInterface) return NULL; ++++++ freerdp-CVE-2026-23530.patch ++++++ >From 1bab198a2edd0d0e6e1627d21a433151ea190500 Mon Sep 17 00:00:00 2001 
From: akallabeth <[email protected]> Date: Thu, 15 Jan 2026 12:02:02 +0100 Subject: [PATCH] [codec,planar] fix decoder length checks --- libfreerdp/codec/planar.c | 5 +++++ 1 file changed, 5 insertions(+) Index: freerdp-2.11.7/libfreerdp/codec/planar.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/planar.c +++ freerdp-2.11.7/libfreerdp/codec/planar.c @@ -616,6 +616,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CON WINPR_ASSERT(planar); WINPR_ASSERT(prims); + if (planar->maxWidth < nSrcWidth) + return FALSE; + if (planar->maxHeight < nSrcHeight) + return FALSE; + if (nDstStep <= 0) nDstStep = nDstWidth * GetBytesPerPixel(DstFormat); ++++++ freerdp-CVE-2026-23531.patch ++++++ >From 25102b432fb37916a1a553d7ef8fd940c6e52c3f Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Thu, 15 Jan 2026 12:17:33 +0100 Subject: [PATCH] [codec,clear] fix missing length checks --- libfreerdp/codec/clear.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/clear.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/clear.c +++ freerdp-2.11.7/libfreerdp/codec/clear.c 
@@ -1141,7 +1141,54 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl if (glyphData) { - if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData, + uint32_t w = MIN(nWidth, nDstWidth); + if (nXDst > nDstWidth) + { + WLog_WARN(TAG, "glyphData copy area x exceeds destination: x=%" PRIu32 " > %" PRIu32, + nXDst, nDstWidth); + w = 0; + } + else if (nXDst + w > nDstWidth) + { + WLog_WARN(TAG, + "glyphData copy area x + width exceeds destination: x=%" PRIu32 " + %" PRIu32 + " > %" PRIu32, + nXDst, w, nDstWidth); + w = nDstWidth - nXDst; + } + + if (w != nWidth) + { + WLog_WARN(TAG, + "glyphData copy area width truncated: requested=%" PRIu32 + ", truncated to %" PRIu32, + nWidth, w); + } + + uint32_t h = MIN(nHeight, nDstHeight); + if (nYDst > nDstHeight) + { + WLog_WARN(TAG, "glyphData copy area y exceeds destination: y=%" PRIu32 " > %" PRIu32, + nYDst, nDstHeight); + h = 0; + } + else if (nYDst + h > nDstHeight) + { + WLog_WARN(TAG, + "glyphData copy area y + height exceeds destination: x=%" PRIu32 " + %" PRIu32 + " > %" PRIu32, + nYDst, h, nDstHeight); + h = nDstHeight - nYDst; + } + + if (h != nHeight) + { + WLog_WARN(TAG, + "glyphData copy area height truncated: requested=%" PRIu32 + ", truncated to %" PRIu32, + nHeight, h); + } + if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, w, h, pDstData, DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE)) goto fail; } ++++++ freerdp-CVE-2026-23532.patch ++++++ >From c4a7c371342edf0d307cea728f56d3302f0ab38c Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Thu, 15 Jan 2026 12:04:36 +0100 Subject: [PATCH] [gdi,gfx] properly clamp SurfaceToSurface --- libfreerdp/gdi/gfx.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) Index: freerdp-2.11.7/libfreerdp/gdi/gfx.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/gdi/gfx.c +++ freerdp-2.11.7/libfreerdp/gdi/gfx.c 
@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxC UINT status = ERROR_INTERNAL_ERROR; UINT16 index; BOOL sameSurface; - UINT32 nWidth, nHeight; const RECTANGLE_16* rectSrc; RECTANGLE_16 invalidRect; gdiGfxSurface* surfaceSrc; @@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxC if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height)) goto fail; - nWidth = rectSrc->right - rectSrc->left; - nHeight = rectSrc->bottom - rectSrc->top; + const UINT32 nWidth = rectSrc->right - rectSrc->left; + const UINT32 nHeight = rectSrc->bottom - rectSrc->top; for (index = 0; index < surfaceToSurface->destPtsCount; index++) { @@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxC if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height)) goto fail; + const UINT32 rwidth = rect.right - rect.left; + const UINT32 rheight = rect.bottom - rect.top; if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline, - destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data, + destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data, surfaceSrc->format, surfaceSrc->scanline, rectSrc->left, rectSrc->top, NULL, FREERDP_FLIP_NONE)) goto fail; ++++++ freerdp-CVE-2026-23534.patch ++++++ >From f8688b57f6cfad9a0b05475a6afbde355ffab720 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Thu, 15 Jan 2026 12:19:53 +0100 Subject: [PATCH] [codec,clear] fix off by one length check --- libfreerdp/codec/clear.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/clear.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/clear.c +++ freerdp-2.11.7/libfreerdp/codec/clear.c 
@@ -883,11 +883,13 @@ static BOOL clear_decompress_bands_data( if (count > nHeight) count = nHeight; - if (nXDstRel + i > nDstWidth) + if (nXDstRel + i >= nDstWidth) return FALSE; for (UINT32 y = 0; y < count; y++) { + if (nYDstRel + y >= nDstHeight) + return FALSE; BYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) + ((nXDstRel + i) * GetBytesPerPixel(DstFormat))]; UINT32 color = ReadColor(cpSrcPixel, clear->format);
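Review bot: In the freerdp2.spec hunk the new Patch tags are numbered 12, 13, 15, 17, 18, 19, 20 and 22, leaving 11, 14, 16 and 21 unused with no explanation. If those slots are reserved for patches that are pending or were dropped, say so in a spec comment; otherwise number the tags contiguously so a later reader does not go looking for missing fixes.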
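Review bot: In audin_process_formats (freerdp-CVE-2026-22852.patch) `audio_formats_free(callback->formats, callback->formats_count)` now runs on every formats message, including the first one, when `callback->formats` has not been allocated yet. The hunk does not show whether audio_formats_free accepts a NULL list with a zero count, so either confirm that or guard the call. A one-line comment that a repeated formats message replaces the previous list would also record why the free is there.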
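Review bot: In drive_process_irp_read (freerdp-CVE-2026-22854.patch) `4ull + Length` makes the addition 64-bit, but the result is still converted to whatever parameter type Stream_EnsureRemainingCapacity takes, which the hunk does not show. If that type is narrower than 64 bits on some targets, the sum can still wrap after the conversion. An explicit upper bound on `Length` before the call would make the fix independent of the platform word size.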
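Review bot: In create_irp_thread (freerdp-CVE-2026-22856.patch, first hunk) the lock is dropped right after `ListDictionary_GetItemValue`, yet `previousIrpThread` is used in the `if (previousIrpThread)` block that follows. The lookup is protected but the returned handle is not, so another thread can remove or close that entry between the unlock and the use. Hold the lock across the block that consumes `previousIrpThread`, or document why the handle stays valid after the unlock.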
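Review bot: In terminate_pending_irp_threads (freerdp-CVE-2026-22856.patch, second hunk) the lock wraps only `ListDictionary_Clear`, while the per-id termination logged just above it ("IRP thread terminated") has already run without the lock. An entry added after the ids were collected would be cleared without its thread being terminated. Consider taking the lock before the ids are gathered and releasing it after the clear, or add a comment explaining why no entry can be added in that window.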
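Review bot: In libusb_udev_complete_msconfig_setup (freerdp-CVE-2026-22859.patch, hunk at -597) the results of both `calloc` calls, `t_MsPipes` and `t_MsPipe`, are still used without a NULL check; `t_MsPipe->MaximumPacketSize = ...` is written straight after the allocation. Since the lines are being touched anyway, add the checks and a cleanup path. Two smaller points in the same hunk: `for (UINT32 inum = 0; ...)` shadows the `inum` declared at the top of the function, and both new error messages open two parentheses but close only one.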
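Review bot: In msusb_msinterface_replace (freerdp-CVE-2026-22859.patch, msusb.c) the new `return FALSE` for `MsConfig->NumInterfaces <= InterfaceNumber` leaves `NewMsInterface` with the caller, whereas the success path stores it in `MsConfig->MsInterfaces[InterfaceNumber]`. Document that ownership is not transferred on failure so callers free it, and log the rejected index as the other new checks in this patch do.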
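Review bot: In planar_decompress (freerdp-CVE-2026-23530.patch) the two new checks against `planar->maxWidth` and `planar->maxHeight` return FALSE without logging, unlike the bounds checks added in the other patches of this series. Add a WLog line with both values so a rejected bitmap can be diagnosed. The hunk does not show the types of `nSrcWidth` and `nSrcHeight`; if they are signed, also reject negative values explicitly rather than relying on the comparison.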
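Review bot: In clear_decompress (freerdp-CVE-2026-23531.patch) the glyphData path clamps `w` or `h` to 0 when `nXDst > nDstWidth` or `nYDst > nDstHeight` and then still calls `freerdp_image_copy` with that zero size. State whether an out-of-range glyph position should be a decode failure (`goto fail`) or a silent skip, and skip the copy when either dimension is 0. The warning in the `nYDst + h > nDstHeight` branch prints the label `x=` for a y value, and the mail header reports 4 insertions and 2 deletions while the hunk header reads `-1141,7 +1141,54`, so the description should be updated to match the backport.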
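Review bot: In gdi_SurfaceToSurface (freerdp-CVE-2026-23532.patch) the copy size changes from `nWidth`/`nHeight` to `rwidth`/`rheight` taken from `rect`, but the hunk does not show how `rect` is built, so the reason the two sizes can differ is not visible. Add a comment stating that `rect` is the destination rectangle after clamping and that the source read starting at `rectSrc->left`, `rectSrc->top` stays inside `surfaceSrc` for that size. If `nWidth` and `nHeight` are now used only to construct `rect`, say that as well.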
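Review bot: In clear_decompress_bands_data (freerdp-CVE-2026-23534.patch) the new `nYDstRel + y >= nDstHeight` test sits inside the `for (UINT32 y = 0; y < count; y++)` loop, so rows before the failing one are already written to `pDstData` when the function returns FALSE. Checking `nYDstRel + count > nDstHeight` once before the loop rejects the band without a partial write and removes a branch per row. The mail header also reports 2 insertions and 2 deletions while the hunk header reads `-883,11 +883,13`.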
