Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package freerdp2 for openSUSE:Factory checked in at 2026-03-29 20:00:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freerdp2 (Old) and /work/SRC/openSUSE:Factory/.freerdp2.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freerdp2" Sun Mar 29 20:00:44 2026 rev:9 rq:1343389 version:2.11.7 Changes: -------- --- /work/SRC/openSUSE:Factory/freerdp2/freerdp2.changes 2026-02-24 15:40:24.322907494 +0100 +++ /work/SRC/openSUSE:Factory/.freerdp2.new.8177/freerdp2.changes 2026-03-29 20:00:54.669973089 +0200 @@ -1,0 +2,30 @@ +Thu Mar 26 07:49:22 UTC 2026 - Yifan Jiang <[email protected]> + +- Add patches to fix CVE issues: + + freerdp-CVE-2026-26271.patch (CVE-2026-26271, bsc#1258979) + + freerdp-CVE-2026-26955.patch (CVE-2026-26955, bsc#1258982) + + freerdp-CVE-2026-26965.patch (CVE-2026-26965, bsc#1258985) + + freerdp-CVE-2026-31806.patch (CVE-2026-31806, bsc#1259653) + + freerdp-CVE-2026-31883_31885.patch (CVE-2026-31883, + CVE-2026-31885, bsc#1259679 bsc#1259686) + +------------------------------------------------------------------- +Wed Mar 11 12:06:22 UTC 2026 - [email protected] + +- Fix for SG#71728, bsc#1259251: + * freerdp-CVE-2026-24491.patch: Fix use-after-free that was + accidentally introduced in the backport. + +------------------------------------------------------------------- +Thu Feb 26 03:11:35 UTC 2026 - Yifan Jiang <[email protected]> + +- Add patches to fix CVE issues: + + freerdp-3-macro.patch + + freerdp-CVE-2026-22855.patch (CVE-2026-22855, bsc#1256721) + + freerdp-CVE-2026-22857.patch (CVE-2026-22857, bsc#1256723) + + freerdp-CVE-2026-23533.patch (CVE-2026-23533, bsc#1256943) + + freerdp-CVE-2026-23732.patch (CVE-2026-23732, bsc#1256945) + + freerdp-CVE-2026-23883.patch (CVE-2026-23883, bsc#1256946) + + freerdp-CVE-2026-23884.patch (CVE-2026-23884, bsc#1256947) + +------------------------------------------------------------------- New: ---- freerdp-3-macro.patch freerdp-CVE-2026-22855.patch freerdp-CVE-2026-22857.patch freerdp-CVE-2026-23533.patch freerdp-CVE-2026-23732.patch freerdp-CVE-2026-23883.patch freerdp-CVE-2026-23884.patch freerdp-CVE-2026-26271.patch freerdp-CVE-2026-26955.patch freerdp-CVE-2026-26965.patch freerdp-CVE-2026-31806.patch freerdp-CVE-2026-31883_31885.patch ----------(New B)---------- New:- Add patches to fix CVE issues: + freerdp-3-macro.patch + freerdp-CVE-2026-22855.patch (CVE-2026-22855, bsc#1256721) New: + freerdp-3-macro.patch + freerdp-CVE-2026-22855.patch (CVE-2026-22855, bsc#1256721) + freerdp-CVE-2026-22857.patch (CVE-2026-22857, bsc#1256723) New: + freerdp-CVE-2026-22855.patch (CVE-2026-22855, bsc#1256721) + freerdp-CVE-2026-22857.patch (CVE-2026-22857, bsc#1256723) + freerdp-CVE-2026-23533.patch (CVE-2026-23533, bsc#1256943) New: + freerdp-CVE-2026-22857.patch (CVE-2026-22857, bsc#1256723) + freerdp-CVE-2026-23533.patch (CVE-2026-23533, bsc#1256943) + freerdp-CVE-2026-23732.patch (CVE-2026-23732, bsc#1256945) New: + freerdp-CVE-2026-23533.patch (CVE-2026-23533, bsc#1256943) + freerdp-CVE-2026-23732.patch (CVE-2026-23732, bsc#1256945) + freerdp-CVE-2026-23883.patch (CVE-2026-23883, bsc#1256946) New: + freerdp-CVE-2026-23732.patch (CVE-2026-23732, bsc#1256945) + freerdp-CVE-2026-23883.patch (CVE-2026-23883, bsc#1256946) + freerdp-CVE-2026-23884.patch (CVE-2026-23884, bsc#1256947) New: + freerdp-CVE-2026-23883.patch (CVE-2026-23883, bsc#1256946) + freerdp-CVE-2026-23884.patch (CVE-2026-23884, bsc#1256947) New:- Add patches to fix CVE issues: + freerdp-CVE-2026-26271.patch (CVE-2026-26271, bsc#1258979) + freerdp-CVE-2026-26955.patch (CVE-2026-26955, bsc#1258982) New: + freerdp-CVE-2026-26271.patch (CVE-2026-26271, bsc#1258979) + freerdp-CVE-2026-26955.patch (CVE-2026-26955, bsc#1258982) + freerdp-CVE-2026-26965.patch (CVE-2026-26965, bsc#1258985) New: + freerdp-CVE-2026-26955.patch (CVE-2026-26955, bsc#1258982) + freerdp-CVE-2026-26965.patch (CVE-2026-26965, bsc#1258985) + freerdp-CVE-2026-31806.patch (CVE-2026-31806, bsc#1259653) New: + freerdp-CVE-2026-26965.patch (CVE-2026-26965, bsc#1258985) + freerdp-CVE-2026-31806.patch (CVE-2026-31806, bsc#1259653) + freerdp-CVE-2026-31883_31885.patch (CVE-2026-31883, New: + freerdp-CVE-2026-31806.patch (CVE-2026-31806, bsc#1259653) + freerdp-CVE-2026-31883_31885.patch (CVE-2026-31883, CVE-2026-31885, bsc#1259679 bsc#1259686) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freerdp2.spec ++++++ --- /var/tmp/diff_new_pack.phaJya/_old 2026-03-29 20:00:55.530008522 +0200 +++ /var/tmp/diff_new_pack.phaJya/_new 2026-03-29 20:00:55.534008687 +0200 @@ -58,40 +58,65 @@ Patch9: 0007-server-proxy-deactivate-capture-module.patch # PATCH-FIX-UPSTREAM -- ffmpeg 7 compat Patch10: 0001-Fix-build-with-ffmpeg-7.patch +# PATCH-FIX-UPSTREAM freerdp-3-macro.patch gh#FreeRDP/FreeRDP!10953 -- macros backport, needed for future backport from versions above 3.10 +Patch11: freerdp-3-macro.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-22852.patch bsc#1256718 [email protected] -- free up old audio formats Patch12: freerdp-CVE-2026-22852.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-22854.patch bsc#1256720 [email protected] -- fix constant type -Patch13: freerdp-CVE-2026-22854.patch +Patch14: freerdp-CVE-2026-22854.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22855.patch bsc#1256721 [email protected] -- add length validity checks +Patch15: freerdp-CVE-2026-22855.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-22856.patch bsc#1256722 [email protected] -- explicitly lock serial->IrpThreads -Patch15: freerdp-CVE-2026-22856.patch +Patch16: freerdp-CVE-2026-22856.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-22857.patch bsc#1256723 [email protected] -- fix use after free +Patch17: freerdp-CVE-2026-22857.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-22859.patch bsc#1256725 [email protected] -- check interface indices before use -Patch17: freerdp-CVE-2026-22859.patch +Patch18: freerdp-CVE-2026-22859.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-23530.patch bsc#1256940 [email protected] -- [codec,planar] fix decoder length checks -Patch18: freerdp-CVE-2026-23530.patch +Patch19: freerdp-CVE-2026-23530.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-23531.patch bsc#1256941 [email protected] -- [codec,clear] fix missing length checks -Patch19: freerdp-CVE-2026-23531.patch +Patch20: freerdp-CVE-2026-23531.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-23532.patch bsc#1256942 [email protected] -- [gdi,gfx] properly clamp SurfaceToSurface -Patch20: freerdp-CVE-2026-23532.patch +Patch21: freerdp-CVE-2026-23532.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23533.patch bsc#1256943 [email protected] -- [codec,clear] fix clear_resize_buffer checks +Patch22: freerdp-CVE-2026-23533.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-23534.patch bsc#1256944 [email protected] -- [codec,clear] fix off by one length check -Patch22: freerdp-CVE-2026-23534.patch +Patch23: freerdp-CVE-2026-23534.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23732.patch bsc#1256945 [email protected] -- [codec,color] add freerdp_glyph_convert_ex +Patch24: freerdp-CVE-2026-23732.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23883.patch bsc#1256946 [email protected] -- [client,x11] fix double free in case of invalid pointer +Patch25: freerdp-CVE-2026-23883.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-23884.patch bsc#1256947 [email protected] -- [cache,offscreen] invalidate bitmap before free +Patch26: freerdp-CVE-2026-23884.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24491.patch bsc#1257981 [email protected] -- [channels,drdynvc] reset channel_callback before close -Patch23: freerdp-CVE-2026-24491.patch +Patch27: freerdp-CVE-2026-24491.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24675.patch bsc#1257982 [email protected] -- [channels,urbdrc] do not free MsConfig on failure -Patch24: freerdp-CVE-2026-24675.patch +Patch28: freerdp-CVE-2026-24675.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24676.patch bsc#1257983 [email protected] -- [channels,audin] reset audin->format -Patch25: freerdp-CVE-2026-24676.patch +Patch29: freerdp-CVE-2026-24676.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24679.patch bsc#1257986 [email protected] -- [channels,urbdrc] ensure InterfaceNumber is within range -Patch26: freerdp-CVE-2026-24679.patch +Patch30: freerdp-CVE-2026-24679.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24681.patch bsc#1257988 [email protected] -- [channels,urbdrc] cancel all usb transfers on channel close -Patch27: freerdp-CVE-2026-24681.patch +Patch31: freerdp-CVE-2026-24681.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24682.patch bsc#1257989 [email protected] -- [channels,audin] fix audin_server_recv_formats cleanup -Patch28: freerdp-CVE-2026-24682.patch +Patch32: freerdp-CVE-2026-24682.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24683.patch bsc#1257990 [email protected] -- [channels,ainput] lock context when updating listener -Patch29: freerdp-CVE-2026-24683.patch +Patch33: freerdp-CVE-2026-24683.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24684.patch bsc#1257991 [email protected] -- [channels,rdpsnd] terminate thread before free -Patch30: freerdp-CVE-2026-24684.patch +Patch34: freerdp-CVE-2026-24684.patch # PATCH-FIX-UPSTREAM freerdp-CVE-2026-24684-2.patch bsc#1257991 [email protected] -- [channel,rdpsnd] only clean up thread before free -Patch31: freerdp-CVE-2026-24684-2.patch +Patch35: freerdp-CVE-2026-24684-2.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-26271.patch bsc#1258979 [email protected] -- fix buffer overread in FreeRDP Icon Processing +Patch36: freerdp-CVE-2026-26271.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-26955.patch bsc#1258982 [email protected] -- fix out-of-bounds write +Patch37: freerdp-CVE-2026-26955.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-26965.patch bsc#1258985 [email protected] -- fix out-of-bounds write +Patch38: freerdp-CVE-2026-26965.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-31806.patch bsc#1259653 [email protected] -- fix improper validation of server messages +Patch39: freerdp-CVE-2026-31806.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2026-31883_31885.patch bsc#1259679 bsc#1259686 [email protected] -- fix array bounds check in IMA-ADPCM and MS-ADPCM audio decoders +Patch40: freerdp-CVE-2026-31883_31885.patch + BuildRequires: cmake >= 2.8 BuildRequires: cups-devel BuildRequires: ed ++++++ freerdp-3-macro.patch ++++++ Index: freerdp-2.11.7/winpr/include/winpr/assert.h =================================================================== --- freerdp-2.11.7.orig/winpr/include/winpr/assert.h +++ freerdp-2.11.7/winpr/include/winpr/assert.h @@ -47,6 +47,41 @@ } while (0) #endif +/** + * @brief C++ safe cast macro + * @since version 3.10.1 + */ +#ifdef __cplusplus +#define WINPR_CXX_COMPAT_CAST(t, val) static_cast<t>(val) +#else +#define WINPR_CXX_COMPAT_CAST(t, val) (t)(val) +#endif + +/** + * @brief A macro to do checked integer casts. + * will check if the value does change by casting to and from the target type and comparing the + * values. will also check if the sign of a value changes during conversion. + * + * @param type the type to cast to + * @param var the integer of unknown type to cast + * @return The casted integer + * @since version 3.10.1 + */ +#if defined(__GNUC__) || defined(__clang__) +#define WINPR_ASSERTING_INT_CAST(type, ivar) \ + __extension__({ \ + __typeof(ivar) var = ivar; \ + WINPR_ASSERT((var) == \ + WINPR_CXX_COMPAT_CAST(__typeof(var), WINPR_CXX_COMPAT_CAST(type, (var)))); \ + WINPR_ASSERT((((var) > 0) && (WINPR_CXX_COMPAT_CAST(type, (var)) > 0)) || \ + (((var) <= 0) && WINPR_CXX_COMPAT_CAST(type, (var)) <= 0)); \ + WINPR_CXX_COMPAT_CAST(type, (var)); \ + }) + +#else +#define WINPR_ASSERTING_INT_CAST(type, var) WINPR_CXX_COMPAT_CAST(type, var) +#endif + #ifdef __cplusplus extern "C" { ++++++ freerdp-CVE-2026-22855.patch ++++++ >From 57c5647d98c2a026de8b681159cb188ca0439ef8 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sun, 11 Jan 2026 09:03:57 +0100 Subject: [PATCH] [utils,smartcard] add length validity checks in smartcard_unpack_set_attrib_call input length validity checks were missing. --- libfreerdp/utils/smartcard_pack.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) Index: freerdp-2.11.7/channels/smartcard/client/smartcard_pack.c =================================================================== --- freerdp-2.11.7.orig/channels/smartcard/client/smartcard_pack.c +++ freerdp-2.11.7/channels/smartcard/client/smartcard_pack.c @@ -98,13 +98,16 @@ static BOOL smartcard_ndr_pointer_read_( return TRUE; } -static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize, - ndr_ptr_t type) +static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize, + ndr_ptr_t type, size_t* plen) { size_t len, offset, len2; void* r; size_t required; + if (plen) + *plen = 0; + switch (type) { case NDR_PTR_FULL: @@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* if (!r) return SCARD_E_NO_MEMORY; Stream_Read(s, r, len); - smartcard_unpack_read_size_align(NULL, s, len, 4); + const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4); + len += (size_t)pad; *data = r; + if (plen) + *plen = len; return STATUS_SUCCESS; } +static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize, + ndr_ptr_t type) +{ + return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL); +} + static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length) { const UINT32 ndrPtr = 0x20000 + (*index) * 4; @@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SM if (ndrPtr) { - // TODO: call->cbAttrLen was larger than the pointer value. - // TODO: Maybe need to refine the checks? - status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE); + size_t len = 0; + status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len); if (status != SCARD_S_SUCCESS) return status; + if (call->cbAttrLen > len) + call->cbAttrLen = WINPR_ASSERTING_INT_CAST(DWORD, len); } + else + call->cbAttrLen = 0; smartcard_trace_set_attrib_call(smartcard, call); return SCARD_S_SUCCESS; } ++++++ freerdp-CVE-2026-22857.patch ++++++ >From e99e33aea8c5e480e224f4a167947dfacf4584a2 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sun, 11 Jan 2026 09:12:37 +0100 Subject: [PATCH] [channels,serial] fix use after free --- channels/serial/client/serial_main.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) Index: freerdp-2.11.7/channels/serial/client/serial_main.c =================================================================== --- freerdp-2.11.7.orig/channels/serial/client/serial_main.c +++ freerdp-2.11.7/channels/serial/client/serial_main.c @@ -489,12 +489,13 @@ static UINT serial_process_irp(SERIAL_DE static DWORD WINAPI irp_thread_func(LPVOID arg) { IRP_THREAD_DATA* data = (IRP_THREAD_DATA*)arg; - UINT error; /* blocks until the end of the request */ - if ((error = serial_process_irp(data->serial, data->irp))) + UINT error = serial_process_irp(data->serial, data->irp); + if (error) { WLog_ERR(TAG, "serial_process_irp failed with error %" PRIu32 "", error); + data->irp->Discard(data->irp); goto error_out; } ++++++ freerdp-CVE-2026-23533.patch ++++++ >From c4391827d7facfc874ca7f61a92afb82232a5748 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Thu, 15 Jan 2026 12:11:57 +0100 Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks --- libfreerdp/codec/clear.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/clear.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/clear.c +++ freerdp-2.11.7/libfreerdp/codec/clear.c @@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT NSC_CONTEXT* nsc; UINT32 seqNumber; BYTE* TempBuffer; - UINT32 TempSize; + size_t TempSize; UINT32 nTempStep; UINT32 TempFormat; UINT32 format; @@ -313,12 +313,17 @@ static BOOL clear_decompress_subcode_rle static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height) { - UINT32 size; + UINT32 size; + const UINT64 area = 1ull * (width + 16ull) * (height + 16ull); + const UINT32 bpp = GetBytesPerPixel(clear->format); - if (!clear) - return FALSE; + if (!clear) + return FALSE; + + if (area > UINT32_MAX / bpp) + return FALSE; - size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format)); + size = (UINT32)(area * bpp); if (size > clear->TempSize) { ++++++ freerdp-CVE-2026-23732.patch ++++++ >From 3bc1eeb4f63ceec9a696af194e4c1ea0e67ff60c Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Fri, 16 Jan 2026 12:00:15 +0100 Subject: [PATCH] [codec,color] add freerdp_glyph_convert_ex The function freerdp_glyph_convert does not check input buffer length, deprecate it and provide a replacement that does properly check. --- include/freerdp/codec/color.h | 23 +++++++++++++++++++++-- libfreerdp/codec/color.c | 21 ++++++++++++++++++++- 2 files changed, 41 insertions(+), 3 deletions(-) Index: freerdp-2.11.7/include/freerdp/codec/color.h =================================================================== --- freerdp-2.11.7.orig/include/freerdp/codec/color.h +++ freerdp-2.11.7/include/freerdp/codec/color.h @@ -900,6 +900,20 @@ extern "C" /*** * + * @param width width to copy in pixels + * @param height height to copy in pixels + * @param data source buffer, must be (nWidth + 7) / 8 bytes long + * @param len the length of \ref data in bytes + * + * @return A buffer allocated with winpr_aligned_malloc(width * height, 16) + * if successful, NULL otherwise. + * @since version 3.21.0 + */ + FREERDP_API BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height, + const BYTE* data, size_t len); + + /*** + * * @param pDstData destination buffer * @param DstFormat destination buffer format * @param nDstStep destination buffer stride (line in bytes) 0 for default Index: freerdp-2.11.7/libfreerdp/codec/color.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/color.c +++ freerdp-2.11.7/libfreerdp/codec/color.c @@ -45,17 +45,33 @@ BYTE* freerdp_glyph_convert(UINT32 width, UINT32 height, const BYTE* data) { + const size_t scanline = (width + 7ull) / 8ull; + const size_t required = scanline * height; + return freerdp_glyph_convert_ex(width, height, data, required); +} + +BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height, const BYTE* data, + size_t len) +{ UINT32 x, y; const BYTE* srcp; BYTE* dstp; BYTE* dstData; - UINT32 scanline; /* * converts a 1-bit-per-pixel glyph to a one-byte-per-pixel glyph: * this approach uses a little more memory, but provides faster * means of accessing individual pixels in blitting operations */ - scanline = (width + 7) / 8; + const size_t scanline = (width + 7ull) / 8ull; + const size_t required = scanline * height; + if (len < required) + return NULL; + + if ((len == 0) || (width == 0) || (height == 0)) + return NULL; + + WINPR_ASSERT(data); + dstData = (BYTE*)_aligned_malloc(1ull * width * height, 16); if (!dstData) ++++++ freerdp-CVE-2026-23883.patch ++++++ >From 0421b53fcb4a80c95f51342e4a2c40c68a4101d3 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Mon, 19 Jan 2026 08:52:51 +0100 Subject: [PATCH] [client,x11] fix double free in case of invalid pointer --- client/X11/xf_graphics.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) Index: freerdp-2.11.7/client/X11/xf_graphics.c =================================================================== --- freerdp-2.11.7.orig/client/X11/xf_graphics.c +++ freerdp-2.11.7/client/X11/xf_graphics.c @@ -406,7 +406,6 @@ static BOOL xf_Pointer_New(rdpContext* c BOOL rc = FALSE; #ifdef WITH_XCURSOR UINT32 CursorFormat; - size_t size; xfContext* xfc = (xfContext*)context; xfPointer* xpointer = (xfPointer*)pointer; @@ -421,19 +420,19 @@ static BOOL xf_Pointer_New(rdpContext* c xpointer->nCursors = 0; xpointer->mCursors = 0; - size = 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat); + const size_t size = + 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat); - if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16))) + xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16); + if (!xpointer->cursorPixels) goto fail; if (!freerdp_image_copy_from_pointer_data( (BYTE*)xpointer->cursorPixels, CursorFormat, 0, 0, 0, pointer->width, pointer->height, pointer->xorMaskData, pointer->lengthXorMask, pointer->andMaskData, pointer->lengthAndMask, pointer->xorBpp, &context->gdi->palette)) - { - _aligned_free(xpointer->cursorPixels); - return FALSE; - } + goto fail; + rc = TRUE; #endif ++++++ freerdp-CVE-2026-23884.patch ++++++ >From 52106a26726a2aba77aa6d86014d2eb3507f0783 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Mon, 19 Jan 2026 08:58:22 +0100 Subject: [PATCH] [cache,offscreen] invalidate bitmap before free First ensure the bitmap is no longer used for drawing before calling the free function. --- libfreerdp/cache/offscreen.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) Index: freerdp-2.11.7/libfreerdp/cache/offscreen.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/cache/offscreen.c +++ freerdp-2.11.7/libfreerdp/cache/offscreen.c @@ -160,18 +160,22 @@ void offscreen_cache_put(rdpOffscreenCac void offscreen_cache_delete(rdpOffscreenCache* offscreenCache, UINT32 index) { - rdpBitmap* prevBitmap; - if (index >= offscreenCache->maxEntries) { WLog_ERR(TAG, "invalid offscreen bitmap index (delete): 0x%08" PRIX32 "", index); return; } - prevBitmap = offscreenCache->entries[index]; + rdpBitmap* prevBitmap = offscreenCache->entries[index]; if (prevBitmap != NULL) + { + WINPR_ASSERT(offscreenCache->update->context); + + /* Ensure that the bitmap is no longer used in GDI */ + IFCALL(prevBitmap->SetSurface, offscreenCache->update->context, NULL, FALSE); Bitmap_Free(offscreenCache->update->context, prevBitmap); + } offscreenCache->entries[index] = NULL; } ++++++ freerdp-CVE-2026-24491.patch ++++++ --- /var/tmp/diff_new_pack.phaJya/_old 2026-03-29 20:00:55.834021048 +0200 +++ /var/tmp/diff_new_pack.phaJya/_new 2026-03-29 20:00:55.838021212 +0200 @@ -10,9 +10,10 @@ channels/drdynvc/client/drdynvc_main.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) -diff -rup freerdp-2.11.7.orig/channels/drdynvc/client/drdynvc_main.c freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c ---- freerdp-2.11.7.orig/channels/drdynvc/client/drdynvc_main.c 2024-04-22 04:26:59.000000000 -0500 -+++ freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c 2026-02-18 13:43:43.788110262 -0600 +Index: freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c +=================================================================== +--- freerdp-2.11.7.orig/channels/drdynvc/client/drdynvc_main.c ++++ freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c @@ -346,10 +346,11 @@ static void dvcman_channel_free(void* ar if (channel) @@ -24,7 +25,7 @@ { - IFCALL(channel->channel_callback->OnClose, channel->channel_callback); - channel->channel_callback = NULL; -+ IFCALL(channel->channel_callback->OnClose, cb); ++ IFCALL(cb->OnClose, cb); } if (channel->status == CHANNEL_RC_OK) ++++++ freerdp-CVE-2026-26271.patch ++++++ >From f5e20403d6e325e11b68129803f967fb5aeec1cb Mon Sep 17 00:00:00 2001 From: Armin Novak <[email protected]> Date: Fri, 13 Feb 2026 19:38:20 +0100 Subject: [PATCH] [codec,color] fix input length checks * check cbBitsMask meets expected length * Add logging for length failures --- libfreerdp/codec/color.c | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/color.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/color.c +++ freerdp-2.11.7/libfreerdp/codec/color.c @@ -217,6 +217,9 @@ BOOL freerdp_image_copy_from_icon_data(B if (!pDstData || !bitsColor) return FALSE; + if ((nWidth == 0) || (nHeight == 0)) + return TRUE; + /* * Color formats used by icons are DIB bitmap formats (2-bit format * is not used by MS-RDPERP). Note that 16-bit is RGB555, not RGB565, @@ -259,7 +262,13 @@ BOOL freerdp_image_copy_from_icon_data(B /* Ensure we have enough source data bytes for image copy. */ if (cbBitsColor < nWidth * nHeight * GetBytesPerPixel(format)) + { + WLog_ERR(TAG, + "cbBitsColor{%" PRIu32 "} < nWidth{%" PRIu32 "} * nHeight{%" PRIu32 + "} * bpp{%" PRIu32 "}", + cbBitsColor, nWidth, nHeight, GetBytesPerPixel(format)); return FALSE; + } fill_gdi_palette_for_icon(colorTable, cbColorTable, &palette); if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, nXDst, nYDst, nWidth, nHeight, bitsColor, @@ -267,13 +276,9 @@ BOOL freerdp_image_copy_from_icon_data(B return FALSE; /* apply alpha mask */ - if (ColorHasAlpha(DstFormat) && cbBitsMask) + if (ColorHasAlpha(DstFormat) && (cbBitsMask > 0)) { - BYTE nextBit; - const BYTE* maskByte; UINT32 x, y; - UINT32 stride; - BYTE r, g, b; BYTE* dstBuf = pDstData; UINT32 dstBpp = GetBytesPerPixel(DstFormat); @@ -282,20 +287,29 @@ BOOL freerdp_image_copy_from_icon_data(B * And due to hysterical raisins, stride of DIB bitmaps must be * a multiple of 4 bytes. */ - stride = round_up(div_ceil(nWidth, 8), 4); + const size_t stride = round_up(div_ceil(nWidth, 8), 4); + if (cbBitsMask < stride * (nHeight - 1ULL)) + { + WLog_ERR(TAG, + "cbBitsMask{%" PRIu32 "} < stride{%" PRIuz "} * (nHeight{%" PRIu32 "} - 1)", + cbBitsMask, stride, nHeight); + return FALSE; + } for (y = 0; y < nHeight; y++) { - maskByte = &bitsMask[stride * (nHeight - 1 - y)]; - nextBit = 0x80; + const BYTE* maskByte = &bitsMask[stride * (nHeight - 1ULL - y)]; + BYTE nextBit = 0x80; for (x = 0; x < nWidth; x++) { - UINT32 color; + BYTE r = 0; + BYTE g = 0; + BYTE b = 0; BYTE alpha = (*maskByte & nextBit) ? 0x00 : 0xFF; /* read color back, add alpha and write it back */ - color = ReadColor(dstBuf, DstFormat); + UINT32 color = ReadColor(dstBuf, DstFormat); SplitColor(color, DstFormat, &r, &g, &b, NULL, &palette); color = FreeRDPGetColor(DstFormat, r, g, b, alpha); WriteColor(dstBuf, DstFormat, color); ++++++ freerdp-CVE-2026-26955.patch ++++++ >From 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77 Mon Sep 17 00:00:00 2001 From: Armin Novak <[email protected]> Date: Mon, 16 Feb 2026 19:56:55 +0100 Subject: [PATCH] [codec,clear] fix destination checks check against the correct nDstWidth/nDstHeight --- libfreerdp/codec/clear.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/clear.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/clear.c +++ freerdp-2.11.7/libfreerdp/codec/clear.c @@ -471,9 +471,6 @@ static BOOL clear_decompress_subcodecs_d while (suboffset < subcodecByteCount) { - UINT32 nXDstRel; - UINT32 nYDstRel; - if (Stream_GetRemainingLength(s) < 13) { WLog_ERR(TAG, "stream short %" PRIuz " [13 expected]", Stream_GetRemainingLength(s)); @@ -495,8 +492,20 @@ static BOOL clear_decompress_subcodecs_d return FALSE; } - nXDstRel = nXDst + xStart; - nYDstRel = nYDst + yStart; + const UINT32 nXDstRel = nXDst + xStart; + const UINT32 nYDstRel = nYDst + yStart; + if (1ull * nXDstRel + width > nDstWidth) + { + WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "", + nXDstRel, width, nDstWidth); + FALSE; + } + if (1ull * nYDstRel + height > nDstHeight) + { + WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "", + nYDstRel, height, nDstHeight); + return FALSE; + } if (width > nWidth) { @@ -1051,6 +1060,18 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl if ((nWidth > 0xFFFF) || (nHeight > 0xFFFF)) return -1004; + if (nXDst > nDstWidth) + { + WLog_WARN(TAG, "nXDst %" PRIu32 " > nDstWidth %" PRIu32, nXDst, nDstWidth); + return -1005; + } + + if (nYDst > nDstHeight) + { + WLog_WARN(TAG, "nYDst %" PRIu32 " > nDstHeight %" PRIu32, nYDst, nDstHeight); + return -1006; + } + s = Stream_New((BYTE*)pSrcData, SrcSize); if (!s) ++++++ freerdp-CVE-2026-26965.patch ++++++ >From a0be5cb87d760bb1c803ad1bb835aa1e73e62abc Mon Sep 17 00:00:00 2001 From: Armin Novak <[email protected]> Date: Mon, 16 Feb 2026 09:45:58 +0100 Subject: [PATCH] [codec,planar] fix missing destination bounds checks --- libfreerdp/codec/planar.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) Index: freerdp-2.11.7/libfreerdp/codec/planar.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/planar.c +++ freerdp-2.11.7/libfreerdp/codec/planar.c @@ -621,8 +621,10 @@ BOOL planar_decompress(BITMAP_PLANAR_CON if (planar->maxHeight < nSrcHeight) return FALSE; + const UINT32 bpp = GetBytesPerPixel(DstFormat); + if (nDstStep <= 0) - nDstStep = nDstWidth * GetBytesPerPixel(DstFormat); + nDstStep = nDstWidth * bpp; srcp = pSrcData; @@ -831,6 +833,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CON } else /* RLE */ { + if (nYDst + nSrcHeight > nTotalHeight) + { + WLog_ERR(TAG, + "planar plane destination Y %" PRIu32 " + height %" PRIu32 + " exceeds totalHeight %" PRIu32, + nYDst, nSrcHeight, nTotalHeight); + return FALSE; + } + + if ((nXDst + nSrcWidth) * bpp > nDstStep) + { + WLog_ERR(TAG, + "planar plane destination (X %" PRIu32 " + width %" PRIu32 + ") * bpp %" PRIu32 " exceeds stride %" PRIu32, + nXDst, nSrcWidth, bpp, nDstStep); + return FALSE; + } + status = planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst, nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */ ++++++ freerdp-CVE-2026-31806.patch ++++++ >From 83d9aedea278a74af3e490ff5eeb889c016dbb2b Mon Sep 17 00:00:00 2001 From: Armin Novak <[email protected]> Date: Mon, 9 Mar 2026 08:11:19 +0100 Subject: [PATCH] [codec,nsc] limit copy area in nsc_process_message the rectangle decoded might not fit into the destination buffer. Limit width and height of the area to copy to the one fitting. --- libfreerdp/codec/nsc.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/nsc.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/nsc.c +++ freerdp-2.11.7/libfreerdp/codec/nsc.c @@ -515,7 +515,15 @@ BOOL nsc_process_message(NSC_CONTEXT* co return FALSE; } - if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, width, height, + uint32_t cwidth = width; + if (1ull * nXDst + width > nWidth) + cwidth = nWidth - nXDst; + + uint32_t cheight = height; + if (1ull * nYDst + height > nHeight) + cheight = nHeight - nYDst; + + if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth, cheight, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0, 0, NULL, flip)) return FALSE; ++++++ freerdp-CVE-2026-31883_31885.patch ++++++ >From 16df2300e1e3f5a51f68fb1626429e58b531b7c8 Mon Sep 17 00:00:00 2001 From: Armin Novak <[email protected]> Date: Tue, 10 Mar 2026 10:21:40 +0100 Subject: [PATCH] [codec,dsp] fix array bounds checks * assert array indices where caller value is an internal constant * add missing length/bounds checks --- libfreerdp/codec/dsp.c | 79 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 70 insertions(+), 9 deletions(-) Index: freerdp-2.11.7/libfreerdp/codec/dsp.c =================================================================== --- freerdp-2.11.7.orig/libfreerdp/codec/dsp.c +++ freerdp-2.11.7/libfreerdp/codec/dsp.c @@ -294,9 +294,15 @@ static const INT16 ima_step_size_table[] static UINT16 dsp_decode_ima_adpcm_sample(ADPCM* adpcm, unsigned int channel, BYTE sample) { - INT32 ss; INT32 d; - ss = ima_step_size_table[adpcm->ima.last_step[channel]]; + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ima.last_step)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ima.last_sample)); + + const INT16 offset = adpcm->ima.last_step[channel]; + WINPR_ASSERT(offset >= 0); + WINPR_ASSERT(offset < ARRAYSIZE(ima_step_size_table)); + + const INT32 ss = ima_step_size_table[offset]; d = (ss >> 3); if (sample & 1) @@ -319,6 +325,7 @@ static UINT16 dsp_decode_ima_adpcm_sampl d = 32767; adpcm->ima.last_sample[channel] = (INT16)d; + WINPR_ASSERT(sample < ARRAYSIZE(ima_step_index_table)); adpcm->ima.last_step[channel] += ima_step_index_table[sample]; if (adpcm->ima.last_step[channel] < 0) @@ -350,6 +357,9 @@ static BOOL freerdp_dsp_decode_ima_adpcm { if (size % block_size == 0) { + if (size < 4) + return FALSE; + context->adpcm.ima.last_sample[0] = (INT16)(((UINT16)(*src)) | (((UINT16)(*(src + 1))) << 8)); context->adpcm.ima.last_step[0] = (INT16)(*(src + 2)); @@ -359,6 +369,8 @@ static BOOL freerdp_dsp_decode_ima_adpcm if (channels > 1) { + if (size < 4) + return FALSE; context->adpcm.ima.last_sample[1] = (INT16)(((UINT16)(*src)) | (((UINT16)(*(src + 1))) << 8)); context->adpcm.ima.last_step[1] = (INT16)(*(src + 2)); @@ -370,6 +382,8 @@ static BOOL freerdp_dsp_decode_ima_adpcm if (channels > 1) { + if (size < 8) + return FALSE; for (i = 0; i < 8; i++) { channel = (i < 4 ? 0 : 1); @@ -389,6 +403,8 @@ static BOOL freerdp_dsp_decode_ima_adpcm } else { + if (size < 1) + return FALSE; sample = ((*src) & 0x0f); decoded = dsp_decode_ima_adpcm_sample(&context->adpcm, 0, sample); *dst++ = (decoded & 0xFF); @@ -647,10 +663,16 @@ static BYTE dsp_encode_ima_adpcm_sample( { INT32 e; INT32 d; - INT32 ss; BYTE enc; INT32 diff; - ss = ima_step_size_table[adpcm->ima.last_step[channel]]; + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ima.last_step)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ima.last_sample)); + + const INT16 offset = adpcm->ima.last_step[channel]; + WINPR_ASSERT(offset >= 0); + WINPR_ASSERT(offset < ARRAYSIZE(ima_step_size_table)); + + INT32 ss = ima_step_size_table[offset]; d = e = sample - adpcm->ima.last_sample[channel]; diff = ss >> 3; enc = 0; @@ -696,6 +718,8 @@ static BYTE dsp_encode_ima_adpcm_sample( diff = 32767; adpcm->ima.last_sample[channel] = (INT16)diff; + + WINPR_ASSERT(enc < ARRAYSIZE(ima_step_index_table)); adpcm->ima.last_step[channel] += ima_step_index_table[enc]; if (adpcm->ima.last_step[channel] < 0) @@ -790,12 +814,23 @@ static const INT32 ms_adpcm_coeffs2[7] = static INLINE INT16 freerdp_dsp_decode_ms_adpcm_sample(ADPCM* adpcm, BYTE sample, int channel) { + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.sample1)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.sample2)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.delta)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.predictor)); INT8 nibble; INT32 presample; nibble = (sample & 0x08 ? (INT8)sample - 16 : (INT8)sample); - presample = ((adpcm->ms.sample1[channel] * ms_adpcm_coeffs1[adpcm->ms.predictor[channel]]) + - (adpcm->ms.sample2[channel] * ms_adpcm_coeffs2[adpcm->ms.predictor[channel]])) / - 256; + const BYTE predictor = adpcm->ms.predictor[channel]; + INT32 coeff1 = 0; + if (predictor < ARRAYSIZE(ms_adpcm_coeffs1)) + coeff1 = ms_adpcm_coeffs1[predictor]; + + INT32 coeff2 = 0; + if (predictor < ARRAYSIZE(ms_adpcm_coeffs2)) + coeff2 = ms_adpcm_coeffs2[predictor]; + presample = + ((adpcm->ms.sample1[channel] * coeff1) + (adpcm->ms.sample2[channel] * coeff2)) / 256; presample += nibble * adpcm->ms.delta[channel]; if (presample > 32767) @@ -805,7 +840,12 @@ static INLINE INT16 freerdp_dsp_decode_m adpcm->ms.sample2[channel] = adpcm->ms.sample1[channel]; adpcm->ms.sample1[channel] = presample; - adpcm->ms.delta[channel] = adpcm->ms.delta[channel] * ms_adpcm_adaptation_table[sample] / 256; + + INT32 tableval = 0; + if (sample < ARRAYSIZE(ms_adpcm_adaptation_table)) + tableval = ms_adpcm_adaptation_table[sample]; + + adpcm->ms.delta[channel] = adpcm->ms.delta[channel] * tableval / 256; if (adpcm->ms.delta[channel] < 16) adpcm->ms.delta[channel] = 16; @@ -833,6 +873,9 @@ static BOOL freerdp_dsp_decode_ms_adpcm( { if (channels > 1) { + if (size < 14) + return FALSE; + context->adpcm.ms.predictor[0] = *src++; context->adpcm.ms.predictor[1] = *src++; context->adpcm.ms.delta[0] = read_int16(src); @@ -859,6 +902,9 @@ static BOOL freerdp_dsp_decode_ms_adpcm( } else { + if (size < 7) + return FALSE; + context->adpcm.ms.predictor[0] = *src++; context->adpcm.ms.delta[0] = read_int16(src); src += 2; @@ -876,6 +922,8 @@ static BOOL freerdp_dsp_decode_ms_adpcm( if (channels > 1) { + if (size < 1) + return FALSE; sample = *src++; size--; write_int16(dst, freerdp_dsp_decode_ms_adpcm_sample(&context->adpcm, sample >> 4, 0)); @@ -891,6 +939,8 @@ static BOOL freerdp_dsp_decode_ms_adpcm( } else { + if (size < 1) + return FALSE; sample = *src++; size--; write_int16(dst, freerdp_dsp_decode_ms_adpcm_sample(&context->adpcm, sample >> 4, 0)); @@ -904,8 +954,12 @@ static BOOL freerdp_dsp_decode_ms_adpcm( return TRUE; } -static BYTE freerdp_dsp_encode_ms_adpcm_sample(ADPCM* adpcm, INT32 sample, int channel) +static BYTE freerdp_dsp_encode_ms_adpcm_sample(ADPCM* adpcm, INT32 sample, size_t channel) { + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.sample1)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.sample2)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.delta)); + WINPR_ASSERT(channel < ARRAYSIZE(adpcm->ms.predictor)); INT32 presample; INT32 errordelta; presample = ((adpcm->ms.sample1[channel] * ms_adpcm_coeffs1[adpcm->ms.predictor[channel]]) + @@ -930,8 +984,9 @@ static BYTE freerdp_dsp_encode_ms_adpcm_ adpcm->ms.sample2[channel] = adpcm->ms.sample1[channel]; adpcm->ms.sample1[channel] = presample; - adpcm->ms.delta[channel] = - adpcm->ms.delta[channel] * ms_adpcm_adaptation_table[(((BYTE)errordelta) & 0x0F)] / 256; + const size_t offset = (((BYTE)errordelta) & 0x0F); + WINPR_ASSERT(offset < ARRAYSIZE(ms_adpcm_adaptation_table)); + adpcm->ms.delta[channel] = adpcm->ms.delta[channel] * ms_adpcm_adaptation_table[offset] / 256; if (adpcm->ms.delta[channel] < 16) adpcm->ms.delta[channel] = 16;
