[oe] [meta-oe][kirkstone][PATCH 2/5] freerdp: patch CVE-2024-32458

Thu, 22 Jan 2026 22:43:40 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458

Pick the patch that is marked to resolve this vulnerbility by the
relevant Github advisory[1].

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vvr6-h646-mp4p

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../freerdp/freerdp/CVE-2024-32458.patch      | 118 ++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb  |   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch 
b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch
new file mode 100644
index 0000000000..eeba767d91
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch
@@ -0,0 +1,118 @@
+From f04f5fc28869140079c3c5edca614e495493b9ba Mon Sep 17 00:00:00 2001
+From: akallabeth <[email protected]>
+Date: Tue, 16 Apr 2024 08:42:52 +0200
+Subject: [PATCH] fix missing input length checks
+
+(cherry picked from commit 52d75f6f4078143951e8a4976bc5af30a5556cb6)
+
+CVE: CVE-2024-32458
+Upstream-Status: Backport 
[https://github.com/FreeRDP/FreeRDP/commit/9bc624c721ecde8251cfabd1edf069bc713ccc97]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ libfreerdp/codec/planar.c | 53 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 58d4e4bae..9f891b9c7 100644
+--- a/libfreerdp/codec/planar.c
++++ b/libfreerdp/codec/planar.c
+@@ -679,6 +679,13 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, 
const BYTE* pSrcData, UINT
+               rawHeights[3] = nSrcHeight;
+       }
+ 
++      const size_t diff = srcp - pSrcData;
++      if (SrcSize < diff)
++      {
++              WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, 
diff);
++              return FALSE;
++      }
++
+       if (!rle) /* RAW */
+       {
+               UINT32 base = planeSize * 3;
+@@ -687,8 +694,12 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, 
const BYTE* pSrcData, UINT
+ 
+               if (alpha)
+               {
+-                      if ((SrcSize - (srcp - pSrcData)) < (planeSize + base))
++                      if ((SrcSize - diff) < (planeSize + base))
++                      {
++                              WLog_ERR(TAG, "Alpha plane size mismatch %" 
PRIuz " < %" PRIu32, SrcSize - diff,
++                                       (planeSize + base));
+                               return FALSE;
++                      }
+ 
+                       planes[3] = srcp;                    /* AlphaPlane */
+                       planes[0] = planes[3] + rawSizes[3]; /* LumaOrRedPlane 
*/
+@@ -700,8 +711,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, 
const BYTE* pSrcData, UINT
+               }
+               else
+               {
+-                      if ((SrcSize - (srcp - pSrcData)) < base)
++                      if ((SrcSize - diff) < base)
++                      {
++                              WLog_ERR(TAG, "plane size mismatch %" PRIu32 " 
< %" PRIu32, SrcSize - diff, base);
+                               return FALSE;
++                      }
+ 
+                       planes[0] = srcp;                    /* LumaOrRedPlane 
*/
+                       planes[1] = planes[0] + rawSizes[0]; /* 
OrangeChromaOrGreenPlane */
+@@ -716,8 +730,8 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, 
const BYTE* pSrcData, UINT
+               if (alpha)
+               {
+                       planes[3] = srcp;
+-                      rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize 
- (planes[3] - pSrcData),
+-                                                          rawWidths[3], 
rawHeights[3]); /* AlphaPlane */
++                      rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize 
- diff, rawWidths[3],
++                                                          rawHeights[3]); /* 
AlphaPlane */
+ 
+                       if (rleSizes[3] < 0)
+                               return FALSE;
+@@ -727,22 +741,41 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, 
const BYTE* pSrcData, UINT
+               else
+                       planes[0] = srcp;
+ 
+-              rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - 
(planes[0] - pSrcData),
+-                                                  rawWidths[0], 
rawHeights[0]); /* RedPlane */
++              const size_t diff0 = (planes[0] - pSrcData);
++              if (SrcSize < diff0)
++              {
++                      WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, 
SrcSize, diff0);
++                      return FALSE;
++              }
++              rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - diff0, 
rawWidths[0],
++                                                  rawHeights[0]); /* RedPlane 
*/
+ 
+               if (rleSizes[0] < 0)
+                       return FALSE;
+ 
+               planes[1] = planes[0] + rleSizes[0];
+-              rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - 
(planes[1] - pSrcData),
+-                                                  rawWidths[1], 
rawHeights[1]); /* GreenPlane */
++
++              const size_t diff1 = (planes[1] - pSrcData);
++              if (SrcSize < diff1)
++              {
++                      WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, 
SrcSize, diff1);
++                      return FALSE;
++              }
++              rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - diff1, 
rawWidths[1],
++                                                  rawHeights[1]); /* 
GreenPlane */
+ 
+               if (rleSizes[1] < 1)
+                       return FALSE;
+ 
+               planes[2] = planes[1] + rleSizes[1];
+-              rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - 
(planes[2] - pSrcData),
+-                                                  rawWidths[2], 
rawHeights[2]); /* BluePlane */
++              const size_t diff2 = (planes[2] - pSrcData);
++              if (SrcSize < diff2)
++              {
++                      WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, 
SrcSize, diff);
++                      return FALSE;
++              }
++              rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - diff2, 
rawWidths[2],
++                                                  rawHeights[2]); /* 
BluePlane */
+ 
+               if (rleSizes[2] < 1)
+                       return FALSE;
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb 
b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index 06aac0325f..0a01b2095a 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -34,6 +34,7 @@ SRC_URI = 
"git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://CVE-2024-22211.patch \
            file://CVE-2024-32039.patch \
            file://CVE-2024-32040.patch \
+           file://CVE-2024-32458.patch \
            "
 
 S = "${WORKDIR}/git"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123765): 
https://lists.openembedded.org/g/openembedded-devel/message/123765
Mute This Topic: https://lists.openembedded.org/mt/117414249/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to