xrdp: patch CVE-2023-42822

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822 Pick the patch the references the github advisory[1] and the cve ID also from the nvd report. The patch is a backported version of the patch referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit a9fa1c5c2a83d301aa004cd16d18a516ae383042) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-24 07:30:07 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-02-02 08:13:00 +0530
commit: 9e35ca9108c498d71834c1aba5809402c5749865 (patch)
tree: f85627607d20c736ad8b1805855133071cb95e7f
parent: c3964035a8df9f2df4638a012759a0d18ff12f9b (diff)
download: meta-openembedded-9e35ca9108c498d71834c1aba5809402c5749865.tar.gz
2 files changed, 305 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch
new file mode 100644
index 0000000000..2cf7968f3c
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch
@@ -0,0 +1,304 @@
+From 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Mon, 25 Sep 2023 11:25:04 +0100
+Subject: [PATCH] CVE-2023-42822
+- font_items in struct xrdp_font renamed to chars to catch all
+  accesses to it. This name is consistent with the type of
+  the array elements (struct xrdp_font_char).
+- Additional fields added to struct xrdp_font to allow for range
+  checking and for a default character to be provided
+- Additional checks and logic added to xrdp_font_create()
+- New macro XRDP_FONT_GET_CHAR() added to perform checked access
+  to chars field in struct xrdp_font
+CVE: CVE-2023-42822
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/fd25fc546a68a94163413ff2cf3989c1e239e762]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ xrdp/xrdp.h         |   9 ++++
+ xrdp/xrdp_font.c    | 113 +++++++++++++++++++++++++++++++++++++-------
+ xrdp/xrdp_painter.c |  10 ++--
+ xrdp/xrdp_types.h   |   8 +++-
+ 4 files changed, 115 insertions(+), 25 deletions(-)
+diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h
+index 36d8f87a9a..be008aa227 100644
+--- a/xrdp/xrdp.h
+++ b/xrdp/xrdp.h
+@@ -345,6 +345,15 @@ xrdp_font_delete(struct xrdp_font *self);
+ int
+ xrdp_font_item_compare(struct xrdp_font_char *font1,
+                        struct xrdp_font_char *font2);
+/**
+ * Gets a checked xrdp_font_char from a font
+ * @param f Font
+ * @param c32 Unicode codepoint
+ */
+#define XRDP_FONT_GET_CHAR(f, c32) \
+    (((unsigned int)(c32) >= ' ') && ((unsigned int)(c32) < (f)->char_count) \
+     ? ((f)->chars + (unsigned int)(c32)) \
+     : (f)->default_char)
+ 
+ /* funcs.c */
+ int
+diff --git a/xrdp/xrdp_font.c b/xrdp/xrdp_font.c
+index c089db0075..2b34f36ca6 100644
+--- a/xrdp/xrdp_font.c
+++ b/xrdp/xrdp_font.c
+@@ -65,6 +65,12 @@ static char w_char[] =
+ };
+ #endif
+ 
+// Unicode definitions
+#define UNICODE_WHITE_SQUARE 0x25a1
+
+// First character allocated in the 'struct xrdp_font.chars' array
+#define FIRST_CHAR ' '
+
+ /*****************************************************************************/
+ struct xrdp_font *
+ xrdp_font_create(struct xrdp_wm *wm)
+@@ -74,7 +80,7 @@ xrdp_font_create(struct xrdp_wm *wm)
+     int fd;
+     int b;
+     int i;
+-    int index;
+    unsigned int char_count;
+     int datasize;
+     int file_size;
+     struct xrdp_font_char *f;
+@@ -100,17 +106,39 @@ xrdp_font_create(struct xrdp_wm *wm)
+     }
+ 
+     self = (struct xrdp_font *)g_malloc(sizeof(struct xrdp_font), 1);
+    if (self == NULL)
+    {
+        LOG(LOG_LEVEL_ERROR, "xrdp_font_create: "
+            "Can't allocate memory for font");
+        return self;
+    }
+     self->wm = wm;
+     make_stream(s);
+     init_stream(s, file_size + 1024);
+     fd = g_file_open(file_path);
+ 
+-    if (fd != -1)
+    if (fd < 0)
+    {
+        LOG(LOG_LEVEL_ERROR,
+            "xrdp_font_create: Can't open %s - %s", file_path,
+            g_get_strerror());
+        g_free(self);
+        self = NULL;
+    }
+    else
+     {
+         b = g_file_read(fd, s->data, file_size + 1024);
+         g_file_close(fd);
+ 
+-        if (b > 0)
+        // Got at least a header?
+        if (b < (4 + 32 + 2 + 2 + 8))
+        {
+            LOG(LOG_LEVEL_ERROR,
+                "xrdp_font_create: Font %s is truncated", file_path);
+            g_free(self);
+            self = NULL;
+        }
+        else
+         {
+             s->end = s->data + b;
+             in_uint8s(s, 4);
+@@ -118,11 +146,27 @@ xrdp_font_create(struct xrdp_wm *wm)
+             in_uint16_le(s, self->size);
+             in_uint16_le(s, self->style);
+             in_uint8s(s, 8);
+-            index = 32;
+            char_count = FIRST_CHAR;
+ 
+-            while (s_check_rem(s, 16))
+            while (!s_check_end(s))
+             {
+-                f = self->font_items + index;
+                if (!s_check_rem(s, 16))
+                {
+                    LOG(LOG_LEVEL_WARNING,
+                        "xrdp_font_create: "
+                        "Can't parse header for character U+%X", char_count);
+                    break;
+                }
+
+                if (char_count >= MAX_FONT_CHARS)
+                {
+                    LOG(LOG_LEVEL_WARNING,
+                        "xrdp_font_create: "
+                        "Ignoring characters >= U+%x", MAX_FONT_CHARS);
+                    break;
+                }
+
+                f = self->chars + char_count;
+                 in_sint16_le(s, i);
+                 f->width = i;
+                 in_sint16_le(s, i);
+@@ -139,23 +183,56 @@ xrdp_font_create(struct xrdp_wm *wm)
+                 if (datasize < 0 || datasize > 512)
+                 {
+                     /* shouldn't happen */
+-                    LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create, datasize wrong "
+-                        "width %d, height %d, datasize %d, index %d",
+-                        f->width, f->height, datasize, index);
+                    LOG(LOG_LEVEL_ERROR,
+                        "xrdp_font_create: "
+                        "datasize for U+%x wrong "
+                        "width %d, height %d, datasize %d",
+                        char_count, f->width, f->height, datasize);
+                     break;
+                 }
+ 
+-                if (s_check_rem(s, datasize))
+                if (!s_check_rem(s, datasize))
+                 {
+-                    f->data = (char *)g_malloc(datasize, 0);
+-                    in_uint8a(s, f->data, datasize);
+                    LOG(LOG_LEVEL_ERROR,
+                        "xrdp_font_create: "
+                        "Not enough data for character U+%X", char_count);
+                    break;
+                 }
+-                else
+
+                if ((f->data = (char *)g_malloc(datasize, 0)) == NULL)
+                 {
+-                    LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create");
+                    LOG(LOG_LEVEL_ERROR,
+                        "xrdp_font_create: "
+                        "Allocation error for character U+%X", char_count);
+                    break;
+                 }
+                in_uint8a(s, f->data, datasize);
+
+                ++char_count;
+            }
+ 
+-                index++;
+            self->char_count = char_count;
+            if (char_count <= FIRST_CHAR)
+            {
+                /* We read no characters from the font */
+                xrdp_font_delete(self);
+                self = NULL;
+            }
+            else
+            {
+                // Find a default glyph
+                if (char_count > UNICODE_WHITE_SQUARE)
+                {
+                    self->default_char = &self->chars[UNICODE_WHITE_SQUARE];
+                }
+                else if (char_count > '?')
+                {
+                    self->default_char = &self->chars['?'];
+                }
+                else
+                {
+                    self->default_char = &self->chars[FIRST_CHAR];
+                }
+             }
+         }
+     }
+@@ -178,16 +255,16 @@ xrdp_font_create(struct xrdp_wm *wm)
+ void
+ xrdp_font_delete(struct xrdp_font *self)
+ {
+-    int i;
+    unsigned int i;
+ 
+     if (self == 0)
+     {
+         return;
+     }
+ 
+-    for (i = 0; i < NUM_FONTS; i++)
+    for (i = FIRST_CHAR; i < self->char_count; i++)
+     {
+-        g_free(self->font_items[i].data);
+        g_free(self->chars[i].data);
+     }
+ 
+     g_free(self);
+diff --git a/xrdp/xrdp_painter.c b/xrdp/xrdp_painter.c
+index b02c9072b6..832186ff22 100644
+--- a/xrdp/xrdp_painter.c
+++ b/xrdp/xrdp_painter.c
+@@ -455,7 +455,7 @@ xrdp_painter_text_width(struct xrdp_painter *self, const char *text)
+ 
+     for (index = 0; index < len; index++)
+     {
+-        font_item = self->font->font_items + wstr[index];
+        font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]);
+         rv = rv + font_item->incby;
+     }
+ 
+@@ -493,7 +493,7 @@ xrdp_painter_text_height(struct xrdp_painter *self, const char *text)
+ 
+     for (index = 0; index < len; index++)
+     {
+-        font_item = self->font->font_items + wstr[index];
+        font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]);
+         rv = MAX(rv, font_item->height);
+     }
+ 
+@@ -870,7 +870,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
+             total_height = 0;
+             for (index = 0; index < len; index++)
+             {
+-                font_item = font->font_items + wstr[index];
+                font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
+                 k = font_item->incby;
+                 total_width += k;
+                 total_height = MAX(total_height, font_item->height);
+@@ -904,7 +904,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
+                                      draw_rect.bottom - draw_rect.top);
+                     for (index = 0; index < len; index++)
+                     {
+-                        font_item = font->font_items + wstr[index];
+                        font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
+                         g_memset(&pat, 0, sizeof(pat));
+                         pat.format = PT_FORMAT_c1;
+                         pat.width = font_item->width;
+@@ -946,7 +946,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
+ 
+     for (index = 0; index < len; index++)
+     {
+-        font_item = font->font_items + wstr[index];
+        font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
+         i = xrdp_cache_add_char(self->wm->cache, font_item);
+         f = HIWORD(i);
+         c = LOWORD(i);
+diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h
+index 41b65702f0..b794890b08 100644
+--- a/xrdp/xrdp_types.h
+++ b/xrdp/xrdp_types.h
+@@ -574,7 +574,7 @@ struct xrdp_bitmap
+     int crc16;
+ };
+ 
+-#define NUM_FONTS 0x4e00
+#define MAX_FONT_CHARS 0x4e00
+ #define DEFAULT_FONT_NAME "sans-10.fv1"
+ 
+ #define DEFAULT_ELEMENT_TOP   35
+@@ -594,7 +594,11 @@ struct xrdp_bitmap
+ struct xrdp_font
+ {
+     struct xrdp_wm *wm;
+-    struct xrdp_font_char font_items[NUM_FONTS];
+    // Font characters, accessed by Unicode codepoint. The first 32
+    // entries are unused.
+    struct xrdp_font_char chars[MAX_FONT_CHARS];
+    unsigned int char_count; // # elements in above array
+    struct xrdp_font_char *default_char; // Pointer into above array
+     char name[32];
+     int size;
+     int style;
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
index 4ede3d285c..bcadd03adf 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
           file://CVE-2022-23484.patch \
           file://CVE-2022-23493.patch \
           file://CVE-2023-40184.patch \
+           file://CVE-2023-42822.patch \
           "
 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-24 07:30:07 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:00 +0530
commit	9e35ca9108c498d71834c1aba5809402c5749865 (patch)
tree	f85627607d20c736ad8b1805855133071cb95e7f
parent	c3964035a8df9f2df4638a012759a0d18ff12f9b (diff)
download	meta-openembedded-9e35ca9108c498d71834c1aba5809402c5749865.tar.gz

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch new file mode 100644 index 0000000000..2cf7968f3c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch
@@ -0,0 +1,304 @@
		1	From 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 Mon Sep 17 00:00:00 2001
		2	From: matt335672 <30179339+matt335672@users.noreply.github.com>
		3	Date: Mon, 25 Sep 2023 11:25:04 +0100
		4	Subject: [PATCH] CVE-2023-42822
		5
		6	- font_items in struct xrdp_font renamed to chars to catch all
		7	accesses to it. This name is consistent with the type of
		8	the array elements (struct xrdp_font_char).
		9	- Additional fields added to struct xrdp_font to allow for range
		10	checking and for a default character to be provided
		11	- Additional checks and logic added to xrdp_font_create()
		12	- New macro XRDP_FONT_GET_CHAR() added to perform checked access
		13	to chars field in struct xrdp_font
		14
		15	CVE: CVE-2023-42822
		16	Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/fd25fc546a68a94163413ff2cf3989c1e239e762]
		17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		18	---
		19	xrdp/xrdp.h \| 9 ++++
		20	xrdp/xrdp_font.c \| 113 +++++++++++++++++++++++++++++++++++++-------
		21	xrdp/xrdp_painter.c \| 10 ++--
		22	xrdp/xrdp_types.h \| 8 +++-
		23	4 files changed, 115 insertions(+), 25 deletions(-)
		24
		25	diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h
		26	index 36d8f87a9a..be008aa227 100644
		27	--- a/xrdp/xrdp.h
		28	+++ b/xrdp/xrdp.h
		29	@@ -345,6 +345,15 @@ xrdp_font_delete(struct xrdp_font *self);
		30	int
		31	xrdp_font_item_compare(struct xrdp_font_char *font1,
		32	struct xrdp_font_char *font2);
		33	+/**
		34	+ * Gets a checked xrdp_font_char from a font
		35	+ * @param f Font
		36	+ * @param c32 Unicode codepoint
		37	+ */
		38	+#define XRDP_FONT_GET_CHAR(f, c32) \
		39	+ (((unsigned int)(c32) >= ' ') && ((unsigned int)(c32) < (f)->char_count) \
		40	+ ? ((f)->chars + (unsigned int)(c32)) \
		41	+ : (f)->default_char)
		42
		43	/* funcs.c */
		44	int
		45	diff --git a/xrdp/xrdp_font.c b/xrdp/xrdp_font.c
		46	index c089db0075..2b34f36ca6 100644
		47	--- a/xrdp/xrdp_font.c
		48	+++ b/xrdp/xrdp_font.c
		49	@@ -65,6 +65,12 @@ static char w_char[] =
		50	};
		51	#endif
		52
		53	+// Unicode definitions
		54	+#define UNICODE_WHITE_SQUARE 0x25a1
		55	+
		56	+// First character allocated in the 'struct xrdp_font.chars' array
		57	+#define FIRST_CHAR ' '
		58	+
		59	/*****************************************************************************/
		60	struct xrdp_font *
		61	xrdp_font_create(struct xrdp_wm *wm)
		62	@@ -74,7 +80,7 @@ xrdp_font_create(struct xrdp_wm *wm)
		63	int fd;
		64	int b;
		65	int i;
		66	- int index;
		67	+ unsigned int char_count;
		68	int datasize;
		69	int file_size;
		70	struct xrdp_font_char *f;
		71	@@ -100,17 +106,39 @@ xrdp_font_create(struct xrdp_wm *wm)
		72	}
		73
		74	self = (struct xrdp_font *)g_malloc(sizeof(struct xrdp_font), 1);
		75	+ if (self == NULL)
		76	+ {
		77	+ LOG(LOG_LEVEL_ERROR, "xrdp_font_create: "
		78	+ "Can't allocate memory for font");
		79	+ return self;
		80	+ }
		81	self->wm = wm;
		82	make_stream(s);
		83	init_stream(s, file_size + 1024);
		84	fd = g_file_open(file_path);
		85
		86	- if (fd != -1)
		87	+ if (fd < 0)
		88	+ {
		89	+ LOG(LOG_LEVEL_ERROR,
		90	+ "xrdp_font_create: Can't open %s - %s", file_path,
		91	+ g_get_strerror());
		92	+ g_free(self);
		93	+ self = NULL;
		94	+ }
		95	+ else
		96	{
		97	b = g_file_read(fd, s->data, file_size + 1024);
		98	g_file_close(fd);
		99
		100	- if (b > 0)
		101	+ // Got at least a header?
		102	+ if (b < (4 + 32 + 2 + 2 + 8))
		103	+ {
		104	+ LOG(LOG_LEVEL_ERROR,
		105	+ "xrdp_font_create: Font %s is truncated", file_path);
		106	+ g_free(self);
		107	+ self = NULL;
		108	+ }
		109	+ else
		110	{
		111	s->end = s->data + b;
		112	in_uint8s(s, 4);
		113	@@ -118,11 +146,27 @@ xrdp_font_create(struct xrdp_wm *wm)
		114	in_uint16_le(s, self->size);
		115	in_uint16_le(s, self->style);
		116	in_uint8s(s, 8);
		117	- index = 32;
		118	+ char_count = FIRST_CHAR;
		119
		120	- while (s_check_rem(s, 16))
		121	+ while (!s_check_end(s))
		122	{
		123	- f = self->font_items + index;
		124	+ if (!s_check_rem(s, 16))
		125	+ {
		126	+ LOG(LOG_LEVEL_WARNING,
		127	+ "xrdp_font_create: "
		128	+ "Can't parse header for character U+%X", char_count);
		129	+ break;
		130	+ }
		131	+
		132	+ if (char_count >= MAX_FONT_CHARS)
		133	+ {
		134	+ LOG(LOG_LEVEL_WARNING,
		135	+ "xrdp_font_create: "
		136	+ "Ignoring characters >= U+%x", MAX_FONT_CHARS);
		137	+ break;
		138	+ }
		139	+
		140	+ f = self->chars + char_count;
		141	in_sint16_le(s, i);
		142	f->width = i;
		143	in_sint16_le(s, i);
		144	@@ -139,23 +183,56 @@ xrdp_font_create(struct xrdp_wm *wm)
		145	if (datasize < 0 \|\| datasize > 512)
		146	{
		147	/* shouldn't happen */
		148	- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create, datasize wrong "
		149	- "width %d, height %d, datasize %d, index %d",
		150	- f->width, f->height, datasize, index);
		151	+ LOG(LOG_LEVEL_ERROR,
		152	+ "xrdp_font_create: "
		153	+ "datasize for U+%x wrong "
		154	+ "width %d, height %d, datasize %d",
		155	+ char_count, f->width, f->height, datasize);
		156	break;
		157	}
		158
		159	- if (s_check_rem(s, datasize))
		160	+ if (!s_check_rem(s, datasize))
		161	{
		162	- f->data = (char *)g_malloc(datasize, 0);
		163	- in_uint8a(s, f->data, datasize);
		164	+ LOG(LOG_LEVEL_ERROR,
		165	+ "xrdp_font_create: "
		166	+ "Not enough data for character U+%X", char_count);
		167	+ break;
		168	}
		169	- else
		170	+
		171	+ if ((f->data = (char *)g_malloc(datasize, 0)) == NULL)
		172	{
		173	- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create");
		174	+ LOG(LOG_LEVEL_ERROR,
		175	+ "xrdp_font_create: "
		176	+ "Allocation error for character U+%X", char_count);
		177	+ break;
		178	}
		179	+ in_uint8a(s, f->data, datasize);
		180	+
		181	+ ++char_count;
		182	+ }
		183
		184	- index++;
		185	+ self->char_count = char_count;
		186	+ if (char_count <= FIRST_CHAR)
		187	+ {
		188	+ /* We read no characters from the font */
		189	+ xrdp_font_delete(self);
		190	+ self = NULL;
		191	+ }
		192	+ else
		193	+ {
		194	+ // Find a default glyph
		195	+ if (char_count > UNICODE_WHITE_SQUARE)
		196	+ {
		197	+ self->default_char = &self->chars[UNICODE_WHITE_SQUARE];
		198	+ }
		199	+ else if (char_count > '?')
		200	+ {
		201	+ self->default_char = &self->chars['?'];
		202	+ }
		203	+ else
		204	+ {
		205	+ self->default_char = &self->chars[FIRST_CHAR];
		206	+ }
		207	}
		208	}
		209	}
		210	@@ -178,16 +255,16 @@ xrdp_font_create(struct xrdp_wm *wm)
		211	void
		212	xrdp_font_delete(struct xrdp_font *self)
		213	{
		214	- int i;
		215	+ unsigned int i;
		216
		217	if (self == 0)
		218	{
		219	return;
		220	}
		221
		222	- for (i = 0; i < NUM_FONTS; i++)
		223	+ for (i = FIRST_CHAR; i < self->char_count; i++)
		224	{
		225	- g_free(self->font_items[i].data);
		226	+ g_free(self->chars[i].data);
		227	}
		228
		229	g_free(self);
		230	diff --git a/xrdp/xrdp_painter.c b/xrdp/xrdp_painter.c
		231	index b02c9072b6..832186ff22 100644
		232	--- a/xrdp/xrdp_painter.c
		233	+++ b/xrdp/xrdp_painter.c
		234	@@ -455,7 +455,7 @@ xrdp_painter_text_width(struct xrdp_painter self, const char text)
		235
		236	for (index = 0; index < len; index++)
		237	{
		238	- font_item = self->font->font_items + wstr[index];
		239	+ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]);
		240	rv = rv + font_item->incby;
		241	}
		242
		243	@@ -493,7 +493,7 @@ xrdp_painter_text_height(struct xrdp_painter self, const char text)
		244
		245	for (index = 0; index < len; index++)
		246	{
		247	- font_item = self->font->font_items + wstr[index];
		248	+ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]);
		249	rv = MAX(rv, font_item->height);
		250	}
		251
		252	@@ -870,7 +870,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
		253	total_height = 0;
		254	for (index = 0; index < len; index++)
		255	{
		256	- font_item = font->font_items + wstr[index];
		257	+ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
		258	k = font_item->incby;
		259	total_width += k;
		260	total_height = MAX(total_height, font_item->height);
		261	@@ -904,7 +904,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
		262	draw_rect.bottom - draw_rect.top);
		263	for (index = 0; index < len; index++)
		264	{
		265	- font_item = font->font_items + wstr[index];
		266	+ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
		267	g_memset(&pat, 0, sizeof(pat));
		268	pat.format = PT_FORMAT_c1;
		269	pat.width = font_item->width;
		270	@@ -946,7 +946,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self,
		271
		272	for (index = 0; index < len; index++)
		273	{
		274	- font_item = font->font_items + wstr[index];
		275	+ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]);
		276	i = xrdp_cache_add_char(self->wm->cache, font_item);
		277	f = HIWORD(i);
		278	c = LOWORD(i);
		279	diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h
		280	index 41b65702f0..b794890b08 100644
		281	--- a/xrdp/xrdp_types.h
		282	+++ b/xrdp/xrdp_types.h
		283	@@ -574,7 +574,7 @@ struct xrdp_bitmap
		284	int crc16;
		285	};
		286
		287	-#define NUM_FONTS 0x4e00
		288	+#define MAX_FONT_CHARS 0x4e00
		289	#define DEFAULT_FONT_NAME "sans-10.fv1"
		290
		291	#define DEFAULT_ELEMENT_TOP 35
		292	@@ -594,7 +594,11 @@ struct xrdp_bitmap
		293	struct xrdp_font
		294	{
		295	struct xrdp_wm *wm;
		296	- struct xrdp_font_char font_items[NUM_FONTS];
		297	+ // Font characters, accessed by Unicode codepoint. The first 32
		298	+ // entries are unused.
		299	+ struct xrdp_font_char chars[MAX_FONT_CHARS];
		300	+ unsigned int char_count; // # elements in above array
		301	+ struct xrdp_font_char *default_char; // Pointer into above array
		302	char name[32];
		303	int size;
		304	int style;


diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 4ede3d285c..bcadd03adf 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
28	file://CVE-2022-23484.patch \	28	file://CVE-2022-23484.patch \
29	file://CVE-2022-23493.patch \	29	file://CVE-2022-23493.patch \
30	file://CVE-2023-40184.patch \	30	file://CVE-2023-40184.patch \
		31	file://CVE-2023-42822.patch \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"	34	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"