| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch | 49 | ||||
| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb | 1 |
2 files changed, 50 insertions, 0 deletions
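--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
@@ -0,0 +1,49 @@
+From 51929613e6897489736a35eaaf14a3accf143963 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 15 Jan 2026 12:04:36 +0100
+Subject: [PATCH] properly clamp SurfaceToSurface
+
+From: akallabeth <akallabeth@posteo.net>
+
+CVE: CVE-2026-23532
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+libfreerdp/gdi/gfx.c | 9 +++++----
+1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
+index 3970715e0..812568bbb 100644
+--- a/libfreerdp/gdi/gfx.c
++++ b/libfreerdp/gdi/gfx.c
+@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+UINT status = ERROR_INTERNAL_ERROR;
+UINT16 index;
+BOOL sameSurface;
+- UINT32 nWidth, nHeight;
+const RECTANGLE_16* rectSrc;
+RECTANGLE_16 invalidRect;
+gdiGfxSurface* surfaceSrc;
+@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height))
+goto fail;
+
+- nWidth = rectSrc->right - rectSrc->left;
+- nHeight = rectSrc->bottom - rectSrc->top;
++ const UINT32 nWidth = rectSrc->right - rectSrc->left;
++ const UINT32 nHeight = rectSrc->bottom - rectSrc->top;
+
+for (index = 0; index < surfaceToSurface->destPtsCount; index++)
+{
+@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height))
+goto fail;
+
++ const UINT32 rwidth = rect.right - rect.left;
++ const UINT32 rheight = rect.bottom - rect.top;
+if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline,
+- destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data,
++ destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data,
+surfaceSrc->format, surfaceSrc->scanline, rectSrc->left,
+rectSrc->top, NULL, FREERDP_FLIP_NONE))
+goto fail;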
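Review bot: `const UINT32 rwidth = rect.right - rect.left;` and the matching `rheight` line now supply the copy size for `freerdp_image_copy`, so they are only safe if `is_rect_valid()` rejects a rectangle whose right/bottom lies before its left/top. Otherwise the difference goes negative and converts to a very large UINT32. That helper and the construction of `rect` are outside the hunk, and gdi_SurfaceToSurface itself starts and ends outside it, so both should be confirmed in the 2.11.7 tree this backport is applied to. I would also add a comment above the two new lines, e.g. `/* copy only the destination area that passed is_rect_valid() above, not the unclamped source size */`, so the reason for no longer passing nWidth/nHeight stays visible to later maintainers.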
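--- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
 file://CVE-2026-22855.patch \
 file://CVE-2026-22852.patch \
 file://CVE-2026-23530.patch \
+file://CVE-2026-23532.patch \
 "
 
 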
