Dirk Mueller
b9b46cb552
+ freerdp-CVE-2026-22852.patch (CVE-2026-22852, bsc#1256718) + freerdp-CVE-2026-22854.patch (CVE-2026-22854, bsc#1256720) + freerdp-CVE-2026-22856.patch (CVE-2026-22856, bsc#1256722) + freerdp-CVE-2026-22859.patch (CVE-2026-22859, bsc#1256725) + freerdp-CVE-2026-23530.patch (CVE-2026-23530, bsc#1256940) + freerdp-CVE-2026-23531.patch (CVE-2026-23531, bsc#1256941) + freerdp-CVE-2026-23532.patch (CVE-2026-23532, bsc#1256942) + freerdp-CVE-2026-23534.patch (CVE-2026-23534, bsc#1256944) * Fix integer overflow in progressive decoder (bsc#1219049, CVE-2024-22211) OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp2?expand=0&rev=21
70 lines
2.1 KiB
Diff
70 lines
2.1 KiB
Diff
From 25102b432fb37916a1a553d7ef8fd940c6e52c3f Mon Sep 17 00:00:00 2001
|
|
From: akallabeth <akallabeth@posteo.net>
|
|
Date: Thu, 15 Jan 2026 12:17:33 +0100
|
|
Subject: [PATCH] [codec,clear] fix missing length checks
|
|
|
|
---
|
|
libfreerdp/codec/clear.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
Index: freerdp-2.11.7/libfreerdp/codec/clear.c
|
|
===================================================================
|
|
--- freerdp-2.11.7.orig/libfreerdp/codec/clear.c
|
|
+++ freerdp-2.11.7/libfreerdp/codec/clear.c
|
|
@@ -1141,7 +1141,54 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl
|
|
|
|
if (glyphData)
|
|
{
|
|
- if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData,
|
|
+ uint32_t w = MIN(nWidth, nDstWidth);
|
|
+ if (nXDst > nDstWidth)
|
|
+ {
|
|
+ WLog_WARN(TAG, "glyphData copy area x exceeds destination: x=%" PRIu32 " > %" PRIu32,
|
|
+ nXDst, nDstWidth);
|
|
+ w = 0;
|
|
+ }
|
|
+ else if (nXDst + w > nDstWidth)
|
|
+ {
|
|
+ WLog_WARN(TAG,
|
|
+ "glyphData copy area x + width exceeds destination: x=%" PRIu32 " + %" PRIu32
|
|
+ " > %" PRIu32,
|
|
+ nXDst, w, nDstWidth);
|
|
+ w = nDstWidth - nXDst;
|
|
+ }
|
|
+
|
|
+ if (w != nWidth)
|
|
+ {
|
|
+ WLog_WARN(TAG,
|
|
+ "glyphData copy area width truncated: requested=%" PRIu32
|
|
+ ", truncated to %" PRIu32,
|
|
+ nWidth, w);
|
|
+ }
|
|
+
|
|
+ uint32_t h = MIN(nHeight, nDstHeight);
|
|
+ if (nYDst > nDstHeight)
|
|
+ {
|
|
+ WLog_WARN(TAG, "glyphData copy area y exceeds destination: y=%" PRIu32 " > %" PRIu32,
|
|
+ nYDst, nDstHeight);
|
|
+ h = 0;
|
|
+ }
|
|
+ else if (nYDst + h > nDstHeight)
|
|
+ {
|
|
+ WLog_WARN(TAG,
|
|
+ "glyphData copy area y + height exceeds destination: x=%" PRIu32 " + %" PRIu32
|
|
+ " > %" PRIu32,
|
|
+ nYDst, h, nDstHeight);
|
|
+ h = nDstHeight - nYDst;
|
|
+ }
|
|
+
|
|
+ if (h != nHeight)
|
|
+ {
|
|
+ WLog_WARN(TAG,
|
|
+ "glyphData copy area height truncated: requested=%" PRIu32
|
|
+ ", truncated to %" PRIu32,
|
|
+ nHeight, h);
|
|
+ }
|
|
+ if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, w, h, pDstData,
|
|
DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE))
|
|
goto fail;
|
|
}
|