From c8468cdc5b916ea8213c717b71a09380be6a1cd9515d6214981b7302a5e1893e Mon Sep 17 00:00:00 2001
From: Xiaoguang Wang <sun.wxg@gmail.com>
Date: Mon, 2 Feb 2026 10:44:57 +0800
Subject: [PATCH] Add xrdp-CVE-2025-68670.patch

---
 xrdp-CVE-2025-68670.patch | 68 +++++++++++++++++++++++++++++++++++++++
 xrdp.changes              |  6 ++++
 xrdp.spec                 |  3 ++
 3 files changed, 77 insertions(+)
 create mode 100644 xrdp-CVE-2025-68670.patch

diff --git a/xrdp-CVE-2025-68670.patch b/xrdp-CVE-2025-68670.patch
new file mode 100644
index 0000000..67fec6f
--- /dev/null
+++ b/xrdp-CVE-2025-68670.patch
@@ -0,0 +1,68 @@
+diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
+index 5df3232..018b38b 100644
+--- a/xrdp/xrdp_login_wnd.c
++++ b/xrdp/xrdp_login_wnd.c
+@@ -277,7 +277,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *wnd)
+ */
+ static int
+ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+-                                 int decode, char *resultBuffer)
++                                 int decode,
++                                 char *resultBuffer, unsigned int resultSize)
+ {
+     int ret;
+     int pos;
+@@ -287,8 +288,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+     /* If the first char in the domain name is '_' we use the domain
+        name as IP*/
+     ret = 0; /* default return value */
+-    /* resultBuffer assumed to be 256 chars */
+-    g_memset(resultBuffer, 0, 256);
++    g_memset(resultBuffer, 0, resultSize);
+     if (originalDomainInfo[0] == '_')
+     {
+         /* we try to locate a number indicating what combobox index the user
+@@ -298,7 +298,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+          * Invalid chars are ignored in microsoft client therefore we use '_'
+          * again. this sec '__' contains the split for index.*/
+         pos = g_pos(&originalDomainInfo[1], "__");
+-        if (pos > 0)
++        if (pos > 0 && (unsigned int)pos < resultSize)
+         {
+             /* an index is found we try to use it */
+             LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
+@@ -320,12 +320,12 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+                 }
+             }
+             /* pos limit the String to only contain the IP */
+-            g_strncpy(resultBuffer, &originalDomainInfo[1], pos);
++            strlcpy(resultBuffer, &originalDomainInfo[1], pos + 1);
+         }
+         else
+         {
+             LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
+-            g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
++            strlcpy(resultBuffer, &originalDomainInfo[1], resultSize);
+         }
+     }
+     return ret;
+@@ -450,7 +450,8 @@ xrdp_wm_show_edits(struct xrdp_wm *self, struct xrdp_bitmap *combo)
+                     {
+                         xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+-                            combo->data_list->count, 0, resultIP);
++                            combo->data_list->count, 0,
++                            resultIP, sizeof(resultIP));
+                         g_strncpy(b->caption1, resultIP, 255);
+                         b->edit_pos = g_mbstowcs(0, b->caption1, 0);
+                     }
+@@ -875,7 +876,8 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
+     combo->item_index = xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+                             combo->data_list->count, 1,
+-                            resultIP /* just a dummy place holder, we ignore */ );
++                            resultIP,/* just a dummy place holder, we ignore */
++                            sizeof(resultIP));
+     xrdp_wm_show_edits(self, combo);
+ 
+     return 0;
diff --git a/xrdp.changes b/xrdp.changes
index 29fce7b..14dc944 100644
--- a/xrdp.changes
+++ b/xrdp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 30 06:19:37 UTC 2026 - Xiaoguang Wang <xiaoguang.wang@suse.com>
+
+- Add xrdp-CVE-2025-68670.patch: Fix a potential overflow
+  (bsc#1257362 CVE-2025-68670).
+
 -------------------------------------------------------------------
 Sat May  3 20:51:12 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
 
diff --git a/xrdp.spec b/xrdp.spec
index 306d891..867e1c0 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -43,6 +43,8 @@ Patch4:         xrdp-disable-8-bpp-vnc-support.patch
 Patch5:         xrdp-support-KillDisconnected-for-Xvnc.patch
 # PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 - fezhang@suse.com -- Let systemd handle the daemons
 Patch6:         xrdp-systemd-services.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2025-68670.patch bsc#1257362 - xwang@suse.com -- Fix a potential overflow
+Patch7:        xrdp-CVE-2025-68670.patch
 
 # Keep SLE only patches on the bottom starting from patch number 1001
 # PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support.
@@ -105,6 +107,7 @@ This package contains libraries for the JPEG2000 codec for RDP.
 %patch -P 4 -p1
 %patch -P 5 -p1
 %patch -P 6 -p1
+%patch -P 7 -p1
 %if 0%{?sle_version}
 %patch -P 1001 -p1
 %patch -P 1002 -p1
-- 
2.51.1