From 009269c4caeecb0c29c4769ca0db321289910025 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 31 Mar 2026 07:34:47 +0200
Subject: [PATCH] Fix use of nsc_process_message

Resolves: RHEL-155984
---
 ...c-nsc-fix-use-of-nsc_process_message.patch | 90 +++++++++++++++++++
 freerdp.spec                                  |  8 +-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 codec-nsc-fix-use-of-nsc_process_message.patch

diff --git a/codec-nsc-fix-use-of-nsc_process_message.patch b/codec-nsc-fix-use-of-nsc_process_message.patch
new file mode 100644
index 0000000..7c5ea64
--- /dev/null
+++ b/codec-nsc-fix-use-of-nsc_process_message.patch
@@ -0,0 +1,90 @@
+From 21cb0e2b96e4e86b4ed8b7a76d819808b898e93e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 31 Mar 2026 07:08:04 +0200
+Subject: [PATCH] [codec,nsc] fix use of nsc_process_message
+
+Backport of commit 169971607cece48384cb94632b829bd57336af0f.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/clear.c | 10 ++++++----
+ libfreerdp/codec/nsc.c   |  9 ++++++++-
+ libfreerdp/gdi/gdi.c     |  4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 4dbe72376..6627b21d6 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -103,7 +103,8 @@ static BOOL convert_color(BYTE* dst, UINT32 nDstStep, UINT32 DstFormat, UINT32 n
+ 
+ static BOOL clear_decompress_nscodec(NSC_CONTEXT* nsc, UINT32 width, UINT32 height, wStream* s,
+                                      UINT32 bitmapDataByteCount, BYTE* pDstData, UINT32 DstFormat,
+-                                     UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel)
++                                     UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel,
++                                     UINT32 nDstWidth, UINT32 nDstHeight)
+ {
+ 	BOOL rc;
+ 
+@@ -115,8 +116,8 @@ static BOOL clear_decompress_nscodec(NSC_CONTEXT* nsc, UINT32 width, UINT32 heig
+ 	}
+ 
+ 	rc = nsc_process_message(nsc, 32, width, height, Stream_Pointer(s), bitmapDataByteCount,
+-	                         pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel, width, height,
+-	                         FREERDP_FLIP_NONE);
++	                         pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel, nDstWidth,
++	                         nDstHeight, FREERDP_FLIP_NONE);
+ 	Stream_Seek(s, bitmapDataByteCount);
+ 	return rc;
+ }
+@@ -535,7 +536,8 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* clear, wStream* s,
+ 
+ 			case 1: /* NSCodec */
+ 				if (!clear_decompress_nscodec(clear->nsc, width, height, s, bitmapDataByteCount,
+-				                              pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel))
++				                              pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel,
++				                              nDstWidth, nDstHeight))
+ 					return FALSE;
+ 
+ 				break;
+diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c
+index a257ae24a..f50a1ae89 100644
+--- a/libfreerdp/codec/nsc.c
++++ b/libfreerdp/codec/nsc.c
+@@ -447,10 +447,17 @@ BOOL nsc_process_message(NSC_CONTEXT* context, UINT16 bpp, UINT32 width, UINT32
+                          UINT32 nDstStride, UINT32 nXDst, UINT32 nYDst, UINT32 nWidth,
+                          UINT32 nHeight, UINT32 flip)
+ {
++	WINPR_ASSERT(context);
++	WINPR_ASSERT(context->priv);
++
+ 	wStream* s;
+ 	BOOL ret;
+-	if (!context || !data || !pDstData)
++	if (!data || !pDstData)
++	{
++		WLog_Print(context->priv->log, WLOG_ERROR, "Invalid argument: data=%p, pDstData=%p",
++		           (const void*)data, (void*)pDstData);
+ 		return FALSE;
++	}
+ 
+ 	s = Stream_New((BYTE*)data, length);
+ 
+diff --git a/libfreerdp/gdi/gdi.c b/libfreerdp/gdi/gdi.c
+index 37a010431..8c5e4bf34 100644
+--- a/libfreerdp/gdi/gdi.c
++++ b/libfreerdp/gdi/gdi.c
+@@ -1074,8 +1074,8 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
+ 			if (!nsc_process_message(
+ 			        context->codecs->nsc, cmd->bmp.bpp, cmd->bmp.width, cmd->bmp.height,
+ 			        cmd->bmp.bitmapData, cmd->bmp.bitmapDataLength, gdi->primary_buffer, format,
+-			        gdi->stride, cmdRect.left, cmdRect.top, cmdRect.right - cmdRect.left,
+-			        cmdRect.bottom - cmdRect.top, FREERDP_FLIP_VERTICAL))
++			        gdi->stride, cmdRect.left, cmdRect.top, (UINT32)gdi->width, (UINT32)gdi->height,
++			        FREERDP_FLIP_VERTICAL))
+ 			{
+ 				WLog_ERR(TAG, "Failed to process NSCodec message");
+ 				goto out;
+-- 
+2.53.0
+
diff --git a/freerdp.spec b/freerdp.spec
index 64a9842..1aba30b 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -27,7 +27,7 @@
 
 Name:           freerdp
 Version:        2.11.7
-Release:        5%{?dist}
+Release:        6%{?dist}
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@@ -140,7 +140,9 @@ Patch29:        channel-rdpsnd-only-clean-up-thread-before-free.patch
 
 # CVE-2026-31806
 # https://github.com/FreeRDP/FreeRDP/commit/83d9aedea278a74af3e490ff5eeb889c016dbb2b
+# https://github.com/FreeRDP/FreeRDP/commit/169971607cece48384cb94632b829bd57336af0f
 Patch30:        codec-nsc-limit-copy-area-in-nsc_process_message.patch
+Patch31:        codec-nsc-fix-use-of-nsc_process_message.patch
 
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@@ -399,6 +401,10 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 
 %changelog
+* Tue Mar 31 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-6
+- Fix use of nsc_process_message
+  Resolves: RHEL-155984
+
 * Fri Mar 27 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-5
 - Backport several CVE fixes
   Resolves: RHEL-147954, RHEL-147955, RHEL-147970, RHEL-147977, RHEL-147980