Backport several CVE fixes

It fixes CVE-2026-26955 and CVE-2026-26965.

Resolves: RHEL-151979, RHEL-152206
This commit is contained in:
Ondrej Holy 2026-03-25 08:59:29 +01:00
parent 46c186ca8f
commit 0ca845c6ac
3 changed files with 109 additions and 1 deletions

View File

@ -0,0 +1,41 @@
From 7178a5554d7147a47fb7a85bba8c681f59e2a714 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 9 Mar 2026 13:55:29 +0100
Subject: [PATCH] [codec,clear] fix destination checks
Backport of commit 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77.
Made-with: Cursor
---
libfreerdp/codec/clear.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index a989a9bff..4dbe72376 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -494,15 +494,16 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* clear, wStream* s,
nXDstRel = nXDst + xStart;
nYDstRel = nYDst + yStart;
- if (width > nWidth)
+ if (1ull * nXDstRel + width > nDstWidth)
{
- WLog_ERR(TAG, "width %" PRIu16 " > nWidth %" PRIu32 "", width, nWidth);
+ WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "",
+ nXDstRel, width, nDstWidth);
return FALSE;
}
-
- if (height > nHeight)
+ if (1ull * nYDstRel + height > nDstHeight)
{
- WLog_ERR(TAG, "height %" PRIu16 " > nHeight %" PRIu32 "", height, nHeight);
+ WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "",
+ nYDstRel, height, nDstHeight);
return FALSE;
}
--
2.53.0

View File

@ -0,0 +1,55 @@
From eca8a1a876b77de5da60b18793e35e5c0714ef97 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 9 Mar 2026 12:56:11 +0100
Subject: [PATCH] [codec,planar]: fix missing destination bounds checks
Backport of commit a0be5cb87d760bb1c803ad1bb835aa1e73e62abc.
Made-with: Cursor
---
libfreerdp/codec/planar.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 1cb2e22bc..9b4d13057 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -621,8 +621,9 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
if (planar->maxHeight < nSrcHeight)
return FALSE;
+ const UINT32 bpp = GetBytesPerPixel(DstFormat);
if (nDstStep <= 0)
- nDstStep = nDstWidth * GetBytesPerPixel(DstFormat);
+ nDstStep = nDstWidth * bpp;
srcp = pSrcData;
@@ -831,6 +832,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
}
else /* RLE */
{
+ if (nYDst + nSrcHeight > nTotalHeight)
+ {
+ WLog_ERR(TAG,
+ "planar plane destination Y %" PRIu32 " + height %" PRIu32
+ " exceeds totalHeight %" PRIu32,
+ nYDst, nSrcHeight, nTotalHeight);
+ return FALSE;
+ }
+
+ if ((nXDst + nSrcWidth) * bpp > nDstStep)
+ {
+ WLog_ERR(TAG,
+ "planar plane destination (X %" PRIu32 " + width %" PRIu32
+ ") * bpp %" PRIu32 " exceeds stride %" PRIu32,
+ nXDst, nSrcWidth, bpp, nDstStep);
+ return FALSE;
+ }
+
status =
planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst,
nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */
--
2.53.0

View File

@ -27,7 +27,7 @@
Name: freerdp
Version: 2.11.7
Release: 3%{?dist}
Release: 4%{?dist}
Epoch: 2
Summary: Free implementation of the Remote Desktop Protocol (RDP)
License: ASL 2.0
@ -72,6 +72,14 @@ Patch9: crypto-base64-ensure-char-is-singend.patch
# https://github.com/FreeRDP/FreeRDP/commit/7b7e6de8fe427a2f01d331056774aec69710590b
Patch10: channels-urbdrc-check-interface-indices-before-use.patch
# CVE-2026-26955
# https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77
Patch11: codec-clear-fix-destination-checks.patch
# CVE-2026-26965
# https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
Patch12: codec-planar-fix-missing-destination-bounds-checks.patch
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
@ -329,6 +337,10 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools2.pc
%changelog
* Wed Mar 25 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-4
- Backport several CVE fixes
Resolves: RHEL-151979, RHEL-152206
* Tue Feb 17 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-3
- Backport several CVE fixes
Resolves: RHEL-148825, RHEL-148865, RHEL-148982