diff --git a/cache-offscreen-invalidate-bitmap-before-free.patch b/cache-offscreen-invalidate-bitmap-before-free.patch new file mode 100644 index 0000000..33e094d --- /dev/null +++ b/cache-offscreen-invalidate-bitmap-before-free.patch @@ -0,0 +1,46 @@ +From 4a4126380430a3517d1015b628475b816705ceb4 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:52:16 +0100 +Subject: [PATCH] [cache,offscreen] invalidate bitmap before free + +Backport of commit 52106a26726a2aba77aa6d86014d2eb3507f0783. + +Co-Authored-By: Claude +--- + libfreerdp/cache/offscreen.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/libfreerdp/cache/offscreen.c b/libfreerdp/cache/offscreen.c +index cdad56b4d..11e6caf21 100644 +--- a/libfreerdp/cache/offscreen.c ++++ b/libfreerdp/cache/offscreen.c +@@ -160,7 +160,7 @@ void offscreen_cache_put(rdpOffscreenCache* offscreenCache, UINT32 index, rdpBit + + void offscreen_cache_delete(rdpOffscreenCache* offscreenCache, UINT32 index) + { +- rdpBitmap* prevBitmap; ++ WINPR_ASSERT(offscreenCache); + + if (index >= offscreenCache->maxEntries) + { +@@ -168,10 +168,16 @@ void offscreen_cache_delete(rdpOffscreenCache* offscreenCache, UINT32 index) + return; + } + +- prevBitmap = offscreenCache->entries[index]; ++ rdpBitmap* prevBitmap = offscreenCache->entries[index]; + + if (prevBitmap != NULL) ++ { ++ WINPR_ASSERT(offscreenCache->update->context); ++ ++ /* Ensure that the bitmap is no longer used in GDI */ ++ IFCALL(prevBitmap->SetSurface, offscreenCache->update->context, NULL, FALSE); + Bitmap_Free(offscreenCache->update->context, prevBitmap); ++ } + + offscreenCache->entries[index] = NULL; + } +-- +2.52.0 + diff --git a/client-x11-fix-double-free-in-case-of-invalid-pointe.patch b/client-x11-fix-double-free-in-case-of-invalid-pointe.patch new file mode 100644 index 0000000..a3074ec --- /dev/null +++ b/client-x11-fix-double-free-in-case-of-invalid-pointe.patch @@ -0,0 +1,53 @@ +From c0e85d92e45dff6c9a12e6af5be2e9ed10b4990c Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:51:08 +0100 +Subject: [PATCH] [client,x11] fix double free in case of invalid pointer + +Backport of commit 0421b53fcb4a80c95f51342e4a2c40c68a4101d3. + +Co-Authored-By: Claude +--- + client/X11/xf_graphics.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/client/X11/xf_graphics.c b/client/X11/xf_graphics.c +index 5aa1fd48b..d596b23da 100644 +--- a/client/X11/xf_graphics.c ++++ b/client/X11/xf_graphics.c +@@ -406,7 +406,6 @@ static BOOL xf_Pointer_New(rdpContext* context, rdpPointer* pointer) + BOOL rc = FALSE; + #ifdef WITH_XCURSOR + UINT32 CursorFormat; +- size_t size; + xfContext* xfc = (xfContext*)context; + xfPointer* xpointer = (xfPointer*)pointer; + +@@ -421,19 +420,19 @@ static BOOL xf_Pointer_New(rdpContext* context, rdpPointer* pointer) + xpointer->nCursors = 0; + xpointer->mCursors = 0; + +- size = 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat); ++ const size_t size = ++ 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat); + +- if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16))) ++ xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16); ++ if (!xpointer->cursorPixels) + goto fail; + + if (!freerdp_image_copy_from_pointer_data( + (BYTE*)xpointer->cursorPixels, CursorFormat, 0, 0, 0, pointer->width, pointer->height, + pointer->xorMaskData, pointer->lengthXorMask, pointer->andMaskData, + pointer->lengthAndMask, pointer->xorBpp, &context->gdi->palette)) +- { +- _aligned_free(xpointer->cursorPixels); +- return FALSE; +- } ++ goto fail; ++ + rc = TRUE; + + #endif +-- +2.52.0 + diff --git a/codec-clear-check-clear_decomress-glyphData.patch b/codec-clear-check-clear_decomress-glyphData.patch new file mode 100644 index 0000000..3828919 --- /dev/null +++ b/codec-clear-check-clear_decomress-glyphData.patch @@ -0,0 +1,76 @@ +From 3a4ee3f0020977320066b99da16456b6364c1365 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:50:22 +0100 +Subject: [PATCH] [codec,clear] check clear_decomress glyphData + +Backport of commit 243ecf804bb122e8e643a5c142ad5a49d7aa19ee. + +Co-Authored-By: Claude +--- + libfreerdp/codec/clear.c | 50 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 49 insertions(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c +index 4f0aead10..fcafb9235 100644 +--- a/libfreerdp/codec/clear.c ++++ b/libfreerdp/codec/clear.c +@@ -1145,7 +1145,55 @@ INT32 clear_decompress(CLEAR_CONTEXT* clear, const BYTE* pSrcData, UINT32 SrcSiz + + if (glyphData) + { +- if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData, ++ uint32_t w = MIN(nWidth, nDstWidth); ++ if (nXDst > nDstWidth) ++ { ++ WLog_WARN(TAG, "glyphData copy area x exceeds destination: x=%" PRIu32 " > %" PRIu32, ++ nXDst, nDstWidth); ++ w = 0; ++ } ++ else if (nXDst + w > nDstWidth) ++ { ++ WLog_WARN(TAG, ++ "glyphData copy area x + width exceeds destination: x=%" PRIu32 " + %" PRIu32 ++ " > %" PRIu32, ++ nXDst, w, nDstWidth); ++ w = nDstWidth - nXDst; ++ } ++ ++ if (w != nWidth) ++ { ++ WLog_WARN(TAG, ++ "glyphData copy area width truncated: requested=%" PRIu32 ++ ", truncated to %" PRIu32, ++ nWidth, w); ++ } ++ ++ uint32_t h = MIN(nHeight, nDstHeight); ++ if (nYDst > nDstHeight) ++ { ++ WLog_WARN(TAG, "glyphData copy area y exceeds destination: y=%" PRIu32 " > %" PRIu32, ++ nYDst, nDstHeight); ++ h = 0; ++ } ++ else if (nYDst + h > nDstHeight) ++ { ++ WLog_WARN(TAG, ++ "glyphData copy area y + height exceeds destination: x=%" PRIu32 " + %" PRIu32 ++ " > %" PRIu32, ++ nYDst, h, nDstHeight); ++ h = nDstHeight - nYDst; ++ } ++ ++ if (h != nHeight) ++ { ++ WLog_WARN(TAG, ++ "glyphData copy area height truncated: requested=%" PRIu32 ++ ", truncated to %" PRIu32, ++ nHeight, h); ++ } ++ ++ if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, w, h, pDstData, + DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE)) + goto fail; + } +-- +2.52.0 + diff --git a/codec-clear-fix-clear_resize_buffer-checks.patch b/codec-clear-fix-clear_resize_buffer-checks.patch new file mode 100644 index 0000000..e79f801 --- /dev/null +++ b/codec-clear-fix-clear_resize_buffer-checks.patch @@ -0,0 +1,61 @@ +From 00a593f9eda67212539e4dcac68ea5a699eb3e93 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:48:37 +0100 +Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks + +Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748. + +Co-Authored-By: Claude +--- + libfreerdp/codec/clear.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c +index e38fa0dcf..299acef2e 100644 +--- a/libfreerdp/codec/clear.c ++++ b/libfreerdp/codec/clear.c +@@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT + NSC_CONTEXT* nsc; + UINT32 seqNumber; + BYTE* TempBuffer; +- UINT32 TempSize; ++ size_t TempSize; + UINT32 nTempStep; + UINT32 TempFormat; + UINT32 format; +@@ -313,24 +313,25 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount + + static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height) + { +- UINT32 size; +- + if (!clear) + return FALSE; + +- size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format)); ++ const UINT64 size = 1ull * (width + 16ull) * (height + 16ull); ++ const size_t bpp = GetBytesPerPixel(clear->format); ++ if (size > UINT32_MAX / bpp) ++ return FALSE; + +- if (size > clear->TempSize) ++ if (size > clear->TempSize / bpp) + { +- BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size); ++ BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp); + + if (!tmp) + { +- WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu32 " bytes", size); ++ WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu64 " bytes", size); + return FALSE; + } + +- clear->TempSize = size; ++ clear->TempSize = size * bpp; + clear->TempBuffer = tmp; + } + +-- +2.52.0 + diff --git a/codec-clear-fix-off-by-one-length-check.patch b/codec-clear-fix-off-by-one-length-check.patch new file mode 100644 index 0000000..d300c1d --- /dev/null +++ b/codec-clear-fix-off-by-one-length-check.patch @@ -0,0 +1,35 @@ +From 5b03db3926bd7bc1bf5819de068ed71a73b25236 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:49:28 +0100 +Subject: [PATCH] [codec,clear] fix off by one length check + +Backport of commit f8688b57f6cfad9a0b05475a6afbde355ffab720. + +Co-Authored-By: Claude +--- + libfreerdp/codec/clear.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c +index 09f5dad6d..4f0aead10 100644 +--- a/libfreerdp/codec/clear.c ++++ b/libfreerdp/codec/clear.c +@@ -881,11 +881,14 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32 + if (count > nHeight) + count = nHeight; + +- if (nXDstRel + i > nDstWidth) ++ if (nXDstRel + i >= nDstWidth) + return FALSE; + + for (UINT32 y = 0; y < count; y++) + { ++ if (nYDstRel + y >= nDstHeight) ++ return FALSE; ++ + BYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) + + ((nXDstRel + i) * GetBytesPerPixel(DstFormat))]; + UINT32 color = ReadColor(cpSrcPixel, clear->format); +-- +2.52.0 + diff --git a/codec-planar-fix-decoder-length-checks.patch b/codec-planar-fix-decoder-length-checks.patch new file mode 100644 index 0000000..a8d2c99 --- /dev/null +++ b/codec-planar-fix-decoder-length-checks.patch @@ -0,0 +1,31 @@ +From 2d656eb6b29a68de7f19e8a1cce169259e7506b4 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Tue, 27 Jan 2026 14:35:43 +0100 +Subject: [PATCH] [codec,planar] fix decoder length checks + +Backport of commit 1bab198a2edd0d0e6e1627d21a433151ea190. + +Co-Authored-By: Claude +--- + libfreerdp/codec/planar.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c +index fe27011e1..1cb2e22bc 100644 +--- a/libfreerdp/codec/planar.c ++++ b/libfreerdp/codec/planar.c +@@ -616,6 +616,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + WINPR_ASSERT(planar); + WINPR_ASSERT(prims); + ++ if (planar->maxWidth < nSrcWidth) ++ return FALSE; ++ if (planar->maxHeight < nSrcHeight) ++ return FALSE; ++ + if (nDstStep <= 0) + nDstStep = nDstWidth * GetBytesPerPixel(DstFormat); + +-- +2.52.0 + diff --git a/freerdp.spec b/freerdp.spec index f052efd..3670e3a 100644 --- a/freerdp.spec +++ b/freerdp.spec @@ -27,7 +27,7 @@ Name: freerdp Version: 2.11.7 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 Summary: Free implementation of the Remote Desktop Protocol (RDP) License: ASL 2.0 @@ -39,6 +39,27 @@ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{ # https://issues.redhat.com/browse/RHEL-53081 Patch0: Revert-Moved-clipboard-utils-to-core-library-fixes-6.patch +# https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c +Patch1: gdi-gfx-properly-clamp-SurfaceToSurface.patch + +# https://github.com/FreeRDP/FreeRDP/commit/c4391827d7facfc874ca7f61a92afb82232a5748 +Patch2: codec-clear-fix-clear_resize_buffer-checks.patch + +# https://github.com/FreeRDP/FreeRDP/commit/f8688b57f6cfad9a0b05475a6afbde355ffab720 +Patch3: codec-clear-fix-off-by-one-length-check.patch + +# https://github.com/FreeRDP/FreeRDP/commit/1bab198a2edd0d0e6e1627d21a433151ea190500 +Patch4: codec-planar-fix-decoder-length-checks.patch + +# https://github.com/FreeRDP/FreeRDP/commit/243ecf804bb122e8e643a5c142ad5a49d7aa19ee +Patch5: codec-clear-check-clear_decomress-glyphData.patch + +# https://github.com/FreeRDP/FreeRDP/commit/0421b53fcb4a80c95f51342e4a2c40c68a4101d3 +Patch6: client-x11-fix-double-free-in-case-of-invalid-pointe.patch + +# https://github.com/FreeRDP/FreeRDP/commit/52106a26726a2aba77aa6d86014d2eb3507f0783 +Patch7: cache-offscreen-invalidate-bitmap-before-free.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel @@ -296,6 +317,11 @@ find %{buildroot} -name "*.a" -delete %{_libdir}/pkgconfig/winpr-tools2.pc %changelog +* Tue Jan 27 2026 Ondrej Holy - 2:2.11.7-2 +- Backport several CVE fixes + Resolves: RHEL-142417, RHEL-142401, RHEL-142385, RHEL-142369, RHEL-142353 + Resolves: RHEL-142337, RHEL-142321 + * Tue Oct 01 2024 Ondrej Holy - 2:2.11.7-1 - Update to 2.11.7 (RHEL-53081) diff --git a/gdi-gfx-properly-clamp-SurfaceToSurface.patch b/gdi-gfx-properly-clamp-SurfaceToSurface.patch new file mode 100644 index 0000000..8002877 --- /dev/null +++ b/gdi-gfx-properly-clamp-SurfaceToSurface.patch @@ -0,0 +1,50 @@ +From ef99da020599a666b7d171eec6ab527b47dd33f3 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 22 Jan 2026 12:47:42 +0100 +Subject: [PATCH] [gdi,gfx] properly clamp SurfaceToSurface + +Backport of commit c4a7c371342edf0d307cea728f56d3302f0ab38c. + +Co-Authored-By: Claude +--- + libfreerdp/gdi/gfx.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c +index 3970715e0..968a5a17c 100644 +--- a/libfreerdp/gdi/gfx.c ++++ b/libfreerdp/gdi/gfx.c +@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context, + UINT status = ERROR_INTERNAL_ERROR; + UINT16 index; + BOOL sameSurface; +- UINT32 nWidth, nHeight; + const RECTANGLE_16* rectSrc; + RECTANGLE_16 invalidRect; + gdiGfxSurface* surfaceSrc; +@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context, + if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height)) + goto fail; + +- nWidth = rectSrc->right - rectSrc->left; +- nHeight = rectSrc->bottom - rectSrc->top; ++ const UINT32 nWidth = rectSrc->right - rectSrc->left; ++ const UINT32 nHeight = rectSrc->bottom - rectSrc->top; + + for (index = 0; index < surfaceToSurface->destPtsCount; index++) + { +@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context, + if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height)) + goto fail; + ++ const UINT32 rwidth = rect.right - rect.left; ++ const UINT32 rheight = rect.bottom - rect.top; + if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline, +- destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data, ++ destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data, + surfaceSrc->format, surfaceSrc->scanline, rectSrc->left, + rectSrc->top, NULL, FREERDP_FLIP_NONE)) + goto fail; +-- +2.52.0 +