rpms/freerdp
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2026-02-06 07:28:28 +00:00
parent 1178f88fc5
commit 92946c8118
9 changed files with 380 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/FreeRDP-2.11.7.tar.gz
SOURCES/FreeRDP-2.11.7.tar.gz

46
SOURCES/cache-offscreen-invalidate-bitmap-before-free.patch Normal file
View File

@ -0,0 +1,46 @@
From 4a4126380430a3517d1015b628475b816705ceb4 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:52:16 +0100
Subject: [PATCH] [cache,offscreen] invalidate bitmap before free
Backport of commit 52106a26726a2aba77aa6d86014d2eb3507f0783.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/cache/offscreen.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/cache/offscreen.c b/libfreerdp/cache/offscreen.c
index cdad56b4d..11e6caf21 100644
--- a/libfreerdp/cache/offscreen.c
+++ b/libfreerdp/cache/offscreen.c
@@ -160,7 +160,7 @@ void offscreen_cache_put(rdpOffscreenCache* offscreenCache, UINT32 index, rdpBit
void offscreen_cache_delete(rdpOffscreenCache* offscreenCache, UINT32 index)
{
- rdpBitmap* prevBitmap;
+ WINPR_ASSERT(offscreenCache);
if (index >= offscreenCache->maxEntries)
{
@@ -168,10 +168,16 @@ void offscreen_cache_delete(rdpOffscreenCache* offscreenCache, UINT32 index)
return;
}
- prevBitmap = offscreenCache->entries[index];
+ rdpBitmap* prevBitmap = offscreenCache->entries[index];
if (prevBitmap != NULL)
+ {
+ WINPR_ASSERT(offscreenCache->update->context);
+
+ /* Ensure that the bitmap is no longer used in GDI */
+ IFCALL(prevBitmap->SetSurface, offscreenCache->update->context, NULL, FALSE);
Bitmap_Free(offscreenCache->update->context, prevBitmap);
+ }
offscreenCache->entries[index] = NULL;
}
--
2.52.0

53
SOURCES/client-x11-fix-double-free-in-case-of-invalid-pointe.patch Normal file
View File

@ -0,0 +1,53 @@
From c0e85d92e45dff6c9a12e6af5be2e9ed10b4990c Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:51:08 +0100
Subject: [PATCH] [client,x11] fix double free in case of invalid pointer
Backport of commit 0421b53fcb4a80c95f51342e4a2c40c68a4101d3.
Co-Authored-By: Claude <noreply@anthropic.com>
---
client/X11/xf_graphics.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/client/X11/xf_graphics.c b/client/X11/xf_graphics.c
index 5aa1fd48b..d596b23da 100644
--- a/client/X11/xf_graphics.c
+++ b/client/X11/xf_graphics.c
@@ -406,7 +406,6 @@ static BOOL xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
BOOL rc = FALSE;
#ifdef WITH_XCURSOR
UINT32 CursorFormat;
- size_t size;
xfContext* xfc = (xfContext*)context;
xfPointer* xpointer = (xfPointer*)pointer;
@@ -421,19 +420,19 @@ static BOOL xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
xpointer->nCursors = 0;
xpointer->mCursors = 0;
- size = 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
+ const size_t size =
+ 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
- if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16)))
+ xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16);
+ if (!xpointer->cursorPixels)
goto fail;
if (!freerdp_image_copy_from_pointer_data(
(BYTE*)xpointer->cursorPixels, CursorFormat, 0, 0, 0, pointer->width, pointer->height,
pointer->xorMaskData, pointer->lengthXorMask, pointer->andMaskData,
pointer->lengthAndMask, pointer->xorBpp, &context->gdi->palette))
- {
- _aligned_free(xpointer->cursorPixels);
- return FALSE;
- }
+ goto fail;
+
rc = TRUE;
#endif
--
2.52.0

76
SOURCES/codec-clear-check-clear_decomress-glyphData.patch Normal file
View File

@ -0,0 +1,76 @@
From 3a4ee3f0020977320066b99da16456b6364c1365 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:50:22 +0100
Subject: [PATCH] [codec,clear] check clear_decomress glyphData
Backport of commit 243ecf804bb122e8e643a5c142ad5a49d7aa19ee.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/codec/clear.c | 50 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index 4f0aead10..fcafb9235 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -1145,7 +1145,55 @@ INT32 clear_decompress(CLEAR_CONTEXT* clear, const BYTE* pSrcData, UINT32 SrcSiz
if (glyphData)
{
- if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData,
+ uint32_t w = MIN(nWidth, nDstWidth);
+ if (nXDst > nDstWidth)
+ {
+ WLog_WARN(TAG, "glyphData copy area x exceeds destination: x=%" PRIu32 " > %" PRIu32,
+ nXDst, nDstWidth);
+ w = 0;
+ }
+ else if (nXDst + w > nDstWidth)
+ {
+ WLog_WARN(TAG,
+ "glyphData copy area x + width exceeds destination: x=%" PRIu32 " + %" PRIu32
+ " > %" PRIu32,
+ nXDst, w, nDstWidth);
+ w = nDstWidth - nXDst;
+ }
+
+ if (w != nWidth)
+ {
+ WLog_WARN(TAG,
+ "glyphData copy area width truncated: requested=%" PRIu32
+ ", truncated to %" PRIu32,
+ nWidth, w);
+ }
+
+ uint32_t h = MIN(nHeight, nDstHeight);
+ if (nYDst > nDstHeight)
+ {
+ WLog_WARN(TAG, "glyphData copy area y exceeds destination: y=%" PRIu32 " > %" PRIu32,
+ nYDst, nDstHeight);
+ h = 0;
+ }
+ else if (nYDst + h > nDstHeight)
+ {
+ WLog_WARN(TAG,
+ "glyphData copy area y + height exceeds destination: x=%" PRIu32 " + %" PRIu32
+ " > %" PRIu32,
+ nYDst, h, nDstHeight);
+ h = nDstHeight - nYDst;
+ }
+
+ if (h != nHeight)
+ {
+ WLog_WARN(TAG,
+ "glyphData copy area height truncated: requested=%" PRIu32
+ ", truncated to %" PRIu32,
+ nHeight, h);
+ }
+
+ if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, w, h, pDstData,
DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE))
goto fail;
}
--
2.52.0

61
SOURCES/codec-clear-fix-clear_resize_buffer-checks.patch Normal file
View File

@ -0,0 +1,61 @@
From 00a593f9eda67212539e4dcac68ea5a699eb3e93 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:48:37 +0100
Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks
Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/codec/clear.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index e38fa0dcf..299acef2e 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT
NSC_CONTEXT* nsc;
UINT32 seqNumber;
BYTE* TempBuffer;
- UINT32 TempSize;
+ size_t TempSize;
UINT32 nTempStep;
UINT32 TempFormat;
UINT32 format;
@@ -313,24 +313,25 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)
{
- UINT32 size;
-
if (!clear)
return FALSE;
- size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));
+ const UINT64 size = 1ull * (width + 16ull) * (height + 16ull);
+ const size_t bpp = GetBytesPerPixel(clear->format);
+ if (size > UINT32_MAX / bpp)
+ return FALSE;
- if (size > clear->TempSize)
+ if (size > clear->TempSize / bpp)
{
- BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size);
+ BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp);
if (!tmp)
{
- WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu32 " bytes", size);
+ WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu64 " bytes", size);
return FALSE;
}
- clear->TempSize = size;
+ clear->TempSize = size * bpp;
clear->TempBuffer = tmp;
}
--
2.52.0

35
SOURCES/codec-clear-fix-off-by-one-length-check.patch Normal file
View File

@ -0,0 +1,35 @@
From 5b03db3926bd7bc1bf5819de068ed71a73b25236 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:49:28 +0100
Subject: [PATCH] [codec,clear] fix off by one length check
Backport of commit f8688b57f6cfad9a0b05475a6afbde355ffab720.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/codec/clear.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index 09f5dad6d..4f0aead10 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -881,11 +881,14 @@ static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32
if (count > nHeight)
count = nHeight;
- if (nXDstRel + i > nDstWidth)
+ if (nXDstRel + i >= nDstWidth)
return FALSE;
for (UINT32 y = 0; y < count; y++)
{
+ if (nYDstRel + y >= nDstHeight)
+ return FALSE;
+
BYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) +
((nXDstRel + i) * GetBytesPerPixel(DstFormat))];
UINT32 color = ReadColor(cpSrcPixel, clear->format);
--
2.52.0

31
SOURCES/codec-planar-fix-decoder-length-checks.patch Normal file
View File

@ -0,0 +1,31 @@
From 2d656eb6b29a68de7f19e8a1cce169259e7506b4 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 27 Jan 2026 14:35:43 +0100
Subject: [PATCH] [codec,planar] fix decoder length checks
Backport of commit 1bab198a2edd0d0e6e1627d21a433151ea190.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/codec/planar.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index fe27011e1..1cb2e22bc 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -616,6 +616,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
WINPR_ASSERT(planar);
WINPR_ASSERT(prims);
+ if (planar->maxWidth < nSrcWidth)
+ return FALSE;
+ if (planar->maxHeight < nSrcHeight)
+ return FALSE;
+
if (nDstStep <= 0)
nDstStep = nDstWidth * GetBytesPerPixel(DstFormat);
--
2.52.0

50
SOURCES/gdi-gfx-properly-clamp-SurfaceToSurface.patch Normal file
View File

@ -0,0 +1,50 @@
From ef99da020599a666b7d171eec6ab527b47dd33f3 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 22 Jan 2026 12:47:42 +0100
Subject: [PATCH] [gdi,gfx] properly clamp SurfaceToSurface
Backport of commit c4a7c371342edf0d307cea728f56d3302f0ab38c.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/gdi/gfx.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
index 3970715e0..968a5a17c 100644
--- a/libfreerdp/gdi/gfx.c
+++ b/libfreerdp/gdi/gfx.c
@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
UINT status = ERROR_INTERNAL_ERROR;
UINT16 index;
BOOL sameSurface;
- UINT32 nWidth, nHeight;
const RECTANGLE_16* rectSrc;
RECTANGLE_16 invalidRect;
gdiGfxSurface* surfaceSrc;
@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height))
goto fail;
- nWidth = rectSrc->right - rectSrc->left;
- nHeight = rectSrc->bottom - rectSrc->top;
+ const UINT32 nWidth = rectSrc->right - rectSrc->left;
+ const UINT32 nHeight = rectSrc->bottom - rectSrc->top;
for (index = 0; index < surfaceToSurface->destPtsCount; index++)
{
@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height))
goto fail;
+ const UINT32 rwidth = rect.right - rect.left;
+ const UINT32 rheight = rect.bottom - rect.top;
if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline,
- destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data,
+ destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data,
surfaceSrc->format, surfaceSrc->scanline, rectSrc->left,
rectSrc->top, NULL, FREERDP_FLIP_NONE))
goto fail;
--
2.52.0

28
SPECS/freerdp.spec
View File

@ -27,7 +27,7 @@
Name: freerdp
Version: 2.11.7
Release: 1%{?dist}
Release: 2%{?dist}
Epoch: 2
Summary: Free implementation of the Remote Desktop Protocol (RDP)
License: ASL 2.0
@ -39,6 +39,27 @@ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{
# https://issues.redhat.com/browse/RHEL-53081
Patch0: Revert-Moved-clipboard-utils-to-core-library-fixes-6.patch
# https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c
Patch1: gdi-gfx-properly-clamp-SurfaceToSurface.patch
# https://github.com/FreeRDP/FreeRDP/commit/c4391827d7facfc874ca7f61a92afb82232a5748
Patch2: codec-clear-fix-clear_resize_buffer-checks.patch
# https://github.com/FreeRDP/FreeRDP/commit/f8688b57f6cfad9a0b05475a6afbde355ffab720
Patch3: codec-clear-fix-off-by-one-length-check.patch
# https://github.com/FreeRDP/FreeRDP/commit/1bab198a2edd0d0e6e1627d21a433151ea190500
Patch4: codec-planar-fix-decoder-length-checks.patch
# https://github.com/FreeRDP/FreeRDP/commit/243ecf804bb122e8e643a5c142ad5a49d7aa19ee
Patch5: codec-clear-check-clear_decomress-glyphData.patch
# https://github.com/FreeRDP/FreeRDP/commit/0421b53fcb4a80c95f51342e4a2c40c68a4101d3
Patch6: client-x11-fix-double-free-in-case-of-invalid-pointe.patch
# https://github.com/FreeRDP/FreeRDP/commit/52106a26726a2aba77aa6d86014d2eb3507f0783
Patch7: cache-offscreen-invalidate-bitmap-before-free.patch
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
@ -296,6 +317,11 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools2.pc
%changelog
* Tue Jan 27 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-2
- Backport several CVE fixes
Resolves: RHEL-142417, RHEL-142401, RHEL-142385, RHEL-142369, RHEL-142353
Resolves: RHEL-142337, RHEL-142321
* Tue Oct 01 2024 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-1
- Update to 2.11.7 (RHEL-53081)