import Oracle_OSS freerdp-3.10.3-5.el10_1.6

2026-04-16 12:37:34 -04:00 · 2026-04-16 12:37:34 -04:00 · acb0a4e76e
commit acb0a4e76e
parent 33ebd2c72c
4 changed files with 163 additions and 1 deletions
--- a/codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch
+++ b/codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch
@ -0,0 +1,29 @@
+From a2dde6d9832cb032e8cf12cab3da84dafbab9006 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Wed, 25 Mar 2026 09:48:54 +0100
+Subject: [PATCH] [codec,clear] update CLEAR_VBAR_ENTRY::size after alloc
+
+---
+ libfreerdp/codec/clear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 67ae4f3656f8..b8ae99e80b03 100644
+--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
+@@ -567,7 +567,6 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* WINPR_RESTRICT clear,
+ 		const UINT32 oldPos = vBarEntry->size * bpp;
+ 		const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp;
+ 
+-		vBarEntry->size = vBarEntry->count;
+ 		BYTE* tmp =
+ 		    (BYTE*)winpr_aligned_recalloc(vBarEntry->pixels, vBarEntry->count, 1ull * bpp, 32);
+ 
+@@ -580,6 +579,7 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* WINPR_RESTRICT clear,
+ 
+ 		memset(&tmp[oldPos], 0, diffSize);
+ 		vBarEntry->pixels = tmp;
+		vBarEntry->size = vBarEntry->count;
+ 	}
+ 
+ 	if (!vBarEntry->pixels && vBarEntry->size)
--- a/codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch
+++ b/codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch
@ -0,0 +1,89 @@
+From 78188ab479c8e6eb9ba2475b3732c76b4bbe5425 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 13 Apr 2026 14:00:00 +0200
+Subject: [PATCH] [codec,progressive] Fail progressive_rfx_quant_sub on invalid
+ values
+
+Backport of commit 78188ab479c8e6eb9ba2475b3732c76b4bbe5425.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/progressive.c | 42 ++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
+index d499860..554e179 100644
+--- a/libfreerdp/codec/progressive.c
+++ b/libfreerdp/codec/progressive.c
+@@ -121,20 +121,51 @@ static INLINE void progressive_rfx_quant_lsub(RFX_COMPONENT_CODEC_QUANT* WINPR_R
+ 	q->LL3 -= val; /* LL3 */
+ }
+ 
+-static INLINE void progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* WINPR_RESTRICT q1,
+static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* WINPR_RESTRICT q1,
+                                              const RFX_COMPONENT_CODEC_QUANT* WINPR_RESTRICT q2,
+                                              RFX_COMPONENT_CODEC_QUANT* dst)
+ {
+	if (q1->HH1 < q2->HL1)
+		return FALSE;
+ 	dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */
+
+	if (q1->LH1 < q2->LH1)
+		return FALSE;
+ 	dst->LH1 = q1->LH1 - q2->LH1; /* LH1 */
+
+	if (q1->HH1 < q2->HH1)
+		return FALSE;
+ 	dst->HH1 = q1->HH1 - q2->HH1; /* HH1 */
+
+	if (q1->HL2 < q2->HL2)
+		return FALSE;
+ 	dst->HL2 = q1->HL2 - q2->HL2; /* HL2 */
+
+	if (q1->LH2 < q2->LH2)
+		return FALSE;
+ 	dst->LH2 = q1->LH2 - q2->LH2; /* LH2 */
+
+	if (q1->HH2 < q2->HH2)
+		return FALSE;
+ 	dst->HH2 = q1->HH2 - q2->HH2; /* HH2 */
+
+	if (q1->HL3 < q2->HL3)
+		return FALSE;
+ 	dst->HL3 = q1->HL3 - q2->HL3; /* HL3 */
+
+	if (q1->LH3 < q2->LH3)
+		return FALSE;
+ 	dst->LH3 = q1->LH3 - q2->LH3; /* LH3 */
+
+	if (q1->HH3 < q2->HH3)
+		return FALSE;
+ 	dst->HH3 = q1->HH3 - q2->HH3; /* HH3 */
+
+	if (q1->LL3 < q2->LL3)
+		return FALSE;
+ 	dst->LL3 = q1->LL3 - q2->LL3; /* LL3 */
+
+	return TRUE;
+ }
+ 
+ static INLINE BOOL
+@@ -1440,9 +1471,12 @@ progressive_decompress_tile_upgrade(PROGRESSIVE_CONTEXT* WINPR_RESTRICT progress
+ 	progressive_rfx_quant_add(quantY, quantProgY, &yBitPos);
+ 	progressive_rfx_quant_add(quantCb, quantProgCb, &cbBitPos);
+ 	progressive_rfx_quant_add(quantCr, quantProgCr, &crBitPos);
+-	progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits);
+-	progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits);
+-	progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits);
+	if (!progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits))
+		goto fail;
+	if (!progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits))
+		goto fail;
+	if (!progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits))
+		goto fail;
+ 	progressive_rfx_quant_add(quantY, quantProgY, &shiftY);
+ 	progressive_rfx_quant_lsub(&shiftY, 1); /* -6 + 5 = -1 */
+ 	progressive_rfx_quant_add(quantCb, quantProgCb, &shiftCb);
+-- 
+2.49.0
+
--- a/codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch
+++ b/codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch
@ -0,0 +1,29 @@
+From 78677dc6e262f46937d00c3aa52381e4bb198fa5 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 13 Apr 2026 14:00:00 +0200
+Subject: [PATCH] [codec,progressive] fix underflow guard in
+ progressive_rfx_quant_sub
+
+Backport of commit 78677dc6e262f46937d00c3aa52381e4bb198fa5.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/progressive.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
+index 554e179..2016952 100644
+--- a/libfreerdp/codec/progressive.c
+++ b/libfreerdp/codec/progressive.c
+@@ -124,7 +124,7 @@ static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* WI
+                                              const RFX_COMPONENT_CODEC_QUANT* WINPR_RESTRICT q2,
+                                              RFX_COMPONENT_CODEC_QUANT* dst)
+ {
+-	if (q1->HH1 < q2->HL1)
+	if (q1->HL1 < q2->HL1)
+ 		return FALSE;
+ 	dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */
+ 
+-- 
+2.49.0
+
--- a/freerdp.spec
+++ b/freerdp.spec
@ -30,7 +30,7 @@
 Name:           freerdp
 Epoch:          2
 Version:        3.10.3
-Release:        5%{?dist}.5
+Release:        5%{?dist}.6
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)

 # The effective license is Apache-2.0 but:
@ -180,6 +180,16 @@ Patch:          codec-nsc-fix-use-of-nsc_process_message.patch
 # https://github.com/FreeRDP/FreeRDP/commit/907ca47e40583a7788674bb2f06258edd0c34223
 Patch:          winpr-synch-increase-timeout-for-TestSynchCritical.patch

+# CVE-2026-33984
+# https://github.com/FreeRDP/FreeRDP/commit/a2dde6d9832cb032e8cf12cab3da84dafbab9006
+Patch:          codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch
+
+# CVE-2026-33983
+# https://github.com/FreeRDP/FreeRDP/commit/78188ab479c8e6eb9ba2475b3732c76b4bbe5425
+# https://github.com/FreeRDP/FreeRDP/commit/78677dc6e262f46937d00c3aa52381e4bb198fa5
+Patch:          codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch
+Patch:          codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@ -502,6 +512,11 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools3.pc

 %changelog
+* Fri Apr 10 2026 Ondrej Holy <oholy@redhat.com> - 2:3.10.3-5.6
+- Update CLEAR_VBAR_ENTRY size after alloc (CVE-2026-33984)
+- Fail progressive_rfx_quant_sub on invalid values (CVE-2026-33983)
+  Resolves: RHEL-162946, RHEL-162962
+
 * Tue Mar 31 2026 Ondrej Holy <oholy@redhat.com> - 2:3.10.3-5.5
 - Fix use of nsc_process_message
 - Increase timeout for TestSynchCritical