Backport several CVE fixes

It fixes CVE-2026-33983 and CVE-2026-33984.

Also remove unused channels-audin-fix-audin_server_recv_formats-cleanup.patch from the tree.

Resolves: RHEL-162960, RHEL-162986

Made-with: Cursor

channels-audin-fix-audin_server_recv_formats-cleanup.patch

@@ -1,28 +0,0 @@
-From 3b403f9bfe3fc5f2d45151bd685ba17af65dcc05 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Thu, 12 Mar 2026 15:43:14 +0100
-Subject: [PATCH] [channels,audin] fix audin_server_recv_formats cleanup
-
-Backport of commit 1c5c74223179d425a1ce6dbbb6a3dd2a958b7aee.
-
-Made-with: Cursor
----
- channels/audin/server/audin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/channels/audin/server/audin.c b/channels/audin/server/audin.c
-index 8252236f8..17e487a47 100644
---- a/channels/audin/server/audin.c
-+++ b/channels/audin/server/audin.c
-@@ -215,7 +215,7 @@ static UINT audin_server_recv_formats(audin_server* audin, wStream* s, UINT32 le
- 
- 		if (!audio_format_read(s, format))
- 		{
--			audio_formats_free(audin->context.client_formats, i);
-+			audio_formats_free(audin->context.client_formats, audin->context.num_client_formats);
- 			audin->context.client_formats = NULL;
- 			WLog_ERR(TAG, "expected length at least 18, but got %" PRIu32 "", length);
- 			return ERROR_INVALID_DATA;
--- 
-2.53.0
-

codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch

@@ -0,0 +1,35 @@
+From a2dde6d9832cb032e8cf12cab3da84dafbab9006 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 10 Apr 2026 11:32:09 +0200
+Subject: [PATCH] [codec,clear] update CLEAR_VBAR_ENTRY::size after alloc
+
+Backport of commit a2dde6d9832cb032e8cf12cab3da84dafbab9006.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/clear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index e38fa0d..eda30ad 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -565,7 +565,6 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry)
+ 		const UINT32 oldPos = vBarEntry->size * bpp;
+ 		const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp;
+ 		BYTE* tmp;
+-		vBarEntry->size = vBarEntry->count;
+ 		tmp = (BYTE*)realloc(vBarEntry->pixels, 1ull * vBarEntry->count * bpp);
+ 
+ 		if (!tmp)
+@@ -576,6 +575,7 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry)
+ 
+ 		memset(&tmp[oldPos], 0, diffSize);
+ 		vBarEntry->pixels = tmp;
++		vBarEntry->size = vBarEntry->count;
+ 	}
+ 
+ 	if (!vBarEntry->pixels && vBarEntry->size)
+-- 
+2.49.0
+

codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch

@@ -0,0 +1,89 @@
+From 78188ab479c8e6eb9ba2475b3732c76b4bbe5425 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 13 Apr 2026 14:00:00 +0200
+Subject: [PATCH] [codec,progressive] Fail progressive_rfx_quant_sub on invalid
+ values
+
+Backport of commit 78188ab479c8e6eb9ba2475b3732c76b4bbe5425.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/progressive.c | 42 ++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
+index 8894b35..bbcc921 100644
+--- a/libfreerdp/codec/progressive.c
++++ b/libfreerdp/codec/progressive.c
+@@ -155,20 +155,51 @@ static INLINE void progressive_rfx_quant_lsub(RFX_COMPONENT_CODEC_QUANT* q, int
+ 	q->LL3 -= val; /* LL3 */
+ }
+ 
+-static INLINE void progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1,
++static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1,
+                                              const RFX_COMPONENT_CODEC_QUANT* q2,
+                                              RFX_COMPONENT_CODEC_QUANT* dst)
+ {
++	if (q1->HH1 < q2->HL1)
++		return FALSE;
+ 	dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */
++
++	if (q1->LH1 < q2->LH1)
++		return FALSE;
+ 	dst->LH1 = q1->LH1 - q2->LH1; /* LH1 */
++
++	if (q1->HH1 < q2->HH1)
++		return FALSE;
+ 	dst->HH1 = q1->HH1 - q2->HH1; /* HH1 */
++
++	if (q1->HL2 < q2->HL2)
++		return FALSE;
+ 	dst->HL2 = q1->HL2 - q2->HL2; /* HL2 */
++
++	if (q1->LH2 < q2->LH2)
++		return FALSE;
+ 	dst->LH2 = q1->LH2 - q2->LH2; /* LH2 */
++
++	if (q1->HH2 < q2->HH2)
++		return FALSE;
+ 	dst->HH2 = q1->HH2 - q2->HH2; /* HH2 */
++
++	if (q1->HL3 < q2->HL3)
++		return FALSE;
+ 	dst->HL3 = q1->HL3 - q2->HL3; /* HL3 */
++
++	if (q1->LH3 < q2->LH3)
++		return FALSE;
+ 	dst->LH3 = q1->LH3 - q2->LH3; /* LH3 */
++
++	if (q1->HH3 < q2->HH3)
++		return FALSE;
+ 	dst->HH3 = q1->HH3 - q2->HH3; /* HH3 */
++
++	if (q1->LL3 < q2->LL3)
++		return FALSE;
+ 	dst->LL3 = q1->LL3 - q2->LL3; /* LL3 */
++
++	return TRUE;
+ }
+ 
+ static INLINE BOOL progressive_rfx_quant_lcmp_less_equal(const RFX_COMPONENT_CODEC_QUANT* q,
+@@ -1433,9 +1464,12 @@ static INLINE int progressive_decompress_tile_upgrade(PROGRESSIVE_CONTEXT* progr
+ 	progressive_rfx_quant_add(quantY, quantProgY, &yBitPos);
+ 	progressive_rfx_quant_add(quantCb, quantProgCb, &cbBitPos);
+ 	progressive_rfx_quant_add(quantCr, quantProgCr, &crBitPos);
+-	progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits);
+-	progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits);
+-	progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits);
++	if (!progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits))
++		goto fail;
++	if (!progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits))
++		goto fail;
++	if (!progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits))
++		goto fail;
+ 	progressive_rfx_quant_add(quantY, quantProgY, &shiftY);
+ 	progressive_rfx_quant_lsub(&shiftY, 1); /* -6 + 5 = -1 */
+ 	progressive_rfx_quant_add(quantCb, quantProgCb, &shiftCb);
+-- 
+2.49.0
+

codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch

@@ -0,0 +1,29 @@
+From 78677dc6e262f46937d00c3aa52381e4bb198fa5 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 13 Apr 2026 14:00:00 +0200
+Subject: [PATCH] [codec,progressive] fix underflow guard in
+ progressive_rfx_quant_sub
+
+Backport of commit 78677dc6e262f46937d00c3aa52381e4bb198fa5.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/progressive.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
+index bbcc921..1234567 100644
+--- a/libfreerdp/codec/progressive.c
++++ b/libfreerdp/codec/progressive.c
+@@ -158,7 +158,7 @@ static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1
+                                              const RFX_COMPONENT_CODEC_QUANT* q2,
+                                              RFX_COMPONENT_CODEC_QUANT* dst)
+ {
+-	if (q1->HH1 < q2->HL1)
++	if (q1->HL1 < q2->HL1)
+ 		return FALSE;
+ 	dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */
+ 
+-- 
+2.49.0
+

freerdp.spec

@@ -27,7 +27,7 @@
 
 Name:           freerdp
 Version:        2.11.7
-Release:        7%{?dist}
+Release:        8%{?dist}
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@@ -147,6 +147,16 @@ Patch:          channel-rdpsnd-only-clean-up-thread-before-free.patch
 Patch:          codec-nsc-limit-copy-area-in-nsc_process_message.patch
 Patch:          codec-nsc-fix-use-of-nsc_process_message.patch
 
+# CVE-2026-33984
+# https://github.com/FreeRDP/FreeRDP/commit/a2dde6d9832cb032e8cf12cab3da84dafbab9006
+Patch:          codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch
+
+# CVE-2026-33983
+# https://github.com/FreeRDP/FreeRDP/commit/78188ab479c8e6eb9ba2475b3732c76b4bbe5425
+# https://github.com/FreeRDP/FreeRDP/commit/78677dc6e262f46937d00c3aa52381e4bb198fa5
+Patch:          codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch
+Patch:          codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@@ -404,6 +414,11 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 
 %changelog
+* Fri Apr 10 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-8
+- Update CLEAR_VBAR_ENTRY size after alloc (CVE-2026-33984)
+- Fail progressive_rfx_quant_sub on invalid values (CVE-2026-33983)
+  Resolves: RHEL-162960, RHEL-162986
+
 * Tue Mar 31 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-7
 - Fix use of nsc_process_message
   Resolves: RHEL-155994