From 78188ab479c8e6eb9ba2475b3732c76b4bbe5425 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 13 Apr 2026 14:00:00 +0200
Subject: [PATCH] [codec,progressive] Fail progressive_rfx_quant_sub on invalid
 values

Backport of commit 78188ab479c8e6eb9ba2475b3732c76b4bbe5425.

Made-with: Cursor
---
 libfreerdp/codec/progressive.c | 42 ++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c
index 8894b35..bbcc921 100644
--- a/libfreerdp/codec/progressive.c
+++ b/libfreerdp/codec/progressive.c
@@ -155,20 +155,51 @@ static INLINE void progressive_rfx_quant_lsub(RFX_COMPONENT_CODEC_QUANT* q, int
 	q->LL3 -= val; /* LL3 */
 }
 
-static INLINE void progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1,
+static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1,
                                              const RFX_COMPONENT_CODEC_QUANT* q2,
                                              RFX_COMPONENT_CODEC_QUANT* dst)
 {
+	if (q1->HH1 < q2->HL1)
+		return FALSE;
 	dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */
+
+	if (q1->LH1 < q2->LH1)
+		return FALSE;
 	dst->LH1 = q1->LH1 - q2->LH1; /* LH1 */
+
+	if (q1->HH1 < q2->HH1)
+		return FALSE;
 	dst->HH1 = q1->HH1 - q2->HH1; /* HH1 */
+
+	if (q1->HL2 < q2->HL2)
+		return FALSE;
 	dst->HL2 = q1->HL2 - q2->HL2; /* HL2 */
+
+	if (q1->LH2 < q2->LH2)
+		return FALSE;
 	dst->LH2 = q1->LH2 - q2->LH2; /* LH2 */
+
+	if (q1->HH2 < q2->HH2)
+		return FALSE;
 	dst->HH2 = q1->HH2 - q2->HH2; /* HH2 */
+
+	if (q1->HL3 < q2->HL3)
+		return FALSE;
 	dst->HL3 = q1->HL3 - q2->HL3; /* HL3 */
+
+	if (q1->LH3 < q2->LH3)
+		return FALSE;
 	dst->LH3 = q1->LH3 - q2->LH3; /* LH3 */
+
+	if (q1->HH3 < q2->HH3)
+		return FALSE;
 	dst->HH3 = q1->HH3 - q2->HH3; /* HH3 */
+
+	if (q1->LL3 < q2->LL3)
+		return FALSE;
 	dst->LL3 = q1->LL3 - q2->LL3; /* LL3 */
+
+	return TRUE;
 }
 
 static INLINE BOOL progressive_rfx_quant_lcmp_less_equal(const RFX_COMPONENT_CODEC_QUANT* q,
@@ -1433,9 +1464,12 @@ static INLINE int progressive_decompress_tile_upgrade(PROGRESSIVE_CONTEXT* progr
 	progressive_rfx_quant_add(quantY, quantProgY, &yBitPos);
 	progressive_rfx_quant_add(quantCb, quantProgCb, &cbBitPos);
 	progressive_rfx_quant_add(quantCr, quantProgCr, &crBitPos);
-	progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits);
-	progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits);
-	progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits);
+	if (!progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits))
+		goto fail;
+	if (!progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits))
+		goto fail;
+	if (!progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits))
+		goto fail;
 	progressive_rfx_quant_add(quantY, quantProgY, &shiftY);
 	progressive_rfx_quant_lsub(&shiftY, 1); /* -6 + 5 = -1 */
 	progressive_rfx_quant_add(quantCb, quantProgCb, &shiftCb);
-- 
2.49.0