rpms/freerdp
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
freerdp/codec-clear-update-clear_glyph_entry-count-after-alloc.patch
Ondrej Holy cffbceacb7 Backport several CVE fixes 
It fixes CVE-2026-26986, CVE-2026-27951, CVE-2026-29775, CVE-2026-31884,
CVE-2026-31883, CVE-2026-31885, and CVE-2026-33985.

Resolves: RHEL-159806, RHEL-155468, RHEL-161037, RHEL-161472
Resolves: RHEL-161508, RHEL-161075, RHEL-167794

Made-with: Cursor
2026-04-29 17:26:10 +02:00

58 lines
2.0 KiB
Diff
Raw Permalink Blame History

From 947feeadfddf01d30dda5aa16ebc335bfcc23ae0 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 29 Apr 2026 13:42:00 +0000
Subject: [PATCH] [codec,clear] Update CLEAR_GLYPH_ENTRY::count after alloc
Backport of commit c49d1ad43b8c7b32794d0250f2623c2dccd7ef25.
Adapted for 2.11.7: uses GetBytesPerPixel instead of FreeRDPGetBytesPerPixel,
plain realloc instead of winpr_aligned_recalloc; overflow checks match upstream
(size_t count, hlimit / exceeded logging); glyphEntry->count set via (UINT32)cast
after successful realloc.
Made-with: Cursor
---
libfreerdp/codec/clear.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -979,20 +979,31 @@
{
const UINT32 bpp = GetBytesPerPixel(clear->format);
CLEAR_GLYPH_ENTRY* glyphEntry = &(clear->GlyphCache[glyphIndex]);
- glyphEntry->count = nWidth * nHeight;
+ const size_t count = 1ull * nWidth * nHeight;
+ const size_t hlimit = SIZE_MAX / ((nWidth > 0) ? nWidth : 1);
+ if ((nWidth == 0) || (nHeight == 0) || (hlimit < nHeight))
+ {
+ const char* exceeded = (hlimit < nHeight) ? "within" : "outside";
+ WLog_ERR(TAG,
+ "CLEARCODEC_FLAG_GLYPH_INDEX: nWidth=%" PRIu32 ", nHeight=%" PRIu32
+ ", nWidth * nHeight is %s allowed range",
+ nWidth, nHeight, exceeded);
+ return FALSE;
+ }
- if (glyphEntry->count > glyphEntry->size)
+ if (count > glyphEntry->size)
{
BYTE* tmp;
- tmp = realloc(glyphEntry->pixels, 1ull * glyphEntry->count * bpp);
+ tmp = realloc(glyphEntry->pixels, 1ull * count * bpp);
if (!tmp)
{
- WLog_ERR(TAG, "glyphEntry->pixels realloc %" PRIu32 " failed!",
- glyphEntry->count * bpp);
+ WLog_ERR(TAG, "glyphEntry->pixels realloc %" PRIuz " failed!",
+ count * bpp);
return FALSE;
}
+ glyphEntry->count = (UINT32)count;
glyphEntry->size = glyphEntry->count;
glyphEntry->pixels = (UINT32*)tmp;
}
Reference in New Issue View Git Blame Copy Permalink