freerdp/codec-planar-fix-bounds-checks.patch
RHEL Packaging Agent 5dd7f31d75 Fix incorrect bounds checks in planar codec (CVE-2026-45700)
Backport upstream commit 4a065a941 to fix CVE-2026-45700 in
freerdp 2.11.7. The patch corrects incorrect bounds checks in the
planar codec's RLE decompression path where nDstStep was used
instead of nTempStep, both in the bounds check condition and the
corresponding error message in planar_decompress().

CVE: CVE-2026-45700
Upstream patches:
 - 4a065a941a.patch
Resolves: RHEL-186983

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-06-30 14:55:53 +02:00

32 lines
978 B
Diff

From 836d5b6f6d305ba6542fac8ba2d16b2e4e8b13a7 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Thu, 30 Apr 2026 15:03:21 +0200
Subject: [PATCH] [codec,planar] fix bounds checks
---
libfreerdp/codec/planar.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 9b4d13057..67fc4212e 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -841,12 +841,12 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
return FALSE;
}
- if ((nXDst + nSrcWidth) * bpp > nDstStep)
+ if ((nXDst + nSrcWidth) * bpp > nTempStep)
{
WLog_ERR(TAG,
"planar plane destination (X %" PRIu32 " + width %" PRIu32
") * bpp %" PRIu32 " exceeds stride %" PRIu32,
- nXDst, nSrcWidth, bpp, nDstStep);
+ nXDst, nSrcWidth, bpp, nTempStep);
return FALSE;
}
--
2.52.0