Backport upstream commit 4a065a941 to fix CVE-2026-45700 in
freerdp 2.11.7. The patch corrects incorrect bounds checks in the
planar codec's RLE decompression path where nDstStep was used
instead of nTempStep, both in the bounds check condition and the
corresponding error message in planar_decompress().
CVE: CVE-2026-45700
Upstream patches:
- 4a065a941a.patch
Resolves: RHEL-186983
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
32 lines
978 B
Diff
32 lines
978 B
Diff
From 836d5b6f6d305ba6542fac8ba2d16b2e4e8b13a7 Mon Sep 17 00:00:00 2001
|
|
From: Armin Novak <armin.novak@thincast.com>
|
|
Date: Thu, 30 Apr 2026 15:03:21 +0200
|
|
Subject: [PATCH] [codec,planar] fix bounds checks
|
|
|
|
---
|
|
libfreerdp/codec/planar.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
|
|
index 9b4d13057..67fc4212e 100644
|
|
--- a/libfreerdp/codec/planar.c
|
|
+++ b/libfreerdp/codec/planar.c
|
|
@@ -841,12 +841,12 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
|
|
return FALSE;
|
|
}
|
|
|
|
- if ((nXDst + nSrcWidth) * bpp > nDstStep)
|
|
+ if ((nXDst + nSrcWidth) * bpp > nTempStep)
|
|
{
|
|
WLog_ERR(TAG,
|
|
"planar plane destination (X %" PRIu32 " + width %" PRIu32
|
|
") * bpp %" PRIu32 " exceeds stride %" PRIu32,
|
|
- nXDst, nSrcWidth, bpp, nDstStep);
|
|
+ nXDst, nSrcWidth, bpp, nTempStep);
|
|
return FALSE;
|
|
}
|
|
|
|
--
|
|
2.52.0
|
|
|