rpms/freerdp
7
0
Fork 0
Code Issues Pull Requests Releases Activity
b00b6803d4
freerdp/codec-clear-fix-clear_resize_buffer-checks.patch
Ondrej Holy b00b6803d4 Backport several CVE fixes 
It fixes CVE-2026-23530, CVE-2026-23531, CVE-2026-23532, CVE-2026-23533,
CVE-2026-23534, CVE-2026-23883 and CVE-2026-23884.

Resolves: RHEL-142414, RHEL-142398, RHEL-142382, RHEL-142366, RHEL-142350
Resolves: RHEL-142334, RHEL-142318
2026-01-28 11:08:33 +01:00

63 lines
1.8 KiB
Diff
Raw Blame History

From 94235a5297db9cb83c2c23ade8a69cabe3e5f9f4 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 27 Jan 2026 16:15:28 +0100
Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks
Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748.
Co-Authored-By: Claude <noreply@anthropic.com>
---
libfreerdp/codec/clear.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
index b0813937d..28450b357 100644
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -58,7 +58,7 @@ struct S_CLEAR_CONTEXT
NSC_CONTEXT* nsc;
UINT32 seqNumber;
BYTE* TempBuffer;
- UINT32 TempSize;
+ size_t TempSize;
UINT32 nTempStep;
UINT32 TempFormat;
UINT32 format;
@@ -328,25 +328,26 @@ static BOOL clear_decompress_subcode_rlex(wStream* WINPR_RESTRICT s, UINT32 bitm
static BOOL clear_resize_buffer(CLEAR_CONTEXT* WINPR_RESTRICT clear, UINT32 width, UINT32 height)
{
- UINT32 size = 0;
-
if (!clear)
return FALSE;
- size = ((width + 16) * (height + 16) * FreeRDPGetBytesPerPixel(clear->format));
+ const UINT64 size = 1ull * (width + 16ull) * (height + 16ull);
+ const size_t bpp = FreeRDPGetBytesPerPixel(clear->format);
+ if (size > UINT32_MAX / bpp)
+ return FALSE;
- if (size > clear->TempSize)
+ if (size > clear->TempSize / bpp)
{
- BYTE* tmp = (BYTE*)winpr_aligned_recalloc(clear->TempBuffer, size, sizeof(BYTE), 32);
+ BYTE* tmp = (BYTE*)winpr_aligned_recalloc(clear->TempBuffer, size, bpp, 32);
if (!tmp)
{
- WLog_ERR(TAG, "clear->TempBuffer winpr_aligned_recalloc failed for %" PRIu32 " bytes",
+ WLog_ERR(TAG, "clear->TempBuffer winpr_aligned_recalloc failed for %" PRIu64 " bytes",
size);
return FALSE;
}
- clear->TempSize = size;
+ clear->TempSize = size * bpp;
clear->TempBuffer = tmp;
}
--
2.52.0
Reference in New Issue View Git Blame Copy Permalink