[meta-oe,kirkstone,2/5] freerdp: patch CVE-2024-32458

Message ID	20260123064332.4001588-2-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.45, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/5] freerdp: patch CVE-2024-32458 Date: Fri, 23 Jan 2026 07:43:29 +0100 Message-ID: <20260123064332.4001588-2-skandigraun@gmail.com> In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com> References: <20260123064332.4001588-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,kirkstone,1/5] freerdp: mark CVE-2024-32041 patched \| expand [meta-oe,kirkstone,1/5] freerdp: mark CVE-2024-32041 patched [meta-oe,kirkstone,2/5] freerdp: patch CVE-2024-32458 [meta-oe,kirkstone,3/5] freerdp: patch CVE-2024-32459 [meta-oe,kirkstone,4/5] freerdp: patch CVE-2024-32460 [meta-oe,kirkstone,5/5] freerdp: patch CVE-2024-32658

Message ID

20260123064332.4001588-2-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/5] freerdp: patch CVE-2024-32458
Date: Fri, 23 Jan 2026 07:43:29 +0100
Message-ID: <20260123064332.4001588-2-skandigraun@gmail.com>
In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com>
References: <20260123064332.4001588-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,kirkstone,1/5] freerdp: mark CVE-2024-32041 patched | expand

Commit Message

Gyorgy Sarvari Jan. 23, 2026, 6:43 a.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458

Pick the patch that is marked to resolve this vulnerbility by the
relevant Github advisory[1].

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vvr6-h646-mp4p

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../freerdp/freerdp/CVE-2024-32458.patch      | 118 ++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb  |   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch
new file mode 100644
index 0000000000..eeba767d91
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch
@@ -0,0 +1,118 @@ 
+From f04f5fc28869140079c3c5edca614e495493b9ba Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Tue, 16 Apr 2024 08:42:52 +0200
+Subject: [PATCH] fix missing input length checks
+
+(cherry picked from commit 52d75f6f4078143951e8a4976bc5af30a5556cb6)
+
+CVE: CVE-2024-32458
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/9bc624c721ecde8251cfabd1edf069bc713ccc97]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libfreerdp/codec/planar.c | 53 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 58d4e4bae..9f891b9c7 100644
+--- a/libfreerdp/codec/planar.c
++++ b/libfreerdp/codec/planar.c
+@@ -679,6 +679,13 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
+ 		rawHeights[3] = nSrcHeight;
+ 	}
+ 
++	const size_t diff = srcp - pSrcData;
++	if (SrcSize < diff)
++	{
++		WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff);
++		return FALSE;
++	}
++
+ 	if (!rle) /* RAW */
+ 	{
+ 		UINT32 base = planeSize * 3;
+@@ -687,8 +694,12 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
+ 
+ 		if (alpha)
+ 		{
+-			if ((SrcSize - (srcp - pSrcData)) < (planeSize + base))
++			if ((SrcSize - diff) < (planeSize + base))
++			{
++				WLog_ERR(TAG, "Alpha plane size mismatch %" PRIuz " < %" PRIu32, SrcSize - diff,
++				         (planeSize + base));
+ 				return FALSE;
++			}
+ 
+ 			planes[3] = srcp;                    /* AlphaPlane */
+ 			planes[0] = planes[3] + rawSizes[3]; /* LumaOrRedPlane */
+@@ -700,8 +711,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
+ 		}
+ 		else
+ 		{
+-			if ((SrcSize - (srcp - pSrcData)) < base)
++			if ((SrcSize - diff) < base)
++			{
++				WLog_ERR(TAG, "plane size mismatch %" PRIu32 " < %" PRIu32, SrcSize - diff, base);
+ 				return FALSE;
++			}
+ 
+ 			planes[0] = srcp;                    /* LumaOrRedPlane */
+ 			planes[1] = planes[0] + rawSizes[0]; /* OrangeChromaOrGreenPlane */
+@@ -716,8 +730,8 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
+ 		if (alpha)
+ 		{
+ 			planes[3] = srcp;
+-			rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize - (planes[3] - pSrcData),
+-			                                    rawWidths[3], rawHeights[3]); /* AlphaPlane */
++			rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize - diff, rawWidths[3],
++			                                    rawHeights[3]); /* AlphaPlane */
+ 
+ 			if (rleSizes[3] < 0)
+ 				return FALSE;
+@@ -727,22 +741,41 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT
+ 		else
+ 			planes[0] = srcp;
+ 
+-		rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - (planes[0] - pSrcData),
+-		                                    rawWidths[0], rawHeights[0]); /* RedPlane */
++		const size_t diff0 = (planes[0] - pSrcData);
++		if (SrcSize < diff0)
++		{
++			WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff0);
++			return FALSE;
++		}
++		rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - diff0, rawWidths[0],
++		                                    rawHeights[0]); /* RedPlane */
+ 
+ 		if (rleSizes[0] < 0)
+ 			return FALSE;
+ 
+ 		planes[1] = planes[0] + rleSizes[0];
+-		rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - (planes[1] - pSrcData),
+-		                                    rawWidths[1], rawHeights[1]); /* GreenPlane */
++
++		const size_t diff1 = (planes[1] - pSrcData);
++		if (SrcSize < diff1)
++		{
++			WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff1);
++			return FALSE;
++		}
++		rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - diff1, rawWidths[1],
++		                                    rawHeights[1]); /* GreenPlane */
+ 
+ 		if (rleSizes[1] < 1)
+ 			return FALSE;
+ 
+ 		planes[2] = planes[1] + rleSizes[1];
+-		rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - (planes[2] - pSrcData),
+-		                                    rawWidths[2], rawHeights[2]); /* BluePlane */
++		const size_t diff2 = (planes[2] - pSrcData);
++		if (SrcSize < diff2)
++		{
++			WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff);
++			return FALSE;
++		}
++		rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - diff2, rawWidths[2],
++		                                    rawHeights[2]); /* BluePlane */
+ 
+ 		if (rleSizes[2] < 1)
+ 			return FALSE;
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index 06aac0325f..0a01b2095a 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -34,6 +34,7 @@  SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://CVE-2024-22211.patch \
            file://CVE-2024-32039.patch \
            file://CVE-2024-32040.patch \
+           file://CVE-2024-32458.patch \
            "
 
 S = "${WORKDIR}/git"

[meta-oe,kirkstone,2/5] freerdp: patch CVE-2024-32458

Commit Message

Patch