diff mbox series

[meta-oe,2/3] freerdp: patch CVE-2026-23532

Message ID 20260224170448.1310931-2-skandigraun@gmail.com
State Under Review
Headers show
Series [meta-oe,1/3] freerdp: patch CVE-2026-23530 | expand

Commit Message

Gyorgy Sarvari Feb. 24, 2026, 5:04 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23532

The related Github advisory[1] contains a detailed analysis about
the vulnerability. Pick the patch that describes the same
issue in its description.

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../freerdp/freerdp/CVE-2026-23532.patch      | 49 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.11.7.bb |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
new file mode 100644
index 0000000000..80d4af30b9
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
@@ -0,0 +1,49 @@ 
+From 51929613e6897489736a35eaaf14a3accf143963 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 15 Jan 2026 12:04:36 +0100
+Subject: [PATCH] properly clamp SurfaceToSurface
+
+From: akallabeth <akallabeth@posteo.net>
+
+CVE: CVE-2026-23532
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libfreerdp/gdi/gfx.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
+index 3970715e0..812568bbb 100644
+--- a/libfreerdp/gdi/gfx.c
++++ b/libfreerdp/gdi/gfx.c
+@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ 	UINT status = ERROR_INTERNAL_ERROR;
+ 	UINT16 index;
+ 	BOOL sameSurface;
+-	UINT32 nWidth, nHeight;
+ 	const RECTANGLE_16* rectSrc;
+ 	RECTANGLE_16 invalidRect;
+ 	gdiGfxSurface* surfaceSrc;
+@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ 	if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height))
+ 		goto fail;
+ 
+-	nWidth = rectSrc->right - rectSrc->left;
+-	nHeight = rectSrc->bottom - rectSrc->top;
++	const UINT32 nWidth = rectSrc->right - rectSrc->left;
++	const UINT32 nHeight = rectSrc->bottom - rectSrc->top;
+ 
+ 	for (index = 0; index < surfaceToSurface->destPtsCount; index++)
+ 	{
+@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ 		if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height))
+ 			goto fail;
+ 
++		const UINT32 rwidth = rect.right - rect.left;
++		const UINT32 rheight = rect.bottom - rect.top;
+ 		if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline,
+-		                        destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data,
++		                        destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data,
+ 		                        surfaceSrc->format, surfaceSrc->scanline, rectSrc->left,
+ 		                        rectSrc->top, NULL, FREERDP_FLIP_NONE))
+ 			goto fail;
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
index d4efcccdbd..dff3f6dafe 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -28,6 +28,7 @@  SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://CVE-2026-22855.patch \
            file://CVE-2026-22852.patch \
            file://CVE-2026-23530.patch \
+           file://CVE-2026-23532.patch \
            "