[meta-oe,scarthgap,14/22] freerdp3: fix CVE-2026-29774

Message ID	20260409070919.3968586-14-ankur.tyagi85@gmail.com
State	New
Headers	show Return-Path: <ankur.tyagi85@gmail.com> ip: 209.85.210.173, mailfrom: ankur.tyagi85@gmail.com) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi <ankur.tyagi85@gmail.com> Subject: [oe][meta-oe][scarthgap][PATCH 14/22] freerdp3: fix CVE-2026-29774 Date: Thu, 9 Apr 2026 19:09:11 +1200 Message-ID: <20260409070919.3968586-14-ankur.tyagi85@gmail.com> In-Reply-To: <20260409070919.3968586-1-ankur.tyagi85@gmail.com> References: <20260409070919.3968586-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,scarthgap,1/22] abseil-cpp: ignore CVE-2025-0838 \| expand [meta-oe,scarthgap,1/22] abseil-cpp: ignore CVE-2025-0838 [meta-oe,scarthgap,2/22] freerdp3: fix CVE-2026-25941 [meta-oe,scarthgap,3/22] freerdp3: fix CVE-2026-33952 [meta-oe,scarthgap,4/22] freerdp3: fix CVE-2026-23948 [meta-oe,scarthgap,5/22] freerdp3: fix CVE-2026-24491 [meta-oe,scarthgap,6/22] freerdp3: fix CVE-2026-24675 [meta-oe,scarthgap,7/22] freerdp3: fix CVE-2026-24676 [meta-oe,scarthgap,8/22] freerdp3: ignore CVE-2026-24677 and CVE-2026-24678 [meta-oe,scarthgap,9/22] freerdp3: fix CVE-2026-24679 [meta-oe,scarthgap,10/22] freerdp3: fix CVE-2026-24680 and CVE-2026-27950 [meta-oe,scarthgap,11/22] freerdp3: fix CVE-2026-24681 [meta-oe,scarthgap,12/22] freerdp3: fix CVE-2026-24682 [meta-oe,scarthgap,13/22] freerdp3: fix CVE-2026-24683 [meta-oe,scarthgap,14/22] freerdp3: fix CVE-2026-29774 [meta-oe,scarthgap,15/22] freerdp3: fix CVE-2026-29775 [meta-oe,scarthgap,16/22] freerdp3: fix CVE-2026-29776 [meta-oe,scarthgap,17/22] freerdp3: fix CVE-2026-31806 [meta-oe,scarthgap,18/22] freerdp3: fix CVE-2026-31897 [meta-oe,scarthgap,19/22] freerdp3: fix CVE-2026-33984 [meta-oe,scarthgap,20/22] giflib: patch CVE-2025-31344 [meta-multimedia,scarthgap,21/22] libde265: upgrade 1.0.12 -> 1.0.16 [meta-oe,scarthgap,22/22] libraw: ignore CVE-2026-5318

Message ID

20260409070919.3968586-14-ankur.tyagi85@gmail.com

State

New

Headers

From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-oe][scarthgap][PATCH 14/22] freerdp3: fix CVE-2026-29774
Date: Thu,  9 Apr 2026 19:09:11 +1200
Message-ID: <20260409070919.3968586-14-ankur.tyagi85@gmail.com>
In-Reply-To: <20260409070919.3968586-1-ankur.tyagi85@gmail.com>
References: <20260409070919.3968586-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,scarthgap,1/22] abseil-cpp: ignore CVE-2025-0838 | expand

Commit Message

Ankur Tyagi April 9, 2026, 7:09 a.m. UTC

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../freerdp/freerdp3/CVE-2026-29774.patch     | 75 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb |  1 +
 2 files changed, 76 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29774.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29774.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29774.patch
new file mode 100644
index 0000000000..aaf83fd90c
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29774.patch
@@ -0,0 +1,75 @@ 
+From b590224c94effa3104a2db98a59478a9c4ed6f02 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Sat, 28 Feb 2026 11:38:23 +0100
+Subject: [PATCH] [codec,h264] validate rectangles before use
+
+CVE: CVE-2026-29774
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/6482b7a92fff3959582cef052d1967ad6bde3738]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libfreerdp/codec/h264.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/libfreerdp/codec/h264.c b/libfreerdp/codec/h264.c
+index 718bd2ccf..13d592600 100644
+--- a/libfreerdp/codec/h264.c
++++ b/libfreerdp/codec/h264.c
+@@ -91,6 +91,36 @@ BOOL avc420_ensure_buffer(H264_CONTEXT* h264, UINT32 stride, UINT32 width, UINT3
+ 	return TRUE;
+ }
+ 
++static BOOL isRectValid(UINT32 width, UINT32 height, const RECTANGLE_16* rect)
++{
++	WINPR_ASSERT(rect);
++	if (rect->left > width)
++		return FALSE;
++	if (rect->right > width)
++		return FALSE;
++	if (rect->left >= rect->right)
++		return FALSE;
++	if (rect->top > height)
++		return FALSE;
++	if (rect->bottom > height)
++		return FALSE;
++	if (rect->top >= rect->bottom)
++		return FALSE;
++	return TRUE;
++}
++
++static BOOL areRectsValid(UINT32 width, UINT32 height, const RECTANGLE_16* rects, UINT32 count)
++{
++	WINPR_ASSERT(rects || (count == 0));
++	for (size_t x = 0; x < count; x++)
++	{
++		const RECTANGLE_16* rect = &rects[x];
++		if (!isRectValid(width, height, rect))
++			return FALSE;
++	}
++	return TRUE;
++}
++
+ INT32 avc420_decompress(H264_CONTEXT* h264, const BYTE* pSrcData, UINT32 SrcSize, BYTE* pDstData,
+                         DWORD DstFormat, UINT32 nDstStep, UINT32 nDstWidth, UINT32 nDstHeight,
+                         const RECTANGLE_16* regionRects, UINT32 numRegionRects)
+@@ -101,6 +131,9 @@ INT32 avc420_decompress(H264_CONTEXT* h264, const BYTE* pSrcData, UINT32 SrcSize
+ 	if (!h264 || h264->Compressor)
+ 		return -1001;
+ 
++	if (!areRectsValid(nDstWidth, nDstHeight, regionRects, numRegionRects))
++		return -1013;
++
+ 	status = h264->subsystem->Decompress(h264, pSrcData, SrcSize);
+ 
+ 	if (status == 0)
+@@ -523,6 +556,11 @@ INT32 avc444_decompress(H264_CONTEXT* h264, BYTE op, const RECTANGLE_16* regionR
+ 	if (!h264 || !regionRects || !pSrcData || !pDstData || h264->Compressor)
+ 		return -1001;
+ 
++	if (!areRectsValid(nDstWidth, nDstHeight, regionRects, numRegionRects))
++		return -1013;
++	if (!areRectsValid(nDstWidth, nDstHeight, auxRegionRects, numAuxRegionRect))
++		return -1014;
++
+ 	switch (op)
+ 	{
+ 		case 0: /* YUV420 in stream 1
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index 715354768a..f92d824d66 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -31,6 +31,7 @@  SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-24681.patch \
            file://CVE-2026-24682.patch \
            file://CVE-2026-24683.patch \
+           file://CVE-2026-29774.patch \
            "
 
 S = "${WORKDIR}/git"

[meta-oe,scarthgap,14/22] freerdp3: fix CVE-2026-29774

Commit Message

Patch