From patchwork Fri Jan 23 06:43:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79462 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E850ED6CFDC for ; Fri, 23 Jan 2026 06:43:45 +0000 (UTC) Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.62296.1769150614676774470 for ; Thu, 22 Jan 2026 22:43:35 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=HRJ9qE3F; spf=pass (domain: gmail.com, ip: 209.85.221.52, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-435903c4040so1148642f8f.3 for ; Thu, 22 Jan 2026 22:43:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769150613; x=1769755413; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=IAUUID3BTDFNR7VC1ZZXZjMQdHlCl7VEDfQS6lNQTe4=; b=HRJ9qE3FNdzKHrKgezkQcxqsx72dQznul1695+q2YuS9EbNezw6AQnAm4YyDIvognd IPbREOrs/BR7beZJnVHzUUHGtdSEVQ11OX7PP1oYszcncUvU5Qm1CaLSQQ5Fn73SPq81 FNRO7i5KuUEGBDd1xNsiUGw00vkkhGvDAFO2lMk9TOHje+/BHMtqsQT+xYjVCLNIlGNw NcU9tYNTxIIL9yivd3d9oNA1veNjc5EEd4Cc3Up9idxgW3eMX3OVLxTceqLRM6eMFHoL xcYd8FtPxshv7+JALrNXHuzm09mJn3VQtqWGnQ6tURNbxT6znIyEfCE1gPHxj10tsz+g sBjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769150613; x=1769755413; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IAUUID3BTDFNR7VC1ZZXZjMQdHlCl7VEDfQS6lNQTe4=; b=tR5Fp9LfCbWdrO7tpvRux5EB7S6Xc0jgXO47b4wbUvDYZoeldgFgGe5//NaxAQmAnX GKJH0TuEl9gfiNKFKao5j9QFhwrKsxmKI7Gim9IwG78l3bBBm45N71znPWCX+Hjcbj3I iS7KPrFPpYGCbPK9P9zeVr0ebcu0FRt2ioSK6IbU+Wwf6SoQD7SW5Z0T2GKcou6CdUol rZf92auH4IeFixArZVVIhNm/fWX88mY5jaaU8EzgFuRQoj4xwUaGOXS9VmSWHly258ir y+w+LiNGBSbt8t7O2A4IqbHOm5ebl/NQWSBwCjI8njPWFDdJdWF0j7hB3+rDd8v+LZnc /L4g== X-Gm-Message-State: AOJu0YxR64aQmfdHbBI45/qLsXNP+F/yShbx0J/AwbI5LS20e80RJqH6 g0cuMNNwAfr3hotleXH+o1+E/0KlCAbxxUyQFiGMncc5vWs7lh05ls+lti85bA== X-Gm-Gg: AZuq6aIbAyA7YqLQc1B82HjfHeOxU0ZNLeoCtL9BAMz+BhL5s3UxnK+sF6aG7KCDTyO yuy0FzYMOaeKTAmxeis5eA/DBFnk6GoGsOgM9NlcePFhKVnjyJOWVUrgc4cZ7qGSWL9of+HZ2/P Ubge1OrvP25+t1BcaW2u80vG0oz7m9dnjJV6obwKBMq8SLZw2ENdssw3bUvPEJl787IkcCu7TB+ KRlsNuQ6vvKDeLDdIRnLzWnyu4ic3fFtC4Jgd2hxdezFYtrwYGTlWoGnUMmFGHcB62cQ5XRrBeD /KgzE+mLuI6wYtyi7hmZwBf+zqfAMYUDJSUBK8d7kSPakE/YSROm06eR1FSjEXTXJGj8uxOtGoD GiuZII6uDU8h7x7MutIL2hGPNw0Prvy45vSLoA3/o3VmWHe+mowSt2jJHArrbLdvtIqKAZgQW4/ lt0GC/GlxP X-Received: by 2002:a05:6000:2891:b0:435:8d02:b9d2 with SMTP id ffacd0b85a97d-435b16271ffmr3368282f8f.60.1769150612768; Thu, 22 Jan 2026 22:43:32 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c02cd8sm4051608f8f.8.2026.01.22.22.43.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jan 2026 22:43:32 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/5] freerdp: mark CVE-2024-32041 patched Date: Fri, 23 Jan 2026 07:43:28 +0100 Message-ID: <20260123064332.4001588-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 06:43:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123764 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32041 Both the relevant Github Advisory[1] and Debian[2] states that the same patch fixes this vulnerability as CVE-2024-32039. Therefore add this CVE ID to the same patch's CVE tag. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5r4p-mfx2-m44r [2]: https://security-tracker.debian.org/tracker/CVE-2024-32041 Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch index 4def7320b9..ed12787310 100644 --- a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch @@ -7,7 +7,7 @@ reorder check to prevent possible integer overflow (cherry picked from commit 3a2a241b8fcfee853e35cc54bec00375096fedd9) -CVE: CVE-2024-32039 +CVE: CVE-2024-32039 CVE-2024-32041 Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265] Signed-off-by: Gyorgy Sarvari --- From patchwork Fri Jan 23 06:43:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79460 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E5BA2D3EE9A for ; Fri, 23 Jan 2026 06:43:45 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.62297.1769150615209203116 for ; Thu, 22 Jan 2026 22:43:35 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=i+MzUeCP; spf=pass (domain: gmail.com, ip: 209.85.221.45, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-4359249bbacso1846056f8f.0 for ; Thu, 22 Jan 2026 22:43:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769150613; x=1769755413; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MlR2l5Wpg3ztu9hF1edDGnn3XV0q7ljj2ueYiMQzRro=; b=i+MzUeCPbe3lJFQcth/psOyoUAiud1GTpeMOAI9dOe+9Gd4HGeYucMNKvtNkke0npV ypd5Vz7o9roCbsCEfANjnc7Yvg1ROjEQKI3F31VMwF06rNvmIr0iF8OSCKg4jyOc9/JM Q1mcOFIdg0NXWTNEU9quCn3eHSdUTibGsuprUWLgMIpwou7PEiKJapfwINeTRSkPpnkj IbDxiwngKZvTpCPlHcV/rrZn/IL1ViUpEv7wxMsajTCsztMcmFCu4cUFUDjr0h+19puq WWMCUsSTFkTfJFs4VII0cAz0P2jxqbqzOrw5ZjbUfxqGHmvMz2Qj4N5atg+Pjw2E9xoi yFUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769150613; x=1769755413; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=MlR2l5Wpg3ztu9hF1edDGnn3XV0q7ljj2ueYiMQzRro=; b=Oep9CG0VZdNlPXZud+37D0b6DP+iIQEHG/8aYXQwHXgC1r280soZC3EoFa2Flr0eyw YPgv8Zt4y2yNn+LTKk5W0tSlDHmGGhSGw4Lul4YkOfy6+ZEsgW3HblIzpPXxxL6ZAGjM dZTXEHlmIkQ6KT4hkqQjopJlXLRRt2oBV023aYyrvFivgxPO+4SgR9XLSbbawHLznnqQ vxn8VNxns9sxOx56Ou8lM8IrdgZ4ri0K06VRw3qjOxcqq08M7+r1UCJ50yn00VE4QZHH /z/1L0fQEaSBfmg8LpApY4P+RhiAahIrze4A/faq6SXXT1Sv3VhxH6qSMwjAZjb7qGi/ HM0A== X-Gm-Message-State: AOJu0Yzhjo7vHTNVby8BPlU4MsOYJfQACZ/5hX90AUr4ZykgBDlJY/CI RNyAjTBM+VkIjYgC0La18Kok6f/PFEj/XxoVfdU7vOKiQjpM7OkmWrlVulwW2w== X-Gm-Gg: AZuq6aK2HyT72NzCc3VZ3Rb8juh49j15KNv55tVQsdt4NSc3IdSsz/6f2PIQQUAdOHz YACiQiF7zVm9YjB0WO1FYXTr83z3sIf6ZNGlLXFmD+6J47Z5sUZDVU+baaTmT0ZvEmGnpnR1qWH 5Tvj7hW7tq62KuubP2T7BknZqhAWVZFxw7jTIU0fI4oE4naOiThN9q/IQhuMZzHYgQoxtea8Uza oFkY6hZ/OsFm42fMQ98HISx+J2JrG/Tle06QlFPZt/nybJhLqFjH4q8yrasZ3d99hp+3EXjSoBb f54EJzaaBMO/EqaDA3RL5xOG0tPqttIzyjy5VDjCersp6iklrG8WChlbzl54rrrly7O+palszU8 +XmdynMyUp3dNck86n/7S5rGNB+mFstYc9iAr1WEd7pgXojzeAvWBNSzeY5kqGzpxtLRP5dXo9i 09CPn3TuLt X-Received: by 2002:a05:6000:400a:b0:431:2ff:128f with SMTP id ffacd0b85a97d-435b1ab836dmr3278282f8f.6.1769150613499; Thu, 22 Jan 2026 22:43:33 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c02cd8sm4051608f8f.8.2026.01.22.22.43.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jan 2026 22:43:33 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/5] freerdp: patch CVE-2024-32458 Date: Fri, 23 Jan 2026 07:43:29 +0100 Message-ID: <20260123064332.4001588-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com> References: <20260123064332.4001588-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 06:43:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123765 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458 Pick the patch that is marked to resolve this vulnerbility by the relevant Github advisory[1]. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vvr6-h646-mp4p Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2024-32458.patch | 118 ++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 119 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch new file mode 100644 index 0000000000..eeba767d91 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32458.patch @@ -0,0 +1,118 @@ +From f04f5fc28869140079c3c5edca614e495493b9ba Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Tue, 16 Apr 2024 08:42:52 +0200 +Subject: [PATCH] fix missing input length checks + +(cherry picked from commit 52d75f6f4078143951e8a4976bc5af30a5556cb6) + +CVE: CVE-2024-32458 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/9bc624c721ecde8251cfabd1edf069bc713ccc97] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/planar.c | 53 +++++++++++++++++++++++++++++++-------- + 1 file changed, 43 insertions(+), 10 deletions(-) + +diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c +index 58d4e4bae..9f891b9c7 100644 +--- a/libfreerdp/codec/planar.c ++++ b/libfreerdp/codec/planar.c +@@ -679,6 +679,13 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + rawHeights[3] = nSrcHeight; + } + ++ const size_t diff = srcp - pSrcData; ++ if (SrcSize < diff) ++ { ++ WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff); ++ return FALSE; ++ } ++ + if (!rle) /* RAW */ + { + UINT32 base = planeSize * 3; +@@ -687,8 +694,12 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + + if (alpha) + { +- if ((SrcSize - (srcp - pSrcData)) < (planeSize + base)) ++ if ((SrcSize - diff) < (planeSize + base)) ++ { ++ WLog_ERR(TAG, "Alpha plane size mismatch %" PRIuz " < %" PRIu32, SrcSize - diff, ++ (planeSize + base)); + return FALSE; ++ } + + planes[3] = srcp; /* AlphaPlane */ + planes[0] = planes[3] + rawSizes[3]; /* LumaOrRedPlane */ +@@ -700,8 +711,11 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + } + else + { +- if ((SrcSize - (srcp - pSrcData)) < base) ++ if ((SrcSize - diff) < base) ++ { ++ WLog_ERR(TAG, "plane size mismatch %" PRIu32 " < %" PRIu32, SrcSize - diff, base); + return FALSE; ++ } + + planes[0] = srcp; /* LumaOrRedPlane */ + planes[1] = planes[0] + rawSizes[0]; /* OrangeChromaOrGreenPlane */ +@@ -716,8 +730,8 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + if (alpha) + { + planes[3] = srcp; +- rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize - (planes[3] - pSrcData), +- rawWidths[3], rawHeights[3]); /* AlphaPlane */ ++ rleSizes[3] = planar_skip_plane_rle(planes[3], SrcSize - diff, rawWidths[3], ++ rawHeights[3]); /* AlphaPlane */ + + if (rleSizes[3] < 0) + return FALSE; +@@ -727,22 +741,41 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* planar, const BYTE* pSrcData, UINT + else + planes[0] = srcp; + +- rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - (planes[0] - pSrcData), +- rawWidths[0], rawHeights[0]); /* RedPlane */ ++ const size_t diff0 = (planes[0] - pSrcData); ++ if (SrcSize < diff0) ++ { ++ WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff0); ++ return FALSE; ++ } ++ rleSizes[0] = planar_skip_plane_rle(planes[0], SrcSize - diff0, rawWidths[0], ++ rawHeights[0]); /* RedPlane */ + + if (rleSizes[0] < 0) + return FALSE; + + planes[1] = planes[0] + rleSizes[0]; +- rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - (planes[1] - pSrcData), +- rawWidths[1], rawHeights[1]); /* GreenPlane */ ++ ++ const size_t diff1 = (planes[1] - pSrcData); ++ if (SrcSize < diff1) ++ { ++ WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff1); ++ return FALSE; ++ } ++ rleSizes[1] = planar_skip_plane_rle(planes[1], SrcSize - diff1, rawWidths[1], ++ rawHeights[1]); /* GreenPlane */ + + if (rleSizes[1] < 1) + return FALSE; + + planes[2] = planes[1] + rleSizes[1]; +- rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - (planes[2] - pSrcData), +- rawWidths[2], rawHeights[2]); /* BluePlane */ ++ const size_t diff2 = (planes[2] - pSrcData); ++ if (SrcSize < diff2) ++ { ++ WLog_ERR(TAG, "Size mismatch %" PRIu32 " < %" PRIuz, SrcSize, diff); ++ return FALSE; ++ } ++ rleSizes[2] = planar_skip_plane_rle(planes[2], SrcSize - diff2, rawWidths[2], ++ rawHeights[2]); /* BluePlane */ + + if (rleSizes[2] < 1) + return FALSE; diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 06aac0325f..0a01b2095a 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -34,6 +34,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-22211.patch \ file://CVE-2024-32039.patch \ file://CVE-2024-32040.patch \ + file://CVE-2024-32458.patch \ " S = "${WORKDIR}/git" From patchwork Fri Jan 23 06:43:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79461 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04B42D62602 for ; Fri, 23 Jan 2026 06:43:46 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.62298.1769150615818883929 for ; Thu, 22 Jan 2026 22:43:36 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=mgustIlL; spf=pass (domain: gmail.com, ip: 209.85.221.46, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-4327555464cso1135827f8f.1 for ; Thu, 22 Jan 2026 22:43:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769150614; x=1769755414; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DlLE3rISwWJSkmR+q/ygdHoJeBvIfZ1KFAx/tnISRcY=; b=mgustIlL7enCjsurkMIIEGZCB38SMrEskPRu1RJwUM6OavL7dvp+H6MFQ78kninjM+ 84YB4J1PB5z9LRSiymsK4cICbXbnlJXOT5J9tjcj95U3Vp3KgMHpa2wi7akOzZhfiVBb TFk0FSlOpic/idKQ5cXOFU+zcPRwpciOjxzObypZYwk4y0XuOpU3c2FUD9CVpW5ImvOg XnHtQE8l6xVnL58Pn3YumTtjEzVHYjyc1SdzARfbX4W0t/S2SJqyfCgplXwjKJp2iK6a YYGXEYuAvXS9QBmYNidacgCoVuP8b8bFO/jUkalfwySCO/P9kb7JaAIr8z1ju/FX5FbV Q83Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769150614; x=1769755414; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=DlLE3rISwWJSkmR+q/ygdHoJeBvIfZ1KFAx/tnISRcY=; b=js+qrbim1ySHI3YCHs6t8CuCYvhVK9TN4DkytwuoXw5+xUMpCOxRD4SK671gUjR7SJ 1nXheKjwdjYTB9OdbBPmMuY7dVVzgZBXwm+AmUup0BVyZjVwGKFEswM0lpKkXPYynQgk N8+bKTweCGQr7T+tmEk3Q5jZ+hfr0i8JqJqZnf6hjVnA6Gwqn83vPS5PwQylZdX5CqSP vLJLZKtnsosBr/xPEiVNZ/Acp6RNoberijW+TqtnfQHpkJr9Voiwifbc+iJ0iGe37VGV slBwWD9rVitzzbtkuqJKX2QLtWByfrKa7LPuKolzSCYL8iI7JssPW5/nCl4ea3IiJfaL YuFA== X-Gm-Message-State: AOJu0YzycIc2ACwCJo35qN9AWyXe7LU7MJnAIBO7l0Xd+ORRrTFRI6HV TFxEbHfjeD3sYINPmvC741mxySmiPgCQNnw+opLFqor2LGPVoo24pRJWfbnLhg== X-Gm-Gg: AZuq6aLMfGc+kYbTDLgjPWILgKoL83H/cEWY/+sKvmPhR+/o8z+3Q9TkUNhBDQKgSm6 LBoATxrEcHE5Cf1UP9LAQJXXbiUZk152ZZqg6Uvf3AFM/tdO8C//F3xz5wIXkDHthPNlasBfFHL wBTLqj1Ton519YcMdjCApAxUBQLwPFLKQZTOEnBZnH7MoNWp/+ngayvOU3fAURDbqKvNlTxVQkm 3Po7mtiqFDu1o5QUIUC4wG7NxH3w+yz6dq5NXatAEnyBP5Yh25ast9tJzVe2wThnnpTF4Zy2cED Wj9KtcRuiVOVw3IhKrWhT/hk5yIQ5NdytdGIvSYzeGQhfKh52+0twjGTLFItG9p2O1PnYCqEgD4 66xs2u+GFOcJtWjQrXB9hYBsNcOfeaPJ1P5uAacTwIUQLlS14kxADWnY/ZUR8R2l/OmrlWBxypg vxIUh8JPdKPg9ME1IbzGs= X-Received: by 2002:a05:6000:26d2:b0:435:ad51:ac82 with SMTP id ffacd0b85a97d-435b15d6e8dmr2991859f8f.18.1769150614150; Thu, 22 Jan 2026 22:43:34 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c02cd8sm4051608f8f.8.2026.01.22.22.43.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jan 2026 22:43:33 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/5] freerdp: patch CVE-2024-32459 Date: Fri, 23 Jan 2026 07:43:30 +0100 Message-ID: <20260123064332.4001588-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com> References: <20260123064332.4001588-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 06:43:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123766 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459 Pick the patch that is marked to resolve this vulnerability by the relevant Github advisory[1]. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cp4q-p737-rmw9 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2024-32459.patch | 31 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch new file mode 100644 index 0000000000..ed665da447 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch @@ -0,0 +1,31 @@ +From 7570f1a12a5718a47c4260130e6a05fd518e1268 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Tue, 16 Apr 2024 08:45:03 +0200 +Subject: [PATCH] fix missing input length check + +(cherry picked from commit dbe5d521001789511bbf1db97c9bc565d168e03b) + +CVE: CVE-2024-32459 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/b70c8e989d2807cea47bbf89e57700b5a10b2ca7] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/ncrush.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libfreerdp/codec/ncrush.c b/libfreerdp/codec/ncrush.c +index c1d622a9c..199f1ed7c 100644 +--- a/libfreerdp/codec/ncrush.c ++++ b/libfreerdp/codec/ncrush.c +@@ -2041,6 +2041,12 @@ int ncrush_decompress(NCRUSH_CONTEXT* ncrush, BYTE* pSrcData, UINT32 SrcSize, BY + return 1; + } + ++ if (SrcSize < 4) ++ { ++ WLog_ERR(TAG, "Input size short: SrcSize %" PRIu32 " < 4", SrcSize); ++ return -1; ++ } ++ + const BYTE* SrcEnd = &pSrcData[SrcSize]; + const BYTE* SrcPtr = pSrcData + 4; + diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 0a01b2095a..6d98ad36f7 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -35,6 +35,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-32039.patch \ file://CVE-2024-32040.patch \ file://CVE-2024-32458.patch \ + file://CVE-2024-32459.patch \ " S = "${WORKDIR}/git" From patchwork Fri Jan 23 06:43:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79463 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D468D625E5 for ; Fri, 23 Jan 2026 06:43:46 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.62776.1769150616890510714 for ; Thu, 22 Jan 2026 22:43:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ld2lEg5a; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-47edd9024b1so14768035e9.3 for ; Thu, 22 Jan 2026 22:43:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769150615; x=1769755415; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=0IvxzK+yrhGN9FZmRawLSSos/GpqpK2g3rJN+TFL1L4=; b=ld2lEg5aNIZdAD/mu6FhwThidVnTYR49NbNQX4YrC0soMiScAjXN8IM8PTupUkPss3 JmKmApOQunVt4btMUYhyjDXlR3lQ00T9EOUGsWLg6QFNFi4Ue32Onsi15Ibf0Uw8FOzU EUCZjPLJ3ThijRX4cyhUJ32U36b+050toAt4Dnq3k0XmD5XOzvz/wNGM5FR7No+Fzjpp KmWgx+Xb8c8bIgRCjjenJutwlVbF7X+fNM2BS3V+njTP2GPS150D5SznR8TzWDW10S9T nJ1dGGkGv88YDoxymPO8vLRrZSjQueSBmGA1/nnX6dBP6SeuMIXwX/lq+jfOV03htBNX tpkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769150615; x=1769755415; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=0IvxzK+yrhGN9FZmRawLSSos/GpqpK2g3rJN+TFL1L4=; b=DiUV17lnYXFxdXq00J9T8dYKy9wL5MoUaqoVcDCV9bvexAX+QVLEjKLFUuz6Dj6z45 60nqYQs57/v7sJGWP5af3Z1cdUOVl+t1ZvFXJRJAZFF1kW751msSNnVT79JrwHXPa+M0 VFkUm66vYBdbugz9bbIgHqJM8TZXJNKWKX3JC6NMuskO7hCpFdCU5IuU37fcjWz3AVwX /BjidChS6bbkRmsY3awN1P/A/M6314qUpKoVNVOF+Qy9rqMSfkR4b6SgA43GzkpWqIHK SOPX9dGdMGbjLn5+8WuwbGVgO6FTTq8T3z+ujjfYUr0sgT54KyvF+fOVyByzBu1lZVOR 3+dA== X-Gm-Message-State: AOJu0YxysB/4DDDCA42uv35pqcqXBlEDd9gXLnjO8oL7CFixeJyUHmHp MIgTAjwEJBxY6/kjgvYZr3qfIejKEwM5F5uEMyOLg9a0VL7Dk9Mr3fv9X+N4cw== X-Gm-Gg: AZuq6aKBJDNQcg30uaxEexOm2tvJJXOAzVCFGDeF/fE19EHcpR+Rwurb3FV0/QPQ4aj YxOqS68KY0tbBgpivN9bxrZQsJqR8fh7MwP14Yp/tsmTgPqhbpQklm5JQ4my+tXnVMBk46w8ORh ZyDuSboAI+QiIYdmg0p07te/ZmG697ldtECReOse46QwuWqEEh7VvRQJ1d7iPgUtMLYx8NxyQRR bD2l2AHvDdLGu48lQp96ZBp5keS6FSvfA1wMrIAPt3AeezttO5GLGrwf+c6A93ypjbPZIhzbLNw NOxSNO8O/WnsLyqf2UfraiMkTmh465Ip8dmxoJUIRuhNM+kcPdIkZiRWjMRcB6QNcxSFPylkIJs MX6xaWdJ3P93l2BunyEpbEfLmZ9js9UoAdbZHUZOyKKSPfmA/zJvdRuxKCnzQv4vP5CfNGu9fQP TocUUUfSd6 X-Received: by 2002:a05:6000:26ce:b0:430:f58d:40e5 with SMTP id ffacd0b85a97d-435b1604d2amr2613121f8f.30.1769150614908; Thu, 22 Jan 2026 22:43:34 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c02cd8sm4051608f8f.8.2026.01.22.22.43.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jan 2026 22:43:34 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/5] freerdp: patch CVE-2024-32460 Date: Fri, 23 Jan 2026 07:43:31 +0100 Message-ID: <20260123064332.4001588-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com> References: <20260123064332.4001588-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 06:43:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123767 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32460 Backport the patch that is marked to resolve this vulnerability by the relevant Github advisory[1]. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4rr8-gr65-vqrr Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2024-32460.patch | 1030 +++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 1031 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32460.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32460.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32460.patch new file mode 100644 index 0000000000..356e1a99ef --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32460.patch @@ -0,0 +1,1030 @@ +From 86391660a70ac263c21a818c51528c42d01e64c5 Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Wed, 17 Apr 2024 11:23:52 +0200 +Subject: [PATCH] backport from 3.5.0 + +CVE: CVE-2024-32460 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/18cef378eae2b63a1a750da242f00da12b5b3881] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/include/bitmap.c | 119 ++++---- + libfreerdp/codec/interleaved.c | 448 +++++++++++++++++++++++------- + 2 files changed, 413 insertions(+), 154 deletions(-) + +diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c +index 38bcaa859..af8338711 100644 +--- a/libfreerdp/codec/include/bitmap.c ++++ b/libfreerdp/codec/include/bitmap.c +@@ -31,7 +31,10 @@ static INLINE BYTE* WRITEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, UINT32 r + BYTE mask = 0x01; + + if (cBits > 8) ++ { ++ WLog_ERR(TAG, "cBits %d > 8", cBits); + return NULL; ++ } + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, cBits)) + return NULL; +@@ -46,7 +49,6 @@ static INLINE BYTE* WRITEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, UINT32 r + data = xorPixel; + + DESTWRITEPIXEL(pbDest, data); +- DESTNEXTPIXEL(pbDest); + mask = mask << 1; + }); + return pbDest; +@@ -62,7 +64,10 @@ static INLINE BYTE* WRITEFIRSTLINEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, + BYTE mask = 0x01; + + if (cBits > 8) ++ { ++ WLog_ERR(TAG, "cBits %d > 8", cBits); + return NULL; ++ } + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, cBits)) + return NULL; +@@ -76,7 +81,6 @@ static INLINE BYTE* WRITEFIRSTLINEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, + data = BLACK_PIXEL; + + DESTWRITEPIXEL(pbDest, data); +- DESTNEXTPIXEL(pbDest); + mask = mask << 1; + }); + return pbDest; +@@ -88,6 +92,9 @@ static INLINE BYTE* WRITEFIRSTLINEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, + static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BYTE* pbDestBuffer, + UINT32 rowDelta, UINT32 width, UINT32 height) + { ++#if defined(WITH_DEBUG_CODECS) ++ char sbuffer[128] = { 0 }; ++#endif + const BYTE* pbSrc = pbSrcBuffer; + const BYTE* pbEnd; + const BYTE* pbDestEnd; +@@ -100,14 +107,22 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + PIXEL pixelA, pixelB; + UINT32 runLength; + UINT32 code; +- UINT32 advance; ++ UINT32 advance = 0; + RLEEXTRA + + if ((rowDelta == 0) || (rowDelta < width)) ++ { ++ WLog_ERR(TAG, "Invalid arguments: rowDelta=%" PRIu32 " == 0 || < width=%" PRIu32, rowDelta, ++ width); + return FALSE; ++ } + + if (!pbSrcBuffer || !pbDestBuffer) ++ { ++ WLog_ERR(TAG, "Invalid arguments: pbSrcBuffer=%p, pbDestBuffer=%p", pbSrcBuffer, ++ pbDestBuffer); + return FALSE; ++ } + + pbEnd = pbSrcBuffer + cbSrcBuffer; + pbDestEnd = pbDestBuffer + rowDelta * height; +@@ -130,10 +145,17 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + */ + code = ExtractCodeId(*pbSrc); + ++#if defined(WITH_DEBUG_CODECS) ++ WLog_VRB(TAG, "pbSrc=%p code=%s, rem=%" PRIuz, pbSrc, ++ rle_code_str_buffer(code, sbuffer, sizeof(sbuffer)), pbEnd - pbSrc); ++#endif ++ + /* Handle Background Run Orders. */ +- if (code == REGULAR_BG_RUN || code == MEGA_MEGA_BG_RUN) ++ if ((code == REGULAR_BG_RUN) || (code == MEGA_MEGA_BG_RUN)) + { +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; + + if (fFirstLine) +@@ -144,17 +166,13 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + return FALSE; + + DESTWRITEPIXEL(pbDest, fgPel); +- DESTNEXTPIXEL(pbDest); + runLength = runLength - 1; + } + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) + return FALSE; + +- UNROLL(runLength, { +- DESTWRITEPIXEL(pbDest, BLACK_PIXEL); +- DESTNEXTPIXEL(pbDest); +- }); ++ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, BLACK_PIXEL); }); + } + else + { +@@ -166,7 +184,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + return FALSE; + + DESTWRITEPIXEL(pbDest, temp ^ fgPel); +- DESTNEXTPIXEL(pbDest); + runLength--; + } + +@@ -176,7 +193,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + UNROLL(runLength, { + DESTREADPIXEL(temp, pbDest - rowDelta); + DESTWRITEPIXEL(pbDest, temp); +- DESTNEXTPIXEL(pbDest); + }); + } + +@@ -196,15 +212,16 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + case MEGA_MEGA_FG_RUN: + case LITE_SET_FG_FG_RUN: + case MEGA_MEGA_SET_FG_RUN: +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; + + if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN) + { +- if (pbSrc >= pbEnd) ++ if (!buffer_within_range(pbSrc, PIXEL_SIZE, pbEnd)) + return FALSE; + SRCREADPIXEL(fgPel, pbSrc); +- SRCNEXTPIXEL(pbSrc); + } + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) +@@ -212,17 +229,13 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + + if (fFirstLine) + { +- UNROLL(runLength, { +- DESTWRITEPIXEL(pbDest, fgPel); +- DESTNEXTPIXEL(pbDest); +- }); ++ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, fgPel); }); + } + else + { + UNROLL(runLength, { + DESTREADPIXEL(temp, pbDest - rowDelta); + DESTWRITEPIXEL(pbDest, temp ^ fgPel); +- DESTNEXTPIXEL(pbDest); + }); + } + +@@ -231,45 +244,41 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + /* Handle Dithered Run Orders. */ + case LITE_DITHERED_RUN: + case MEGA_MEGA_DITHERED_RUN: +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; +- if (pbSrc >= pbEnd) ++ if (!buffer_within_range(pbSrc, PIXEL_SIZE, pbEnd)) + return FALSE; + SRCREADPIXEL(pixelA, pbSrc); +- SRCNEXTPIXEL(pbSrc); +- if (pbSrc >= pbEnd) ++ if (!buffer_within_range(pbSrc, PIXEL_SIZE, pbEnd)) + return FALSE; + SRCREADPIXEL(pixelB, pbSrc); +- SRCNEXTPIXEL(pbSrc); + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength * 2)) + return FALSE; + + UNROLL(runLength, { + DESTWRITEPIXEL(pbDest, pixelA); +- DESTNEXTPIXEL(pbDest); + DESTWRITEPIXEL(pbDest, pixelB); +- DESTNEXTPIXEL(pbDest); + }); + break; + + /* Handle Color Run Orders. */ + case REGULAR_COLOR_RUN: + case MEGA_MEGA_COLOR_RUN: +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; +- if (pbSrc >= pbEnd) ++ if (!buffer_within_range(pbSrc, PIXEL_SIZE, pbEnd)) + return FALSE; + SRCREADPIXEL(pixelA, pbSrc); +- SRCNEXTPIXEL(pbSrc); + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) + return FALSE; + +- UNROLL(runLength, { +- DESTWRITEPIXEL(pbDest, pixelA); +- DESTNEXTPIXEL(pbDest); +- }); ++ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, pixelA); }); + break; + + /* Handle Foreground/Background Image Orders. */ +@@ -277,17 +286,20 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + case MEGA_MEGA_FGBG_IMAGE: + case LITE_SET_FG_FGBG_IMAGE: + case MEGA_MEGA_SET_FGBG_IMAGE: +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; + +- if (pbSrc >= pbEnd) +- return FALSE; + if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE) + { ++ if (!buffer_within_range(pbSrc, PIXEL_SIZE, pbEnd)) ++ return FALSE; + SRCREADPIXEL(fgPel, pbSrc); +- SRCNEXTPIXEL(pbSrc); + } + ++ if (!buffer_within_range(pbSrc, runLength / 8, pbEnd)) ++ return FALSE; + if (fFirstLine) + { + while (runLength > 8) +@@ -306,8 +318,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + { + while (runLength > 8) + { +- bitmask = *pbSrc; +- pbSrc = pbSrc + 1; ++ bitmask = *pbSrc++; ++ + pbDest = WRITEFGBGIMAGE(pbDest, pbDestEnd, rowDelta, bitmask, fgPel, 8); + + if (!pbDest) +@@ -319,8 +331,9 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + + if (runLength > 0) + { +- bitmask = *pbSrc; +- pbSrc = pbSrc + 1; ++ if (!buffer_within_range(pbSrc, 1, pbEnd)) ++ return FALSE; ++ bitmask = *pbSrc++; + + if (fFirstLine) + { +@@ -342,23 +355,25 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + /* Handle Color Image Orders. */ + case REGULAR_COLOR_IMAGE: + case MEGA_MEGA_COLOR_IMAGE: +- runLength = ExtractRunLength(code, pbSrc, &advance); ++ runLength = ExtractRunLength(code, pbSrc, pbEnd, &advance); ++ if (advance == 0) ++ return FALSE; + pbSrc = pbSrc + advance; + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) + return FALSE; ++ if (!ENSURE_CAPACITY(pbSrc, pbEnd, runLength)) ++ return FALSE; + + UNROLL(runLength, { +- if (pbSrc >= pbEnd) +- return FALSE; + SRCREADPIXEL(temp, pbSrc); +- SRCNEXTPIXEL(pbSrc); + DESTWRITEPIXEL(pbDest, temp); +- DESTNEXTPIXEL(pbDest); + }); + break; + + /* Handle Special Order 1. */ + case SPECIAL_FGBG_1: ++ if (!buffer_within_range(pbSrc, 1, pbEnd)) ++ return FALSE; + pbSrc = pbSrc + 1; + + if (fFirstLine) +@@ -379,6 +394,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + + /* Handle Special Order 2. */ + case SPECIAL_FGBG_2: ++ if (!buffer_within_range(pbSrc, 1, pbEnd)) ++ return FALSE; + pbSrc = pbSrc + 1; + + if (fFirstLine) +@@ -399,27 +416,31 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY + + /* Handle White Order. */ + case SPECIAL_WHITE: ++ if (!buffer_within_range(pbSrc, 1, pbEnd)) ++ return FALSE; + pbSrc = pbSrc + 1; + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, 1)) + return FALSE; + + DESTWRITEPIXEL(pbDest, WHITE_PIXEL); +- DESTNEXTPIXEL(pbDest); + break; + + /* Handle Black Order. */ + case SPECIAL_BLACK: ++ if (!buffer_within_range(pbSrc, 1, pbEnd)) ++ return FALSE; + pbSrc = pbSrc + 1; + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, 1)) + return FALSE; + + DESTWRITEPIXEL(pbDest, BLACK_PIXEL); +- DESTNEXTPIXEL(pbDest); + break; + + default: ++ WLog_ERR(TAG, "invalid code 0x%08" PRIx32 ", pbSrcBuffer=%p, pbSrc=%p, pbEnd=%p", ++ code, pbSrcBuffer, pbSrc, pbEnd); + return FALSE; + } + } +diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c +index b76fe1ca3..abfdc51f9 100644 +--- a/libfreerdp/codec/interleaved.c ++++ b/libfreerdp/codec/interleaved.c +@@ -21,6 +21,7 @@ + * limitations under the License. + */ + ++#include + #ifdef HAVE_CONFIG_H + #include "config.h" + #endif +@@ -30,15 +31,16 @@ + + #define TAG FREERDP_TAG("codec") + +-#define UNROLL_BODY(_exp, _count) \ +- do \ +- { \ +- size_t x; \ +- for (x = 0; x < (_count); x++) \ +- { \ +- do \ +- _exp while (FALSE); \ +- } \ ++#define UNROLL_BODY(_exp, _count) \ ++ do \ ++ { \ ++ for (size_t x = 0; x < (_count); x++) \ ++ { \ ++ do \ ++ { \ ++ _exp \ ++ } while (FALSE); \ ++ } \ + } while (FALSE) + + #define UNROLL_MULTIPLE(_condition, _exp, _count) \ +@@ -97,6 +99,80 @@ static const BYTE g_MaskSpecialFgBg2 = 0x05; + static const BYTE g_MaskRegularRunLength = 0x1F; + static const BYTE g_MaskLiteRunLength = 0x0F; + ++static const char* rle_code_str(UINT32 code) ++{ ++ switch (code) ++ { ++ case REGULAR_BG_RUN: ++ return "REGULAR_BG_RUN"; ++ case MEGA_MEGA_BG_RUN: ++ return "MEGA_MEGA_BG_RUN"; ++ case REGULAR_FG_RUN: ++ return "REGULAR_FG_RUN"; ++ case MEGA_MEGA_FG_RUN: ++ return "MEGA_MEGA_FG_RUN"; ++ case LITE_SET_FG_FG_RUN: ++ return "LITE_SET_FG_FG_RUN"; ++ case MEGA_MEGA_SET_FG_RUN: ++ return "MEGA_MEGA_SET_FG_RUN"; ++ case LITE_DITHERED_RUN: ++ return "LITE_DITHERED_RUN"; ++ case MEGA_MEGA_DITHERED_RUN: ++ return "MEGA_MEGA_DITHERED_RUN"; ++ case REGULAR_COLOR_RUN: ++ return "REGULAR_COLOR_RUN"; ++ case MEGA_MEGA_COLOR_RUN: ++ return "MEGA_MEGA_COLOR_RUN"; ++ case REGULAR_FGBG_IMAGE: ++ return "REGULAR_FGBG_IMAGE"; ++ case MEGA_MEGA_FGBG_IMAGE: ++ return "MEGA_MEGA_FGBG_IMAGE"; ++ case LITE_SET_FG_FGBG_IMAGE: ++ return "LITE_SET_FG_FGBG_IMAGE"; ++ case MEGA_MEGA_SET_FGBG_IMAGE: ++ return "MEGA_MEGA_SET_FGBG_IMAGE"; ++ case REGULAR_COLOR_IMAGE: ++ return "REGULAR_COLOR_IMAGE"; ++ case MEGA_MEGA_COLOR_IMAGE: ++ return "MEGA_MEGA_COLOR_IMAGE"; ++ case SPECIAL_FGBG_1: ++ return "SPECIAL_FGBG_1"; ++ case SPECIAL_FGBG_2: ++ return "SPECIAL_FGBG_2"; ++ case SPECIAL_WHITE: ++ return "SPECIAL_WHITE"; ++ case SPECIAL_BLACK: ++ return "SPECIAL_BLACK"; ++ default: ++ return "UNKNOWN"; ++ } ++} ++ ++static const char* rle_code_str_buffer(UINT32 code, char* buffer, size_t size) ++{ ++ const char* str = rle_code_str(code); ++ _snprintf(buffer, size, "%s [0x%08" PRIx32 "]", str, code); ++ return buffer; ++} ++ ++#define buffer_within_range(pbSrc, size, pbEnd) \ ++ buffer_within_range_((pbSrc), (size), (pbEnd), __func__, __FILE__, __LINE__) ++static INLINE BOOL buffer_within_range_(const void* pbSrc, size_t size, const void* pbEnd, ++ const char* fkt, const char* file, size_t line) ++{ ++ WINPR_UNUSED(file); ++ assert((pbSrc) && "Assert failed: pbSrc"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ ++ if ((const char*)pbSrc + size > (const char*)pbEnd) ++ { ++ WLog_ERR(TAG, "[%s:%" PRIuz "] pbSrc=%p + %" PRIuz " > pbEnd=%p", fkt, line, pbSrc, size, ++ pbEnd); ++ return FALSE; ++ } ++ return TRUE; ++} ++ + /** + * Reads the supplied order header and extracts the compression + * order code ID. +@@ -127,71 +203,155 @@ static INLINE UINT32 ExtractCodeId(BYTE bOrderHdr) + /** + * Extract the run length of a compression order. + */ +-static INLINE UINT32 ExtractRunLength(UINT32 code, const BYTE* pbOrderHdr, UINT32* advance) ++static UINT ExtractRunLengthRegularFgBg(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT32* advance) + { +- UINT32 runLength; +- UINT32 ladvance; +- ladvance = 1; +- runLength = 0; ++ UINT runLength = 0; + +- switch (code) ++ assert((pbOrderHdr) && "Assert failed: pbOrderHdr"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); ++ ++ runLength = (*pbOrderHdr) & g_MaskRegularRunLength; ++ if (runLength == 0) + { +- case REGULAR_FGBG_IMAGE: +- runLength = (*pbOrderHdr) & g_MaskRegularRunLength; ++ if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) ++ { ++ *advance = 0; ++ return 0; ++ } ++ runLength = *(pbOrderHdr + 1) + 1; ++ (*advance)++; ++ } ++ else ++ runLength = runLength * 8; + +- if (runLength == 0) +- { +- runLength = (*(pbOrderHdr + 1)) + 1; +- ladvance += 1; +- } +- else +- { +- runLength = runLength * 8; +- } ++ return runLength; ++} + +- break; ++static UINT ExtractRunLengthLiteFgBg(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT32* advance) ++{ ++ UINT runLength = 0; + +- case LITE_SET_FG_FGBG_IMAGE: +- runLength = (*pbOrderHdr) & g_MaskLiteRunLength; ++ assert((pbOrderHdr) && "Assert failed: pbOrderHdr"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); + +- if (runLength == 0) +- { +- runLength = (*(pbOrderHdr + 1)) + 1; +- ladvance += 1; +- } +- else +- { +- runLength = runLength * 8; +- } ++ runLength = *pbOrderHdr & g_MaskLiteRunLength; ++ if (runLength == 0) ++ { ++ if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) ++ { ++ *advance = 0; ++ return 0; ++ } ++ runLength = *(pbOrderHdr + 1) + 1; ++ (*advance)++; ++ } ++ else ++ runLength = runLength * 8; ++ ++ return runLength; ++} ++ ++static UINT ExtractRunLengthRegular(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT32* advance) ++{ ++ UINT runLength = 0; ++ ++ assert((pbOrderHeader) && "Assert failed: pbOrderHeader"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); ++ ++ runLength = *pbOrderHdr & g_MaskRegularRunLength; ++ if (runLength == 0) ++ { ++ if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) ++ { ++ *advance = 0; ++ return 0; ++ } ++ runLength = *(pbOrderHdr + 1) + 32; ++ (*advance)++; ++ } ++ ++ return runLength; ++} ++ ++static UINT ExtractRunLengthMegaMega(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT32* advance) ++{ ++ UINT runLength = 0; ++ ++ assert((pbOrderHdr) && "Assert failed: pbOrderHdr"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); ++ ++ if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) ++ { ++ *advance = 0; ++ return 0; ++ } ++ ++ runLength = ((UINT16)pbOrderHdr[1]) | (((UINT16)pbOrderHdr[2]) << 8); ++ (*advance) += 2; ++ ++ return runLength; ++} ++ ++static UINT ExtractRunLengthLite(const BYTE* pbOrderHdr, const BYTE* pbEnd, UINT32* advance) ++{ ++ UINT runLength = 0; ++ ++ assert((pbOrderHdr) && "Assert failed: pbOrderHdr"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); ++ ++ runLength = *pbOrderHdr & g_MaskLiteRunLength; ++ if (runLength == 0) ++ { ++ if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) ++ { ++ *advance = 0; ++ return 0; ++ } ++ runLength = *(pbOrderHdr + 1) + 16; ++ (*advance)++; ++ } ++ return runLength; ++} ++ ++static INLINE UINT32 ExtractRunLength(UINT32 code, const BYTE* pbOrderHdr, const BYTE* pbEnd, ++ UINT32* advance) ++{ ++ UINT32 runLength = 0; ++ UINT32 ladvance = 1; ++ ++ assert((pbOrderHdr) && "Assert failed: pbOrderHdr"); ++ assert((pbEnd) && "Assert failed: pbEnd"); ++ assert((advance) && "Assert failed: advance"); ++ ++ *advance = 0; ++ if (!buffer_within_range(pbOrderHdr, 0, pbEnd)) ++ return 0; ++ ++ switch (code) ++ { ++ case REGULAR_FGBG_IMAGE: ++ runLength = ExtractRunLengthRegularFgBg(pbOrderHdr, pbEnd, &ladvance); ++ break; + ++ case LITE_SET_FG_FGBG_IMAGE: ++ runLength = ExtractRunLengthLiteFgBg(pbOrderHdr, pbEnd, &ladvance); + break; + + case REGULAR_BG_RUN: + case REGULAR_FG_RUN: + case REGULAR_COLOR_RUN: + case REGULAR_COLOR_IMAGE: +- runLength = (*pbOrderHdr) & g_MaskRegularRunLength; +- +- if (runLength == 0) +- { +- /* An extended (MEGA) run. */ +- runLength = (*(pbOrderHdr + 1)) + 32; +- ladvance += 1; +- } +- ++ runLength = ExtractRunLengthRegular(pbOrderHdr, pbEnd, &ladvance); + break; + + case LITE_SET_FG_FG_RUN: + case LITE_DITHERED_RUN: +- runLength = (*pbOrderHdr) & g_MaskLiteRunLength; +- +- if (runLength == 0) +- { +- /* An extended (MEGA) run. */ +- runLength = (*(pbOrderHdr + 1)) + 16; +- ladvance += 1; +- } +- ++ runLength = ExtractRunLengthLite(pbOrderHdr, pbEnd, &ladvance); + break; + + case MEGA_MEGA_BG_RUN: +@@ -202,8 +362,12 @@ static INLINE UINT32 ExtractRunLength(UINT32 code, const BYTE* pbOrderHdr, UINT3 + case MEGA_MEGA_FGBG_IMAGE: + case MEGA_MEGA_SET_FGBG_IMAGE: + case MEGA_MEGA_COLOR_IMAGE: +- runLength = ((UINT16)pbOrderHdr[1]) | ((UINT16)(pbOrderHdr[2] << 8)); +- ladvance += 2; ++ runLength = ExtractRunLengthMegaMega(pbOrderHdr, pbEnd, &ladvance); ++ break; ++ ++ default: ++ runLength = 0; ++ ladvance = 0; + break; + } + +@@ -211,20 +375,32 @@ static INLINE UINT32 ExtractRunLength(UINT32 code, const BYTE* pbOrderHdr, UINT3 + return runLength; + } + +-static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t size, size_t base) ++#define ensure_capacity(start, end, size, base) \ ++ ensure_capacity_((start), (end), (size), (base), __func__, __FILE__, __LINE__) ++static INLINE BOOL ensure_capacity_(const BYTE* start, const BYTE* end, size_t size, size_t base, ++ const char* fkt, const char* file, size_t line) + { + const size_t available = (uintptr_t)end - (uintptr_t)start; + const BOOL rc = available >= size * base; +- return rc && (start <= end); ++ const BOOL res = rc && (start <= end); ++ ++ if (!res) ++ WLog_ERR(TAG, ++ "[%s:%" PRIuz "] failed: start=%p <= end=%p, available=%" PRIuz " >= size=%" PRIuz ++ " * base=%" PRIuz, ++ fkt, line, start, end, available, size, base); ++ return res; + } + + static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix) + { ++ assert((_buf) && "Assert failed: _buf"); + *_buf = _pix; + } + + static INLINE void write_pixel_24(BYTE* _buf, UINT32 _pix) + { ++ assert((_buf) && "Assert failed: _buf"); + (_buf)[0] = (BYTE)(_pix); + (_buf)[1] = (BYTE)((_pix) >> 8); + (_buf)[2] = (BYTE)((_pix) >> 16); +@@ -232,6 +408,7 @@ static INLINE void write_pixel_24(BYTE* _buf, UINT32 _pix) + + static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix) + { ++ assert((_buf) && "Assert failed: _buf"); + _buf[0] = _pix & 0xFF; + _buf[1] = (_pix >> 8) & 0xFF; + } +@@ -239,19 +416,30 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix) + #undef DESTWRITEPIXEL + #undef DESTREADPIXEL + #undef SRCREADPIXEL +-#undef DESTNEXTPIXEL +-#undef SRCNEXTPIXEL + #undef WRITEFGBGIMAGE + #undef WRITEFIRSTLINEFGBGIMAGE + #undef RLEDECOMPRESS + #undef RLEEXTRA + #undef WHITE_PIXEL ++#undef PIXEL_SIZE ++#undef PIXEL ++#define PIXEL_SIZE 1 ++#define PIXEL BYTE + #define WHITE_PIXEL 0xFF +-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_8(_buf, _pix) ++#define DESTWRITEPIXEL(_buf, _pix) \ ++ do \ ++ { \ ++ write_pixel_8(_buf, _pix); \ ++ _buf += 1; \ ++ } while (0) + #define DESTREADPIXEL(_pix, _buf) _pix = (_buf)[0] +-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] +-#define DESTNEXTPIXEL(_buf) _buf += 1 +-#define SRCNEXTPIXEL(_buf) _buf += 1 ++#define SRCREADPIXEL(_pix, _buf) \ ++ do \ ++ { \ ++ _pix = (_buf)[0]; \ ++ _buf += 1; \ ++ } while (0) ++ + #define WRITEFGBGIMAGE WriteFgBgImage8to8 + #define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage8to8 + #define RLEDECOMPRESS RleDecompress8to8 +@@ -263,19 +451,29 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix) + #undef DESTWRITEPIXEL + #undef DESTREADPIXEL + #undef SRCREADPIXEL +-#undef DESTNEXTPIXEL +-#undef SRCNEXTPIXEL + #undef WRITEFGBGIMAGE + #undef WRITEFIRSTLINEFGBGIMAGE + #undef RLEDECOMPRESS + #undef RLEEXTRA + #undef WHITE_PIXEL ++#undef PIXEL_SIZE ++#undef PIXEL ++#define PIXEL_SIZE 2 ++#define PIXEL UINT16 + #define WHITE_PIXEL 0xFFFF +-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_16(_buf, _pix) ++#define DESTWRITEPIXEL(_buf, _pix) \ ++ do \ ++ { \ ++ write_pixel_16(_buf, _pix); \ ++ _buf += 2; \ ++ } while (0) + #define DESTREADPIXEL(_pix, _buf) _pix = ((UINT16*)(_buf))[0] +-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8) +-#define DESTNEXTPIXEL(_buf) _buf += 2 +-#define SRCNEXTPIXEL(_buf) _buf += 2 ++#define SRCREADPIXEL(_pix, _buf) \ ++ do \ ++ { \ ++ _pix = (_buf)[0] | ((_buf)[1] << 8); \ ++ _buf += 2; \ ++ } while (0) + #define WRITEFGBGIMAGE WriteFgBgImage16to16 + #define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage16to16 + #define RLEDECOMPRESS RleDecompress16to16 +@@ -287,19 +485,30 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix) + #undef DESTWRITEPIXEL + #undef DESTREADPIXEL + #undef SRCREADPIXEL +-#undef DESTNEXTPIXEL +-#undef SRCNEXTPIXEL + #undef WRITEFGBGIMAGE + #undef WRITEFIRSTLINEFGBGIMAGE + #undef RLEDECOMPRESS + #undef RLEEXTRA + #undef WHITE_PIXEL +-#define WHITE_PIXEL 0xFFFFFF +-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_24(_buf, _pix) ++#undef PIXEL_SIZE ++#undef PIXEL ++#define PIXEL_SIZE 3 ++#define PIXEL UINT32 ++#define WHITE_PIXEL 0xffffff ++#define DESTWRITEPIXEL(_buf, _pix) \ ++ do \ ++ { \ ++ write_pixel_24(_buf, _pix); \ ++ _buf += 3; \ ++ } while (0) + #define DESTREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16) +-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16) +-#define DESTNEXTPIXEL(_buf) _buf += 3 +-#define SRCNEXTPIXEL(_buf) _buf += 3 ++#define SRCREADPIXEL(_pix, _buf) \ ++ do \ ++ { \ ++ _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16); \ ++ _buf += 3; \ ++ } while (0) ++ + #define WRITEFGBGIMAGE WriteFgBgImage24to24 + #define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage24to24 + #define RLEDECOMPRESS RleDecompress24to24 +@@ -308,18 +517,32 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix) + #define ENSURE_CAPACITY(_start, _end, _size) ensure_capacity(_start, _end, _size, 3) + #include "include/bitmap.c" + ++struct S_BITMAP_INTERLEAVED_CONTEXT ++{ ++ BOOL Compressor; ++ ++ UINT32 TempSize; ++ BYTE* TempBuffer; ++ ++ wStream* bts; ++}; ++ + BOOL interleaved_decompress(BITMAP_INTERLEAVED_CONTEXT* interleaved, const BYTE* pSrcData, + UINT32 SrcSize, UINT32 nSrcWidth, UINT32 nSrcHeight, UINT32 bpp, + BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst, + UINT32 nYDst, UINT32 nDstWidth, UINT32 nDstHeight, + const gdiPalette* palette) + { +- UINT32 scanline; +- UINT32 SrcFormat; +- UINT32 BufferSize; ++ UINT32 scanline = 0; ++ UINT32 SrcFormat = 0; ++ UINT32 BufferSize = 0; + + if (!interleaved || !pSrcData || !pDstData) ++ { ++ WLog_ERR(TAG, "invalid arguments: interleaved=%p, pSrcData=%p, pDstData=%p", interleaved, ++ pSrcData, pDstData); + return FALSE; ++ } + + switch (bpp) + { +@@ -352,19 +575,26 @@ BOOL interleaved_decompress(BITMAP_INTERLEAVED_CONTEXT* interleaved, const BYTE* + + if (BufferSize > interleaved->TempSize) + { +- interleaved->TempBuffer = _aligned_realloc(interleaved->TempBuffer, BufferSize, 16); ++ interleaved->TempBuffer = ++ _aligned_recalloc(interleaved->TempBuffer, BufferSize, sizeof(BYTE), 16); + interleaved->TempSize = BufferSize; + } + + if (!interleaved->TempBuffer) ++ { ++ WLog_ERR(TAG, "interleaved->TempBuffer=%p", interleaved->TempBuffer); + return FALSE; ++ } + + switch (bpp) + { + case 24: + if (!RleDecompress24to24(pSrcData, SrcSize, interleaved->TempBuffer, scanline, + nSrcWidth, nSrcHeight)) ++ { ++ WLog_ERR(TAG, "RleDecompress24to24 failed"); + return FALSE; ++ } + + break; + +@@ -372,24 +602,36 @@ BOOL interleaved_decompress(BITMAP_INTERLEAVED_CONTEXT* interleaved, const BYTE* + case 15: + if (!RleDecompress16to16(pSrcData, SrcSize, interleaved->TempBuffer, scanline, + nSrcWidth, nSrcHeight)) ++ { ++ WLog_ERR(TAG, "RleDecompress16to16 failed"); + return FALSE; ++ } + + break; + + case 8: + if (!RleDecompress8to8(pSrcData, SrcSize, interleaved->TempBuffer, scanline, nSrcWidth, + nSrcHeight)) ++ { ++ WLog_ERR(TAG, "RleDecompress8to8 failed"); + return FALSE; ++ } + + break; + + default: ++ WLog_ERR(TAG, "Invalid color depth %" PRIu32 "", bpp); + return FALSE; + } + +- return freerdp_image_copy(pDstData, DstFormat, nDstStep, nXDst, nYDst, nDstWidth, nDstHeight, +- interleaved->TempBuffer, SrcFormat, scanline, 0, 0, palette, +- FREERDP_FLIP_VERTICAL); ++ if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, nXDst, nYDst, nDstWidth, nDstHeight, ++ interleaved->TempBuffer, SrcFormat, scanline, 0, 0, palette, ++ FREERDP_FLIP_VERTICAL)) ++ { ++ WLog_ERR(TAG, "freerdp_image_copy failed"); ++ return FALSE; ++ } ++ return TRUE; + } + + BOOL interleaved_compress(BITMAP_INTERLEAVED_CONTEXT* interleaved, BYTE* pDstData, UINT32* pDstSize, +@@ -397,10 +639,10 @@ BOOL interleaved_compress(BITMAP_INTERLEAVED_CONTEXT* interleaved, BYTE* pDstDat + UINT32 nSrcStep, UINT32 nXSrc, UINT32 nYSrc, const gdiPalette* palette, + UINT32 bpp) + { +- BOOL status; +- wStream* s; ++ BOOL status = 0; ++ wStream* s = NULL; + UINT32 DstFormat = 0; +- const size_t maxSize = 64 * 64 * 4; ++ const UINT32 maxSize = 64 * 64 * 4; + + if (!interleaved || !pDstData || !pSrcData) + return FALSE; +@@ -442,7 +684,7 @@ BOOL interleaved_compress(BITMAP_INTERLEAVED_CONTEXT* interleaved, BYTE* pDstDat + } + + if (!freerdp_image_copy(interleaved->TempBuffer, DstFormat, 0, 0, 0, nWidth, nHeight, pSrcData, +- SrcFormat, nSrcStep, nXSrc, nYSrc, palette, FREERDP_FLIP_NONE)) ++ SrcFormat, nSrcStep, nXSrc, nYSrc, palette, 0)) + return FALSE; + + s = Stream_New(pDstData, *pDstSize); +@@ -474,33 +716,29 @@ BOOL bitmap_interleaved_context_reset(BITMAP_INTERLEAVED_CONTEXT* interleaved) + + BITMAP_INTERLEAVED_CONTEXT* bitmap_interleaved_context_new(BOOL Compressor) + { +- BITMAP_INTERLEAVED_CONTEXT* interleaved; +- interleaved = (BITMAP_INTERLEAVED_CONTEXT*)calloc(1, sizeof(BITMAP_INTERLEAVED_CONTEXT)); ++ BITMAP_INTERLEAVED_CONTEXT* interleaved = NULL; ++ interleaved = (BITMAP_INTERLEAVED_CONTEXT*)_aligned_recalloc( ++ NULL, 1, sizeof(BITMAP_INTERLEAVED_CONTEXT), 32); + + if (interleaved) + { + interleaved->TempSize = 64 * 64 * 4; +- interleaved->TempBuffer = _aligned_malloc(interleaved->TempSize, 16); ++ interleaved->TempBuffer = _aligned_malloc(interleaved->TempSize * sizeof(BYTE), 16); + + if (!interleaved->TempBuffer) +- { +- free(interleaved); +- WLog_ERR(TAG, "_aligned_malloc failed!"); +- return NULL; +- } ++ goto fail; + + interleaved->bts = Stream_New(NULL, interleaved->TempSize); + + if (!interleaved->bts) +- { +- _aligned_free(interleaved->TempBuffer); +- free(interleaved); +- WLog_ERR(TAG, "Stream_New failed!"); +- return NULL; +- } ++ goto fail; + } + + return interleaved; ++ ++fail: ++ bitmap_interleaved_context_free(interleaved); ++ return NULL; + } + + void bitmap_interleaved_context_free(BITMAP_INTERLEAVED_CONTEXT* interleaved) +@@ -510,5 +748,5 @@ void bitmap_interleaved_context_free(BITMAP_INTERLEAVED_CONTEXT* interleaved) + + _aligned_free(interleaved->TempBuffer); + Stream_Free(interleaved->bts, TRUE); +- free(interleaved); ++ _aligned_free(interleaved); + } diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 6d98ad36f7..85d24428d4 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -36,6 +36,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-32040.patch \ file://CVE-2024-32458.patch \ file://CVE-2024-32459.patch \ + file://CVE-2024-32460.patch \ " S = "${WORKDIR}/git" From patchwork Fri Jan 23 06:43:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6F1BD46952 for ; Fri, 23 Jan 2026 06:43:45 +0000 (UTC) Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.62299.1769150617216589597 for ; Thu, 22 Jan 2026 22:43:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WVvvaGz8; spf=pass (domain: gmail.com, ip: 209.85.221.44, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-435a517be33so1147813f8f.0 for ; Thu, 22 Jan 2026 22:43:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769150616; x=1769755416; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=OBG2Fx59+8IiUbCYiRFhE13Dh/VHjO1+UPPxz47o/jo=; b=WVvvaGz8J+80sQgKQv1LwKVxIJSk5K9ozcEhnmEHMMCNzP5IEuDSOG8BxGBPj9pjXa YyBqcD/EUDwiZh6Gkf4j7QlONM4daP12fbFaybiL398OGgDkFVGoJEgE8w9ITBrrM7Lx 90vpCj+8Uk4hD1lGhzppIKHQXcSroRp/Ue6/r7uJ3d5FrnEjePlmvk/jXw6q16uurZWP 087tn86P5nfzwS7z+5NCGILH2rdJ+Dn5W8+2MSv7Z1cBlMg/qh+E6EFd+Ya3VMb0EkJ4 IgCazflq0f6xDw4oFI4L5Y9SWp2D9bUHoFtSMF6MZORzb1sR3OAfRvX6qHEye6xpc7sj Fduw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769150616; x=1769755416; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=OBG2Fx59+8IiUbCYiRFhE13Dh/VHjO1+UPPxz47o/jo=; b=XHijHfTU2HBGNfqxJcSwJf2KaUpDW7mMfGMNdBQ4liJ+vyD8c4VRG4eKoEiFJDRPz3 Ju6LYWTAagAtTQm1YTROsgh4w35L1VGiTSBSDTDZbmsgvLWgVuHZYrEnlZNWheNAQECC wdlcyBmsStOwI9hB13wsG3GYr8NqgBaGpBd8y+MBvsTVrXLm4umMPWfyX+YqcYV9gXSq fGSvNaWe/+DpJm+BCP1nfoW0qorAX/1leH2sItl1vqAG2wAMGYpapiWHuJGr52thCAG+ 9iCG1RMEGYsmUhEwS4apwtUEQCEyaRMEm5OeRYMmOn0262IH+4HsGzTAFlBiT1W1g9dQ +Q0A== X-Gm-Message-State: AOJu0YwRUaFh6vK+5BZcE22N7CRcG2Kpn0/94VdUhoM0D3b5KWHWRFA5 FSecORaD88lLOllNFRtBjfoSz6lh7RxLYJL9OkIzeA9PO5O5TOEpZctNCdJu2A== X-Gm-Gg: AZuq6aJUjZojUkT9bEwUO22XgOga7ca4pGxBFDaG25mk+WakVw6b5blhu+BXOYxsz0u Q3WpXpZBe7ZC30AHB3loskzS8mUvIu2FWimnBLnHaBThqPFhobzxD3zlz3yiWvENQT1u5ClRat1 tqE63sy81+azKoWmL42isVlkaXpwUNYnjKtxoeJvOhlXFnOy1XqCE3Cln8djpVjI59VSqjcsFsO VYxC36QhEpmvKuuGIInmsgNS+Z7bw4wifwSktbMD71VDXyrs8PtrEAK8FtlHxKApWS55Ny9M1iK ZqyLzndWASw084XkJrZWLUcwpUw1OSAfsi/odQf0QAEns2/6szh58dp5crp3nseWJyYGdP2E6Wx a/ETCIRXVywje1W7HqZb/lxqeiWhta2fcoCNa4ZPBDP0UBSPwN8jTHk/XKqDDlXyW/L9W0+fRE8 fwSsrp2Hob X-Received: by 2002:a05:6000:400b:b0:435:92d3:d9b4 with SMTP id ffacd0b85a97d-435b1597b65mr3595363f8f.26.1769150615557; Thu, 22 Jan 2026 22:43:35 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c02cd8sm4051608f8f.8.2026.01.22.22.43.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Jan 2026 22:43:35 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 5/5] freerdp: patch CVE-2024-32658 Date: Fri, 23 Jan 2026 07:43:32 +0100 Message-ID: <20260123064332.4001588-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260123064332.4001588-1-skandigraun@gmail.com> References: <20260123064332.4001588-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 06:43:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123768 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32658 Backport the patch that was marked to resolve this issue by the relevant Github advisory[1]. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2024-32658.patch | 36 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32658.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32658.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32658.patch new file mode 100644 index 0000000000..7467991f62 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32658.patch @@ -0,0 +1,36 @@ +From 9b8628f014d14d85baeb0258d5558946603abc45 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Sat, 20 Apr 2024 17:59:49 +0200 +Subject: [PATCH] fix offset error + +(cherry picked from commit 1a755d898ddc028cc818d0dd9d49d5acff4c44bf) + +CVE: CVE-2024-32658 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/2b9f30a2fa4b13559a367f7cbe158e1bafe0f482] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/interleaved.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c +index 58ddfbbfe..0c9e78fe0 100644 +--- a/libfreerdp/codec/interleaved.c ++++ b/libfreerdp/codec/interleaved.c +@@ -214,7 +214,7 @@ static UINT ExtractRunLengthRegularFgBg(const BYTE* pbOrderHdr, const BYTE* pbEn + runLength = (*pbOrderHdr) & g_MaskRegularRunLength; + if (runLength == 0) + { +- if (!buffer_within_range(pbOrderHdr, 1, pbEnd)) ++ if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) + { + *advance = 0; + return 0; +@@ -284,7 +284,7 @@ static UINT ExtractRunLengthMegaMega(const BYTE* pbOrderHdr, const BYTE* pbEnd, + assert((pbEnd) && "Assert failed: pbEnd"); + assert((advance) && "Assert failed: advance"); + +- if (!buffer_within_range(pbOrderHdr, 2, pbEnd)) ++ if (!buffer_within_range(pbOrderHdr, 3, pbEnd)) + { + *advance = 0; + return 0; diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 85d24428d4..1ad67b0a3c 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -37,6 +37,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-32458.patch \ file://CVE-2024-32459.patch \ file://CVE-2024-32460.patch \ + file://CVE-2024-32658.patch \ " S = "${WORKDIR}/git"