Overview

File freerdp-CVE-2026-23883.patch of Package freerdp.42882

From 0421b53fcb4a80c95f51342e4a2c40c68a4101d3 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 19 Jan 2026 08:52:51 +0100
Subject: [PATCH] [client,x11] fix double free in case of invalid pointer

---
 client/X11/xf_graphics.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Index: freerdp-2.11.7/client/X11/xf_graphics.c
===================================================================
--- freerdp-2.11.7.orig/client/X11/xf_graphics.c
+++ freerdp-2.11.7/client/X11/xf_graphics.c
@@ -406,7 +406,6 @@ static BOOL xf_Pointer_New(rdpContext* c
 	BOOL rc = FALSE;
 #ifdef WITH_XCURSOR
 	UINT32 CursorFormat;
-	size_t size;
 	xfContext* xfc = (xfContext*)context;
 	xfPointer* xpointer = (xfPointer*)pointer;
 
@@ -421,19 +420,19 @@ static BOOL xf_Pointer_New(rdpContext* c
 	xpointer->nCursors = 0;
 	xpointer->mCursors = 0;
 
-	size = 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
+	const size_t size =
+	    1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
 
-	if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16)))
+	xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16);
+	if (!xpointer->cursorPixels)
 		goto fail;
 
 	if (!freerdp_image_copy_from_pointer_data(
 	        (BYTE*)xpointer->cursorPixels, CursorFormat, 0, 0, 0, pointer->width, pointer->height,
 	        pointer->xorMaskData, pointer->lengthXorMask, pointer->andMaskData,
 	        pointer->lengthAndMask, pointer->xorBpp, &context->gdi->palette))
-	{
-		_aligned_free(xpointer->cursorPixels);
-		return FALSE;
-	}
+        goto fail;
+
 	rc = TRUE;
 
 #endif
openSUSE Build Service is sponsored by
Places