File freerdp-CVE-2026-26955.patch of Package freerdp.43418
From 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 16 Feb 2026 19:56:55 +0100
Subject: [PATCH] [codec,clear] fix destination checks
check against the correct nDstWidth/nDstHeight
---
libfreerdp/codec/clear.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
Index: freerdp-2.11.7/libfreerdp/codec/clear.c
===================================================================
--- freerdp-2.11.7.orig/libfreerdp/codec/clear.c
+++ freerdp-2.11.7/libfreerdp/codec/clear.c
@@ -471,9 +471,6 @@ static BOOL clear_decompress_subcodecs_d
while (suboffset < subcodecByteCount)
{
- UINT32 nXDstRel;
- UINT32 nYDstRel;
-
if (Stream_GetRemainingLength(s) < 13)
{
WLog_ERR(TAG, "stream short %" PRIuz " [13 expected]", Stream_GetRemainingLength(s));
@@ -495,8 +492,20 @@ static BOOL clear_decompress_subcodecs_d
return FALSE;
}
- nXDstRel = nXDst + xStart;
- nYDstRel = nYDst + yStart;
+ const UINT32 nXDstRel = nXDst + xStart;
+ const UINT32 nYDstRel = nYDst + yStart;
+ if (1ull * nXDstRel + width > nDstWidth)
+ {
+ WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "",
+ nXDstRel, width, nDstWidth);
+ FALSE;
+ }
+ if (1ull * nYDstRel + height > nDstHeight)
+ {
+ WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "",
+ nYDstRel, height, nDstHeight);
+ return FALSE;
+ }
if (width > nWidth)
{
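Review bot: The new X-bound check logs the violation but never leaves the function, because its body ends in a bare `FALSE;` expression statement where the Y-bound check below has `return FALSE;`. A tile with `nXDstRel + width > nDstWidth` therefore still reaches the code after the check; the line should read `return FALSE;`. Building with `-Wunused-value` would likely flag a statement like this. Separately, `nXDst + xStart` is stored in a `UINT32` before the `1ull *` widening, so a wrap in that sum would be invisible to the comparison; `1ull * nXDst + xStart + width > nDstWidth` removes the dependence on how large `nXDst` can be. The enclosing loop body starts and ends outside this hunk.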
@@ -1051,6 +1060,18 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl
if ((nWidth > 0xFFFF) || (nHeight > 0xFFFF))
return -1004;
+ if (nXDst > nDstWidth)
+ {
+ WLog_WARN(TAG, "nXDst %" PRIu32 " > nDstWidth %" PRIu32, nXDst, nDstWidth);
+ return -1005;
+ }
+
+ if (nYDst > nDstHeight)
+ {
+ WLog_WARN(TAG, "nYDst %" PRIu32 " > nDstHeight %" PRIu32, nYDst, nDstHeight);
+ return -1006;
+ }
+
s = Stream_New((BYTE*)pSrcData, SrcSize);
if (!s)
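Review bot: The two added guards validate only the origin of the destination rectangle (`nXDst > nDstWidth`, `nYDst > nDstHeight`), not its extent, and with `>` an origin exactly on the edge is accepted. Nothing visible in this hunk bounds `nXDst + nWidth` or `nYDst + nHeight`, so the decode paths that follow depend on each doing its own check, as the subcodec loop now does. If callers are never expected to pass a rectangle that extends past the surface, checking the extent here, for example `if (1ull * nXDst + nWidth > nDstWidth)`, would reject it once up front. As a point of style, these guards log with `WLog_WARN` while the equivalent subcodec checks use `WLog_ERR`. The body of `clear_decompress` continues outside the hunk.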