File freerdp-CVE-2026-26965.patch of Package freerdp.43418

From a0be5cb87d760bb1c803ad1bb835aa1e73e62abc Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 16 Feb 2026 09:45:58 +0100
Subject: [PATCH] [codec,planar] fix missing destination bounds checks

---
 libfreerdp/codec/planar.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

Index: freerdp-2.11.7/libfreerdp/codec/planar.c
===================================================================
--- freerdp-2.11.7.orig/libfreerdp/codec/planar.c
+++ freerdp-2.11.7/libfreerdp/codec/planar.c
@@ -621,8 +621,10 @@ BOOL planar_decompress(BITMAP_PLANAR_CON
 	if (planar->maxHeight < nSrcHeight)
 		return FALSE;
 
+    const UINT32 bpp = GetBytesPerPixel(DstFormat);
+
 	if (nDstStep <= 0)
-		nDstStep = nDstWidth * GetBytesPerPixel(DstFormat);
+		nDstStep = nDstWidth * bpp;
 
 	srcp = pSrcData;
 
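Review bot: The added `bpp` declaration is indented with four spaces while every neighbouring line in this hunk uses a tab, so it should be re-indented to match the file. Because `bpp` is declared here but consumed again about two hundred lines further down by the new stride check, a short comment such as `/* bytes per destination pixel, also used by the RLE bounds check below */` would keep that link visible. planar_decompress starts and ends outside the hunk.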
@@ -831,6 +833,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CON
 		}
 		else /* RLE */
 		{
+			if (nYDst + nSrcHeight > nTotalHeight)
+			{
+				WLog_ERR(TAG,
+				         "planar plane destination Y %" PRIu32 " + height %" PRIu32
+				         " exceeds totalHeight %" PRIu32,
+				         nYDst, nSrcHeight, nTotalHeight);
+				return FALSE;
+			}
+
+			if ((nXDst + nSrcWidth) * bpp > nDstStep)
+			{
+				WLog_ERR(TAG,
+				         "planar plane destination (X %" PRIu32 " + width %" PRIu32
+				         ") * bpp %" PRIu32 " exceeds stride %" PRIu32,
+				         nXDst, nSrcWidth, bpp, nDstStep);
+				return FALSE;
+			}
+
 			status =
 			    planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst,
 			                                nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */
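Review bot: Both new guards in the RLE branch compute their left-hand side in 32-bit arithmetic, so `nYDst + nSrcHeight` and `(nXDst + nSrcWidth) * bpp` can wrap and slip under the limit when an operand is very large (the `PRIu32` format strings suggest all of them are UINT32). A form that cannot wrap avoids this: `if ((nYDst > nTotalHeight) || (nSrcHeight > nTotalHeight - nYDst))` and `if (((UINT64)nXDst + nSrcWidth) * bpp > nDstStep)`. The stride guard also compares against `nDstStep`, while the call right below passes `pTempData` with `nTempStep`. Where those two are set is outside the hunk, so if they can differ the guard should probably test the stride that is actually handed to `planar_decompress_plane_rle`. The rest of the function, including the non-RLE arm and the definition of `nTotalHeight`, is not visible here.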