File freerdp-CVE-2026-31806.patch of Package freerdp.43418
From 83d9aedea278a74af3e490ff5eeb889c016dbb2b Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 9 Mar 2026 08:11:19 +0100
Subject: [PATCH] [codec,nsc] limit copy area in nsc_process_message

the rectangle decoded might not fit into the destination buffer. Limit width and height of the area to copy to the one fitting.
---
 libfreerdp/codec/nsc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
Index: freerdp-2.11.7/libfreerdp/codec/nsc.c
===================================================================
--- freerdp-2.11.7.orig/libfreerdp/codec/nsc.c
+++ freerdp-2.11.7/libfreerdp/codec/nsc.c
@@ -515,7 +515,15 @@ BOOL nsc_process_message(NSC_CONTEXT* co
 return FALSE;
 }
- if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, width, height,
+ uint32_t cwidth = width;
+ if (1ull * nXDst + width > nWidth)
+ cwidth = nWidth - nXDst;
+
+ uint32_t cheight = height;
+ if (1ull * nYDst + height > nHeight)
+ cheight = nHeight - nYDst;
+
+ if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth, cheight,
 context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0, 0, NULL, flip))
 return FALSE;
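Review bot: The two added clamps do not cover a destination origin that already lies outside the buffer. When nXDst > nWidth (or nYDst > nHeight), `cwidth = nWidth - nXDst` still runs and, if these are unsigned 32-bit values as the `1ull *` widening suggests, wraps to a very large width instead of shrinking the copy. A guard ahead of the clamps would close that, e.g. `if (nXDst >= nWidth || nYDst >= nHeight) return FALSE;`, or an early success return if an empty copy is the preferred outcome. nsc_process_message begins well before this hunk, so an earlier range check on nXDst/nYDst may already exist; if it does, a one-line comment on the clamp saying so would help the next reader.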