File freerdp-CVE-2026-24491.patch of Package freerdp2

From e02e052f6692550e539d10f99de9c35a23492db2 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 26 Jan 2026 10:06:29 +0100
Subject: [PATCH] [channels,drdynvc] reset channel_callback before close

The channel_callback usually frees up the memory of the callback. To
ensure that there is no access to any of the data structures in it
invalidate the pointer used to access it before a free.
---
 channels/drdynvc/client/drdynvc_main.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff -rup freerdp-2.11.7.orig/channels/drdynvc/client/drdynvc_main.c freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c
--- freerdp-2.11.7.orig/channels/drdynvc/client/drdynvc_main.c	2024-04-22 04:26:59.000000000 -0500
+++ freerdp-2.11.7/channels/drdynvc/client/drdynvc_main.c	2026-02-18 13:43:43.788110262 -0600
@@ -346,10 +346,11 @@ static void dvcman_channel_free(void* ar
 
 	if (channel)
 	{
-		if (channel->channel_callback)
+ 		IWTSVirtualChannelCallback* cb = channel->channel_callback;
+		channel->channel_callback = NULL;
+		if (cb)
 		{
-			IFCALL(channel->channel_callback->OnClose, channel->channel_callback);
-			channel->channel_callback = NULL;
+			IFCALL(channel->channel_callback->OnClose, cb);
 		}
 
 		if (channel->status == CHANNEL_RC_OK)
@@ -573,7 +574,6 @@ static UINT dvcman_open_channel(drdynvcP
                                 UINT32 ChannelId)
 {
 	DVCMAN_CHANNEL* channel;
-	IWTSVirtualChannelCallback* pCallback;
 	UINT error;
 	channel = (DVCMAN_CHANNEL*)dvcman_find_channel_by_id(pChannelMgr, ChannelId);
 
@@ -585,7 +585,7 @@ static UINT dvcman_open_channel(drdynvcP
 
 	if (channel->status == CHANNEL_RC_OK)
 	{
-		pCallback = channel->channel_callback;
+		IWTSVirtualChannelCallback* pCallback = channel->channel_callback;
 
 		if (pCallback->OnOpen)
 		{