File freerdp-CVE-2026-23534.patch of Package freerdp2

From f8688b57f6cfad9a0b05475a6afbde355ffab720 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 15 Jan 2026 12:19:53 +0100
Subject: [PATCH] [codec,clear] fix off by one length check

---
 libfreerdp/codec/clear.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: freerdp-2.11.7/libfreerdp/codec/clear.c
===================================================================
--- freerdp-2.11.7.orig/libfreerdp/codec/clear.c
+++ freerdp-2.11.7/libfreerdp/codec/clear.c
@@ -883,11 +883,13 @@ static BOOL clear_decompress_bands_data(
 				if (count > nHeight)
 					count = nHeight;
 
-				if (nXDstRel + i > nDstWidth)
+				if (nXDstRel + i >= nDstWidth)
 					return FALSE;
 
 				for (UINT32 y = 0; y < count; y++)
 				{
+					if (nYDstRel + y >= nDstHeight)
+						return FALSE;
 					BYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) +
 					                             ((nXDstRel + i) * GetBytesPerPixel(DstFormat))];
 					UINT32 color = ReadColor(cpSrcPixel, clear->format);