File freerdp-CVE-2026-23533.patch of Package freerdp.42881

From c4391827d7facfc874ca7f61a92afb82232a5748 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 15 Jan 2026 12:11:57 +0100
Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks

---
 libfreerdp/codec/clear.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

Index: freerdp-2.11.7/libfreerdp/codec/clear.c
===================================================================
--- freerdp-2.11.7.orig/libfreerdp/codec/clear.c
+++ freerdp-2.11.7/libfreerdp/codec/clear.c
@@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT
 	NSC_CONTEXT* nsc;
 	UINT32 seqNumber;
 	BYTE* TempBuffer;
-	UINT32 TempSize;
+	size_t TempSize;
 	UINT32 nTempStep;
 	UINT32 TempFormat;
 	UINT32 format;
@@ -313,12 +313,17 @@ static BOOL clear_decompress_subcode_rle
 
 static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)
 {
-	UINT32 size;
+    UINT32 size;
+    const UINT64 area = 1ull * (width + 16ull) * (height + 16ull);
+    const UINT32 bpp = GetBytesPerPixel(clear->format);
 
-	if (!clear)
-		return FALSE;
+    if (!clear)
+        return FALSE;
+
+    if (area > UINT32_MAX / bpp)
+        return FALSE;
 
-	size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));
+   size = (UINT32)(area * bpp);
 
 	if (size > clear->TempSize)
 	{
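Review bot: In clear_resize_buffer the added initializer `const UINT32 bpp = GetBytesPerPixel(clear->format);` dereferences `clear` before the `if (!clear)` guard below it, so the NULL check no longer protects the access and an optimizing compiler may drop it. Move the `bpp` declaration below the guard, or declare it uninitialized and assign `bpp = GetBytesPerPixel(clear->format);` after `if (!clear) return FALSE;`. The overflow test also divides by `bpp`; GetBytesPerPixel is not visible here, but if it can return 0 for an unrecognised format this is a division by zero on decoder state, so `if (bpp == 0 || area > UINT32_MAX / bpp) return FALSE;` would be the safer guard. As a style point, the added lines are indented with spaces while the surrounding context uses tabs. The function body continues past the end of this hunk, so how `size` and the widened `TempSize` are used afterwards cannot be checked from here.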