File freerdp-CVE-2026-23732.patch of Package freerdp.42881

From 3bc1eeb4f63ceec9a696af194e4c1ea0e67ff60c Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Fri, 16 Jan 2026 12:00:15 +0100
Subject: [PATCH] [codec,color] add freerdp_glyph_convert_ex

The function freerdp_glyph_convert does not check the input buffer length;
deprecate it and provide a replacement that checks it properly.
---
 include/freerdp/codec/color.h | 23 +++++++++++++++++++++--
 libfreerdp/codec/color.c      | 21 ++++++++++++++++++++-
 2 files changed, 41 insertions(+), 3 deletions(-)

Index: FreeRDP-2.4.0/include/freerdp/codec/color.h
===================================================================
--- FreeRDP-2.4.0.orig/include/freerdp/codec/color.h
+++ FreeRDP-2.4.0/include/freerdp/codec/color.h
@@ -879,6 +879,20 @@ extern "C"
 
 	/***
 	 *
+	 * @param width    width to copy in pixels
+	 * @param height   height to copy in pixels
+	 * @param data     source buffer, must be (nWidth + 7) / 8 bytes long
+	 * @param len      the length of \ref data in bytes
+	 *
+	 * @return          A buffer allocated with winpr_aligned_malloc(width * height, 16)
+	 *                  if successful, NULL otherwise.
+	 * @since version 3.21.0
+	 */
+	FREERDP_API BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height,
+	                                           const BYTE* data, size_t len);
+
+	/***
+	 *
 	 * @param pDstData  destination buffer
 	 * @param DstFormat destination buffer format
 	 * @param nDstStep  destination buffer stride (line in bytes) 0 for default
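Review bot: The `@param data` line documents the length of a single scanline, `(nWidth + 7) / 8`, and names a parameter that does not exist, while the implementation in color.c requires `((width + 7) / 8) * height` bytes. A caller sizing its buffer from this comment would pass a `len` that is too small for any glyph taller than one row, so I would write `@param data source buffer, must be at least ((width + 7) / 8) * height bytes long`. The `@return` and `@since` lines also describe the 3.x tree (`winpr_aligned_malloc`, `version 3.21.0`), whereas this backport targets FreeRDP-2.4.0 and allocates with `_aligned_malloc`. The comment should say which function releases the result in this branch, presumably `_aligned_free`.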
Index: FreeRDP-2.4.0/libfreerdp/codec/color.c
===================================================================
--- FreeRDP-2.4.0.orig/libfreerdp/codec/color.c
+++ FreeRDP-2.4.0/libfreerdp/codec/color.c
@@ -28,6 +28,7 @@
 #include <stdlib.h>
 
 #include <winpr/crt.h>
+#include <winpr/assert.h>
 
 #include <freerdp/log.h>
 #include <freerdp/freerdp.h>
@@ -45,17 +46,32 @@
 
 BYTE* freerdp_glyph_convert(UINT32 width, UINT32 height, const BYTE* data)
 {
+	const size_t scanline = (width + 7ull) / 8ull;
+	const size_t required = scanline * height;
+	return freerdp_glyph_convert_ex(width, height, data, required);
+}
+
+BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height, const BYTE* data,
+                               size_t len)
+{
 	UINT32 x, y;
 	const BYTE* srcp;
 	BYTE* dstp;
 	BYTE* dstData;
-	UINT32 scanline;
 	/*
 	 * converts a 1-bit-per-pixel glyph to a one-byte-per-pixel glyph:
 	 * this approach uses a little more memory, but provides faster
 	 * means of accessing individual pixels in blitting operations
 	 */
-	scanline = (width + 7) / 8;
+	const size_t scanline = (width + 7ull) / 8ull;
+	const size_t required = scanline * height;
+	if (len < required)
+		return NULL;
+
+	if ((len == 0) || (width == 0) || (height == 0))
+		return NULL;
+
+	WINPR_ASSERT(data);
 	dstData = (BYTE*)_aligned_malloc(width * height * 1ULL, 16);
 
 	if (!dstData)
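Review bot: `freerdp_glyph_convert` computes `required` from `width` and `height` and passes it as `len`, so for any caller still using the old entry point the `len < required` check can never fail and `data` is read without knowing its real size. The protection only applies once callers (outside this patch) move to `freerdp_glyph_convert_ex` with the true buffer length, and no deprecation marker is visible here to steer them. Separately, in the unchanged allocation `width * height * 1ULL` the product `width * height` is evaluated in 32 bits before widening, so large dimensions can wrap and under-allocate relative to what the conversion loop (outside the hunk) presumably writes; `1ULL * width * height` fixes the evaluation order. `WINPR_ASSERT(data)` may compile to nothing depending on build configuration, so `if (!data) return NULL;` would be the safer guard. The body of `freerdp_glyph_convert_ex` continues past the end of this hunk.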