File freerdp-CVE-2026-23883.patch of Package freerdp.42881

From 0421b53fcb4a80c95f51342e4a2c40c68a4101d3 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 19 Jan 2026 08:52:51 +0100
Subject: [PATCH] [client,x11] fix double free in case of invalid pointer

---
 client/X11/xf_graphics.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Index: FreeRDP-2.4.0/client/X11/xf_graphics.c
===================================================================
--- FreeRDP-2.4.0.orig/client/X11/xf_graphics.c
+++ FreeRDP-2.4.0/client/X11/xf_graphics.c
@@ -376,7 +376,6 @@ static BOOL xf_Pointer_New(rdpContext* c
 {
 #ifdef WITH_XCURSOR
 	UINT32 CursorFormat;
-	size_t size;
 	xfContext* xfc = (xfContext*)context;
 	xfPointer* xpointer = (xfPointer*)pointer;
 
@@ -391,19 +390,18 @@ static BOOL xf_Pointer_New(rdpContext* c
 	xpointer->nCursors = 0;
 	xpointer->mCursors = 0;
 
-	size = pointer->height * pointer->width * GetBytesPerPixel(CursorFormat) * 1ULL;
+	const size_t size =
+	    1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
 
-	if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16)))
+	xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16);
+	if (!xpointer->cursorPixels)
 		return FALSE;
 
 	if (!freerdp_image_copy_from_pointer_data(
 	        (BYTE*)xpointer->cursorPixels, CursorFormat, 0, 0, 0, pointer->width, pointer->height,
 	        pointer->xorMaskData, pointer->lengthXorMask, pointer->andMaskData,
 	        pointer->lengthAndMask, pointer->xorBpp, &context->gdi->palette))
-	{
-		_aligned_free(xpointer->cursorPixels);
 		return FALSE;
-	}
 
 	if (!_xf_Pointer_GetCursorForCurrentScale(context, pointer, &(xpointer->cursor)))
 		return FALSE;