From 7b9af434e1886f01a2af12da6ce24f2461dd5ade Mon Sep 17 00:00:00 2001
From: xinlongchen
Date: Wed, 15 Apr 2026 16:08:21 +0800
Subject: [PATCH] fix CVE-2026-23533
---
 ...clear-fix-clear_resize_buffer-checks.patch | 62 +++++++++++++++++++
 freerdp.spec | 7 ++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 codec-clear-fix-clear_resize_buffer-checks.patch
diff --git a/codec-clear-fix-clear_resize_buffer-checks.patch b/codec-clear-fix-clear_resize_buffer-checks.patch
new file mode 100644
index 0000000..45e2d25
--- /dev/null
+++ b/codec-clear-fix-clear_resize_buffer-checks.patch
@@ -0,0 +1,62 @@
+From 00a593f9eda67212539e4dcac68ea5a699eb3e93 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Thu, 22 Jan 2026 12:48:37 +0100
+Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks
+
+Backport of commit c4391827d7facfc874ca7f61a92afb82232a5748.
+
+Co-Authored-By: Claude
+---
+ libfreerdp/codec/clear.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index e38fa0dcf..299acef2e 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -62,7 +62,7 @@ struct _CLEAR_CONTEXT
+ NSC_CONTEXT* nsc;
+ UINT32 seqNumber;
+ BYTE* TempBuffer;
+- UINT32 TempSize;
++ size_t TempSize;
+ UINT32 nTempStep;
+ UINT32 TempFormat;
+ UINT32 format;
+@@ -313,24 +313,25 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
+
+ static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)
+ {
+- UINT32 size;
+-
+ if (!clear)
+ return FALSE;
+
+- size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));
++ const UINT64 size = 1ull * (width + 16ull) * (height + 16ull);
++ const size_t bpp = GetBytesPerPixel(clear->format);
++ if (size > UINT32_MAX / bpp)
++ return FALSE;
+
+- if (size > clear->TempSize)
++ if (size > clear->TempSize / bpp)
+ {
+- BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size);
++ BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp);
+
+ if (!tmp)
+ {
+- WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu32 " bytes", size);
++ WLog_ERR(TAG, "clear->TempBuffer realloc failed for %" PRIu64 " bytes", size);
+ return FALSE;
+ }
+
+- clear->TempSize = size;
++ clear->TempSize = size * bpp;
+ clear->TempBuffer = tmp;
+ }
+
+--
+2.52.0
+
+
diff --git a/freerdp.spec b/freerdp.spec
index 2613e49..d98eb81 100644
--- a/freerdp.spec
+++ b/freerdp.spec
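Review bot: In the new `clear_resize_buffer`, `UINT32_MAX / bpp` and `clear->TempSize / bpp` divide by the result of `GetBytesPerPixel(clear->format)` with no zero check; if that helper can return 0 for an unset or unrecognised format (its definition is not in this hunk), both are a division by zero on the decode path. A guard before the first division, `if (bpp == 0) return FALSE;`, would make the bounds check self-contained. The `WLog_ERR` call also still labels the value as bytes while `size` is now the pixel count, so passing `size * bpp` keeps the log accurate. The function's tail lies outside the hunk.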
@@ -17,7 +17,7 @@ Summary: Free implementation of the Remote Desktop Protocol (RDP) Name: freerdp Version: 2.11.6 -Release: 11%{?dist} +Release: 12%{?dist} License: ASL 2.0 URL: http://www.freerdp.com/ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/%{name}-%{version}.tar.gz @@ -28,6 +28,7 @@ Patch0004: 0001-fix-CVE-2026-23530-CVE-2026-23531-CVE-2026-23532-CVE.patch Patch0005: 0001-fix-CVE-2026-23883.patch Patch0006: 0001-fix-CVE-2026-26955-CVE-2026-26965.patch Patch0007: freerdp-2.11.6-nsc-limit-copy-area.patch +Patch0008: codec-clear-fix-clear_resize_buffer-checks.patch BuildRequires: gcc gcc-c++ alsa-lib-devel cmake cups-devel gsm-devel lame-devel libicu-devel libjpeg-turbo-devel BuildRequires: libX11-devel libXcursor-devel libXdamage-devel libXext-devel libXi-devel libXinerama-devel @@ -227,6 +228,10 @@ find %{buildroot} -name "*.a" -delete %{_libdir}/pkgconfig/winpr-tools2.pc %changelog +* Wed Apr 15 2026 Xinlong Chen - 2.11.6-12 +- [Type] security +- [DESC] fix CVE-2026-23533 + * Mon Mar 16 2026 Xinlong Chen - 2.11.6-11 - Fix out-of-bounds write in nsc_process_message -- Gitee