freerdp3: fix CVE-2026-29775

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-09 19:09:12 +12:00
parent 2d96f24f2d
commit 1bc75cd389
2 changed files with 31 additions and 0 deletions
@@ -0,0 +1,30 @@
+From e4bfcb3197787e7af4246366b643c16de99f56a2 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Sat, 28 Feb 2026 11:38:55 +0100
+Subject: [PATCH] [cache,bitmap] overallocate bitmap cache
+
+(cherry picked from commit ffad58fd2b329efd81a3239e9d7e3c927b8e503f)
+
+CVE: CVE-2026-29775
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libfreerdp/cache/bitmap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/cache/bitmap.c b/libfreerdp/cache/bitmap.c
+index dd5ae1d71..0d694dd3f 100644
+--- a/libfreerdp/cache/bitmap.c
+++ b/libfreerdp/cache/bitmap.c
+@@ -364,7 +364,10 @@ rdpBitmapCache* bitmap_cache_new(rdpContext* context)
+ 	const UINT32 BitmapCacheV2NumCells =
+ 	    freerdp_settings_get_uint32(settings, FreeRDP_BitmapCacheV2NumCells);
+ 	bitmapCache->context = context;
+-	bitmapCache->cells = (BITMAP_V2_CELL*)calloc(BitmapCacheV2NumCells, sizeof(BITMAP_V2_CELL));
+
+	/* overallocate by 1. older RDP servers do send a off by 1 cache index. */
+	bitmapCache->cells =
+	    (BITMAP_V2_CELL*)calloc(BitmapCacheV2NumCells + 1ull, sizeof(BITMAP_V2_CELL));
+ 
+ 	if (!bitmapCache->cells)
+ 		goto fail;
@@ -32,6 +32,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
           file://CVE-2026-24682.patch \
           file://CVE-2026-24683.patch \
           file://CVE-2026-29774.patch \
+           file://CVE-2026-29775.patch \
           "

 S = "${WORKDIR}/git"