From 1bc75cd389ec9af2634738fde315a8a888fa2750 Mon Sep 17 00:00:00 2001
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Date: Thu, 9 Apr 2026 19:09:12 +1200
Subject: [PATCH] freerdp3: fix CVE-2026-29775

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
---
 .../freerdp/freerdp3/CVE-2026-29775.patch     | 30 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29775.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29775.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29775.patch
new file mode 100644
index 0000000000..584481e330
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-29775.patch
@@ -0,0 +1,30 @@
+From e4bfcb3197787e7af4246366b643c16de99f56a2 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Sat, 28 Feb 2026 11:38:55 +0100
+Subject: [PATCH] [cache,bitmap] overallocate bitmap cache
+
+(cherry picked from commit ffad58fd2b329efd81a3239e9d7e3c927b8e503f)
+
+CVE: CVE-2026-29775
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libfreerdp/cache/bitmap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/cache/bitmap.c b/libfreerdp/cache/bitmap.c
+index dd5ae1d71..0d694dd3f 100644
+--- a/libfreerdp/cache/bitmap.c
++++ b/libfreerdp/cache/bitmap.c
+@@ -364,7 +364,10 @@ rdpBitmapCache* bitmap_cache_new(rdpContext* context)
+ 	const UINT32 BitmapCacheV2NumCells =
+ 	    freerdp_settings_get_uint32(settings, FreeRDP_BitmapCacheV2NumCells);
+ 	bitmapCache->context = context;
+-	bitmapCache->cells = (BITMAP_V2_CELL*)calloc(BitmapCacheV2NumCells, sizeof(BITMAP_V2_CELL));
++
++	/* overallocate by 1. older RDP servers do send a off by 1 cache index. */
++	bitmapCache->cells =
++	    (BITMAP_V2_CELL*)calloc(BitmapCacheV2NumCells + 1ull, sizeof(BITMAP_V2_CELL));
+ 
+ 	if (!bitmapCache->cells)
+ 		goto fail;
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index f92d824d66..e3d71ee854 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-24682.patch \
            file://CVE-2026-24683.patch \
            file://CVE-2026-29774.patch \
+           file://CVE-2026-29775.patch \
            "
 
 S = "${WORKDIR}/git"