freerdp3: fix CVE-2026-25941

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-09 19:08:59 +12:00
parent 7cc6fe87bc
commit 421f659e20
2 changed files with 29 additions and 0 deletions
@@ -0,0 +1,28 @@
+From 52f2ae7b2377efc80abb742e452a8565372fd29e Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 9 Feb 2026 13:18:51 +0100
+Subject: [PATCH] [channels,rdpgfx] check available stream length
+
+(cherry picked from commit 2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2)
+
+CVE: CVE-2026-25941
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ channels/rdpgfx/client/rdpgfx_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/channels/rdpgfx/client/rdpgfx_main.c b/channels/rdpgfx/client/rdpgfx_main.c
+index dd59c8b23..c08436b40 100644
+--- a/channels/rdpgfx/client/rdpgfx_main.c
+++ b/channels/rdpgfx/client/rdpgfx_main.c
+@@ -1371,7 +1371,8 @@ static UINT rdpgfx_recv_wire_to_surface_2_pdu(GENERIC_CHANNEL_CALLBACK* callback
+ 	Stream_Read_UINT8(s, pdu.pixelFormat);       /* pixelFormat (1 byte) */
+ 	Stream_Read_UINT32(s, pdu.bitmapDataLength); /* bitmapDataLength (4 bytes) */
+ 	pdu.bitmapData = Stream_Pointer(s);
+-	Stream_Seek(s, pdu.bitmapDataLength);
+	if (!Stream_SafeSeek(s, pdu.bitmapDataLength))
+		return ERROR_INVALID_DATA;
+ 
+ 	DEBUG_RDPGFX(gfx->log,
+ 	             "RecvWireToSurface2Pdu: surfaceId: %" PRIu16 " codecId: %s (0x%04" PRIX16 ") "
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
           file://CVE-2024-32661.patch \
           file://CVE-2024-32662.patch \
           file://CVE-2025-4478.patch \
+           file://CVE-2026-25941.patch \
           "

 S = "${WORKDIR}/git"