freerdp: patch CVE-2026-22855

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22855

The related Github advisory[1] describes the problem along with analyzing
where the vulnerability is in the codebase. I looked up the commit that
recently performed the changes from the analysis, and backported it.

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch

@@ -0,0 +1,83 @@
+From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 11 Jan 2026 09:03:57 +0100
+Subject: [PATCH] add length validity checks
+
+From: akallabeth <akallabeth@posteo.net>
+
+in smartcard_unpack_set_attrib_call input length validity checks were
+missing.
+
+CVE: CVE-2026-22855
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ channels/smartcard/client/smartcard_pack.c | 27 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
+index f70eb4e5d..c0673e066 100644
+--- a/channels/smartcard/client/smartcard_pack.c
++++ b/channels/smartcard/client/smartcard_pack.c
+@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
+ 	return TRUE;
+ }
+ 
+-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
+-                               ndr_ptr_t type)
++static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
++                               ndr_ptr_t type, size_t* plen)
+ {
+ 	size_t len, offset, len2;
+ 	void* r;
+@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+ 		return STATUS_BUFFER_TOO_SMALL;
+ 	}
+ 
++	if (plen)
++		*plen = 0;
++
+ 	switch (type)
+ 	{
+ 		case NDR_PTR_FULL:
+@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+ 	if (!r)
+ 		return SCARD_E_NO_MEMORY;
+ 	Stream_Read(s, r, len);
+-	smartcard_unpack_read_size_align(NULL, s, len, 4);
++	const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
++	len += (size_t)pad;
+ 	*data = r;
++	if (plen)
++		*plen = len;
+ 	return STATUS_SUCCESS;
+ }
+ 
++static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
++                               ndr_ptr_t type)
++{
++       return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
++}
++
+ static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
+ {
+ 	const UINT32 ndrPtr = 0x20000 + (*index) * 4;
+@@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
+ 
+ 	if (ndrPtr)
+ 	{
+-		// TODO: call->cbAttrLen was larger than the pointer value.
+-		// TODO: Maybe need to refine the checks?
+-		status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
++		size_t len = 0;
++		status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
+ 		if (status != SCARD_S_SUCCESS)
+ 			return status;
++		if (call->cbAttrLen > len)
++			call->cbAttrLen = (DWORD)(len);
+ 	}
++	else
++		call->cbAttrLen = 0;
+ 	smartcard_trace_set_attrib_call(smartcard, call);
+ 	return SCARD_S_SUCCESS;
+ }

meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb

@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
            file://CVE-2024-32661.patch \
            file://CVE-2026-22854.patch \
+           file://CVE-2026-22855.patch \
            "