From 73ae0a80348417d534f179c305094597b7d1a4e9 Mon Sep 17 00:00:00 2001
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Date: Thu, 9 Apr 2026 19:09:14 +1200
Subject: [PATCH] freerdp3: fix CVE-2026-31806

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
---
 .../freerdp/freerdp3/CVE-2026-31806.patch     | 36 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-31806.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-31806.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-31806.patch
new file mode 100644
index 0000000000..112a924d83
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-31806.patch
@@ -0,0 +1,36 @@
+From 9bf461ad116d081134adf37da9d6faa9459d1ad6 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 9 Mar 2026 08:11:19 +0100
+Subject: [PATCH] [codec,nsc] limit copy area in nsc_process_message
+
+the rectangle decoded might not fit into the destination buffer. Limit
+width and height of the area to copy to the one fitting.
+
+CVE: CVE-2026-31806
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/83d9aedea278a74af3e490ff5eeb889c016dbb2b]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libfreerdp/codec/nsc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c
+index c2d92e48c..1cee9918d 100644
+--- a/libfreerdp/codec/nsc.c
++++ b/libfreerdp/codec/nsc.c
+@@ -494,7 +494,15 @@ BOOL nsc_process_message(NSC_CONTEXT* context, UINT16 bpp, UINT32 width, UINT32
+ 			return FALSE;
+ 	}
+ 
+-	if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, width, height,
++	uint32_t cwidth = width;
++	if (1ull * nXDst + width > nWidth)
++		cwidth = nWidth - nXDst;
++
++	uint32_t cheight = height;
++	if (1ull * nYDst + height > nHeight)
++		cheight = nHeight - nYDst;
++
++	if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth, cheight,
+ 	                        context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0, 0, NULL, flip))
+ 		return FALSE;
+ 
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index 74f80ee948..66cc3305e8 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-29774.patch \
            file://CVE-2026-29775.patch \
            file://CVE-2026-29776.patch \
+           file://CVE-2026-31806.patch \
            "
 
 S = "${WORKDIR}/git"