freerdp3: fix CVE-2026-24680 and CVE-2026-27950

There was only SDL2 client until commit[1] created SDL2 and SDL3 clients
from version 3.6.0 onwards.
[1] https://github.com/FreeRDP/FreeRDP/commit/8281186a6d9dad20e8345d85a1732e2974636555

Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24680
https://nvd.nist.gov/vuln/detail/CVE-2026-27950

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24680_CVE-2026-27950.patch

@@ -0,0 +1,24 @@
+From a2e077bc8dea8a7d1b16b98f31b6f6fbc00c0c24 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:01:17 +0100
+Subject: [PATCH] [client,sdl] reset pointer after memory release
+
+CVE: CVE-2026-24680 CVE-2026-27950
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ client/SDL/sdl_pointer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/client/SDL/sdl_pointer.cpp b/client/SDL/sdl_pointer.cpp
+index ad8a4f316..a9203a20b 100644
+--- a/client/SDL/sdl_pointer.cpp
++++ b/client/SDL/sdl_pointer.cpp
+@@ -63,6 +63,7 @@ static BOOL sdl_Pointer_New(rdpContext* context, rdpPointer* pointer)
+ 	        &context->gdi->palette))
+ 	{
+ 		winpr_aligned_free(ptr->data);
++		ptr->data = nullptr;
+ 		return FALSE;
+ 	}
+ 

meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb

@@ -27,6 +27,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-24675.patch \
            file://CVE-2026-24676.patch \
            file://CVE-2026-24679.patch \
+           file://CVE-2026-24680_CVE-2026-27950.patch \
            "
 
 S = "${WORKDIR}/git"