From 1b6fb6fd41f33602b19fbae7a425c6d9db6e2280 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 16 Dec 2024 08:19:57 +0100
Subject: [PATCH 1/4] [core,settings] fix initialization of ComputerName
---
 libfreerdp/core/settings.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
index 0ee70cc50..b397b32b6 100644
--- a/libfreerdp/core/settings.c
+++ b/libfreerdp/core/settings.c
@@ -326,7 +326,9 @@ static BOOL settings_init_computer_name(rdpSettings* settings)
 if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize))
 return FALSE;
- return freerdp_settings_set_string(settings, FreeRDP_ComputerName, computerName);
+ if (!freerdp_settings_set_string(settings, FreeRDP_ComputerName, computerName))
+ return FALSE;
+ return freerdp_settings_set_string(settings, FreeRDP_ClientHostname, computerName);
 }
 void freerdp_settings_print_warnings(const rdpSettings* settings)
From cf4ff90e162d593a4e2a233ea3cefab14ffc6bfd Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 16 Dec 2024 10:42:20 +0100
Subject: [PATCH 2/4] [rdtk] fix rdtk_font_load_descriptor
* ensure string is '\0' terminated
* ensure allocated string is freed in all paths
---
 rdtk/librdtk/rdtk_font.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/rdtk/librdtk/rdtk_font.c b/rdtk/librdtk/rdtk_font.c
index 1774ae4ff..fdcc19bd3 100644
--- a/rdtk/librdtk/rdtk_font.c
+++ b/rdtk/librdtk/rdtk_font.c
@@ -146,6 +146,7 @@ int rdtk_font_text_draw_size(rdtkFont* font, uint16_t* width, uint16_t* height,
 return 1;
 }
+WINPR_ATTR_MALLOC(free, 1)
 static char* rdtk_font_load_descriptor_file(const char* filename, size_t* pSize)
 {
 WINPR_ASSERT(filename);
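Review bot: In `settings_init_computer_name` (libfreerdp/core/settings.c) the added second call also seeds `FreeRDP_ClientHostname` from the local NetBIOS name, which the subject line ("fix initialization of ComputerName") does not mention and the code does not explain. I would add a comment above it, for example `/* default ClientHostname to the local NetBIOS name as well */`, and, if this setting is what the client announces to the peer (presumably, not visible here), say so, because it means the machine name leaves the host by default. If the second call fails the function returns FALSE with `FreeRDP_ComputerName` already set, which is acceptable only if callers treat FALSE as fatal. The function body starts outside the hunk, so the size of `computerName` and the initial value of `nSize` cannot be checked from here.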
@@ -170,7 +171,7 @@ static char* rdtk_font_load_descriptor_file(const char* filename, size_t* pSize)
 if (fileSize.i64 < 1)
 goto fail;
- uint8_t* buffer = (uint8_t*)malloc(fileSize.s + 2);
+ char* buffer = (char*)calloc(fileSize.s + 4, sizeof(char));
 if (!buffer)
 goto fail;
@@ -193,7 +194,7 @@ static char* rdtk_font_load_descriptor_file(const char* filename, size_t* pSize)
 buffer[fileSize.s] = '\0';
 buffer[fileSize.s + 1] = '\0';
 *pSize = fileSize.s;
- return (char*)buffer;
+ return buffer;
 fail:
 (void)fclose(fp);
@@ -238,16 +239,12 @@ static int rdtk_font_convert_descriptor_code_to_utf8(const char* str, uint8_t* u
 return 1;
 }
-static int rdtk_font_parse_descriptor_buffer(rdtkFont* font, const char* sbuffer, size_t size)
+static int rdtk_font_parse_descriptor_buffer(rdtkFont* font, char* buffer, size_t size)
 {
 int rc = -1;
 WINPR_ASSERT(font);
- char* buffer = strndup(sbuffer, size);
- if (!buffer)
- goto fail;
-
 const char xmlversion[] = "";
 const char xmlfont[] = "
Date: Mon, 16 Dec 2024 10:36:41 +0100
Subject: [PATCH 3/4] [core,gateway] fix range check in rpc_client_write
---
 libfreerdp/core/gateway/rpc_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/core/gateway/rpc_client.c b/libfreerdp/core/gateway/rpc_client.c
index 28e56e6d8..eede64677 100644
--- a/libfreerdp/core/gateway/rpc_client.c
+++ b/libfreerdp/core/gateway/rpc_client.c
@@ -1096,9 +1096,9 @@ BOOL rpc_client_write_call(rdpRpc* rpc, wStream* s, UINT16 opnum)
 request_pdu.auth_verifier.auth_context_id = 0x00000000;
 offset += (8 + request_pdu.header.auth_length);
- if (offset > UINT32_MAX)
+ if (offset > UINT16_MAX)
 goto fail;
- request_pdu.header.frag_length = (UINT32)offset;
+ request_pdu.header.frag_length = (UINT16)offset;
 buffer = (BYTE*)calloc(1, request_pdu.header.frag_length);
 if (!buffer)
From df129070994044ab36d565cdbe81f32225642775 Mon Sep 17 00:00:00 2001
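Review bot: In `rdtk_font_load_descriptor_file` (hunk `@@ -170,7 +171,7 @@`) the size `fileSize.s + 4` is computed before `calloc` sees it, so calloc's own overflow check does not cover the addition, and the only bound visible in the hunk is `fileSize.i64 < 1`. If `fileSize` is a union of a 64-bit member and a `size_t` member (its declaration is outside the hunk), a descriptor file larger than `SIZE_MAX - 4` bytes would produce an undersized buffer on 32-bit builds; I would extend the guard to `if ((fileSize.i64 < 1) || ((uint64_t)fileSize.i64 > SIZE_MAX - 4)) goto fail;`. The `+ 4` also deserves a short comment, since the following hunk (`@@ -193,7 +194,7 @@`) writes only two terminators at `[fileSize.s]` and `[fileSize.s + 1]`, and with `calloc` those two stores are already redundant.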
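Review bot: In `rpc_client_write_call` (libfreerdp/core/gateway/rpc_client.c) the new `offset > UINT16_MAX` bound is right only because `frag_length` is 16 bits wide, and nothing at the check says so; the replaced `UINT32_MAX` comparison shows how easily the constant and the cast drift away from the field width. I would add a comment above the check such as `/* frag_length is a 16-bit field and sizes the buffer allocated below: reject, never truncate */`. The failure path is a bare `goto fail`, so an oversized call is dropped without any diagnostic; a log line carrying the rejected length would help whoever has to investigate it. The declaration of `offset` and the `fail` label are outside the hunk, so this assumes `offset` is wider than 16 bits and that `fail` releases whatever was acquired earlier.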
From: akallabeth
Date: Mon, 16 Dec 2024 10:38:43 +0100
Subject: [PATCH 4/4] [client,common] fix leak in client_cli_get_rdsaad_access_token
---
 client/common/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/common/client.c b/client/common/client.c
index 3036e97cf..1002049ed 100644
--- a/client/common/client.c
+++ b/client/common/client.c
@@ -1056,7 +1056,7 @@ static BOOL client_cli_get_rdsaad_access_token(freerdp* instance, const char* sc
 printf("Paste redirect URL here: \n");
 if (freerdp_interruptible_get_line(instance->context, &url, &size, stdin) < 0)
- return FALSE;
+ goto cleanup;
 char* code = extract_authorization_code(url);
 if (!code)
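Review bot: In `client_cli_get_rdsaad_access_token` the new `goto cleanup` jumps over the initialisation of `char* code`, declared two lines later, so `code` is indeterminate at the label; that is harmless only as long as the cleanup code never reads or frees it. The `cleanup` label and the function's other locals are outside the hunk, so this cannot be confirmed from here. Declaring `char* code = NULL;` with the other locals and changing the later line to `code = extract_authorization_code(url);` would make the jump safe regardless of what cleanup does. It is also worth confirming that the result variable returned after `cleanup` still holds FALSE on this path.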