From a9e0abf2eac8c2e370fa155bf1abb9d044c0ca8a Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Tue, 3 Mar 2026 13:58:09 +0100
Subject: [PATCH] [core,orders] improve input validation

check length before subtracting. Might underflow and be cought by the
next check, but lets be strict.
---
 libfreerdp/core/orders.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 327baae6a89c..21eb79d0e50c 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -2354,6 +2354,8 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
 				goto fail;
 
 			Stream_Read(s, bitmapComprHdr, 8); /* bitmapComprHdr (8 bytes) */
+			if (cache_bitmap->bitmapLength < 8)
+				goto fail;
 			cache_bitmap->bitmapLength -= 8;
 		}
 	}