From 10dc90cca76b0bdb409e9007bf5925d6f74791da Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Thu, 26 Feb 2026 13:37:24 +0100
Subject: [PATCH 1/2] [core,update] reset update->us immediately
---
 libfreerdp/core/update.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/update.c b/libfreerdp/core/update.c
index dfc0bf71c..b0e312a3b 100644
--- a/libfreerdp/core/update.c
+++ b/libfreerdp/core/update.c
@@ -1055,6 +1055,8 @@ static BOOL s_update_end_paint(rdpContext* context)
 return FALSE;
 wStream* s = update->us;
+ update->us = NULL;
+
 Stream_SealLength(s);
 Stream_SetPosition(s, update->offsetOrders);
 Stream_Write_UINT16(s, update->numberOrders); /* numberOrders (2 bytes) */
@@ -1070,7 +1072,7 @@ static BOOL s_update_end_paint(rdpContext* context)
 update->combineUpdates = FALSE;
 update->numberOrders = 0;
 update->offsetOrders = 0;
- update->us = NULL;
+
 rc = TRUE;
 fail:
 Stream_Free(s, TRUE);
From 699ffa9da178a837d46ab5068d151b4a0a855b2f Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Thu, 26 Feb 2026 13:36:08 +0100
Subject: [PATCH 2/2] [crypto,certificate] add sanity checks to certificate_new_x509_certificate_chain
Check provided data and abort early if the values are not matching the data received.
---
 libfreerdp/crypto/certificate.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/libfreerdp/crypto/certificate.c b/libfreerdp/crypto/certificate.c
index 44d0bd53f..751372fe2 100644
--- a/libfreerdp/crypto/certificate.c
+++ b/libfreerdp/crypto/certificate.c
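Review bot: In `s_update_end_paint` (libfreerdp/core/update.c) the remaining paint state is still cleared only on the success path: `update->combineUpdates = FALSE; update->numberOrders = 0; update->offsetOrders = 0;` sit above `fail:` in the second hunk, so a failure between the two hunks would leave `combineUpdates` and the order counters at their old values while `update->us` is already NULL. The statements that jump to `fail:` are outside both hunks, so this is inferred from the label alone; if such a path exists, moving those three assignments below `fail:` would reset the whole state on every exit. A short comment at the new assignment, e.g. `/* s now owns the stream; clear update->us so no exit path leaves it pointing at the stream freed at fail: */`, would record why the ordering matters.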
@@ -439,16 +439,28 @@ error:
 * @return new X.509 certificate chain
 */
-static rdpX509CertChain certificate_new_x509_certificate_chain(UINT32 count)
+static BOOL certificate_new_x509_certificate_chain(UINT32 count, wStream* s,
+ rdpX509CertChain* chain)
 {
+ WINPR_ASSERT(chain);
+
 rdpX509CertChain x509_cert_chain = WINPR_C_ARRAY_INIT;
+ *chain = x509_cert_chain;
+
+ if (!Stream_CheckAndLogRequiredCapacityOfSize(TAG, s, count, sizeof(rdpCertBlob)))
+ return FALSE;
+
+ if (count == 0)
+ return TRUE;
 x509_cert_chain.array = (rdpCertBlob*)calloc(count, sizeof(rdpCertBlob));
+ if (!x509_cert_chain.array)
+ return FALSE;
- if (x509_cert_chain.array)
- x509_cert_chain.count = count;
+ x509_cert_chain.count = count;
- return x509_cert_chain;
+ *chain = x509_cert_chain;
+ return TRUE;
 }
 /**
@@ -1039,7 +1051,8 @@ static BOOL certificate_read_server_x509_certificate_chain(rdpCertificate* cert,
 Stream_Read_UINT32(s, numCertBlobs); /* numCertBlobs */
 certificate_free_x509_certificate_chain(&cert->x509_cert_chain);
- cert->x509_cert_chain = certificate_new_x509_certificate_chain(numCertBlobs);
+ if (!certificate_new_x509_certificate_chain(numCertBlobs, s, &cert->x509_cert_chain))
+ return FALSE;
 for (UINT32 i = 0; i < cert->x509_cert_chain.count; i++)
 {
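Review bot: The capacity check in `certificate_new_x509_certificate_chain` multiplies `count` by `sizeof(rdpCertBlob)`, which is the size of the in-memory struct (its layout is not visible here) rather than the encoded size of a blob, so the largest accepted `numCertBlobs` depends on the build's struct layout. As a cap on the `calloc` it looks sound, since the allocation uses the same product and so cannot exceed the bytes still available in `s`, but that intent should be stated, e.g. `/* bound the allocation by the bytes remaining in s; sizeof(rdpCertBlob) is a proxy, not the wire size of a blob */`. The Doxygen block kept as context above the function still reads `@return new X.509 certificate chain`; it should describe the BOOL result and the new `s` and `chain` parameters.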
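Review bot: A `numCertBlobs` of 0 now makes `certificate_new_x509_certificate_chain` return TRUE, so in `certificate_read_server_x509_certificate_chain` the `for` loop is skipped and parsing continues with an empty chain. Whether the code after the loop rejects an empty chain is outside this hunk, as is the rest of the function body. If nothing later does, an explicit check right after the call, such as `if (cert->x509_cert_chain.count == 0) return FALSE;`, would make the handling of an empty server chain a visible decision rather than a side effect of the loop bound.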