Release date:
2026-04-03 13:35:48 UTC
Description:
- CVE-2023-39355: fix use-after-free in RDPGFX_CMDID_RESETGRAPHICS handling when
context->maxPlaneSize == 0; update context->planesBuffer after free and
prevent access to freed memory
- CVE-2026-26965: fix heap out-of-bounds write in RLE planar decode that permitted
attacker-controlled pixel data and offsets to overwrite an adjacent function pointer;
validate (nYDst+nSrcHeight) and (nXDst+nSrcWidth) against destination bounds
and ensure writes use the correct buffer, preventing the OOB write
- CVE-2026-26955: fix heap buffer overflow in GDI surface pipeline caused by an
out-of-bounds ClearCodec destination rectangle; add top-level guard in
clear_decompress() to validate nXDst/nYDst against destination surface
dimensions, protecting all code paths (bands, residual, glyph, subcodec);
fix subcodec bounds checks to compare against destination dimensions
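The destination-rectangle validation named in the CVE-2026-26965 and CVE-2026-26955 entries above, shown as an added example that is not taken from the FreeRDP patches or this package. `dst_rect_in_bounds`, `guarded_blit`, `nDstWidth` and `nDstHeight` are hypothetical names, and a 32-bit-per-pixel surface is assumed; the check is written with subtractions so that nXDst+nSrcWidth cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: true only if the rectangle lies fully inside a
 * surface of nDstWidth x nDstHeight pixels. Subtraction is used instead
 * of nXDst + nSrcWidth so the comparison cannot wrap past UINT32_MAX. */
static bool dst_rect_in_bounds(uint32_t nXDst, uint32_t nYDst,
                               uint32_t nSrcWidth, uint32_t nSrcHeight,
                               uint32_t nDstWidth, uint32_t nDstHeight)
{
    if (nXDst > nDstWidth || nYDst > nDstHeight)
        return false;
    if (nSrcWidth > nDstWidth - nXDst)
        return false;
    if (nSrcHeight > nDstHeight - nYDst)
        return false;
    return true;
}

/* Hypothetical guarded copy of 32-bit pixels: the rectangle is validated
 * once at the top, before any row is written, so every later write is
 * covered. Returns false and writes nothing when the rectangle is bad. */
static bool guarded_blit(uint32_t* dst, uint32_t nDstWidth, uint32_t nDstHeight,
                         uint32_t nXDst, uint32_t nYDst,
                         const uint32_t* src, uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (!dst || !src)
        return false;
    if (!dst_rect_in_bounds(nXDst, nYDst, nSrcWidth, nSrcHeight, nDstWidth, nDstHeight))
        return false;
    for (uint32_t y = 0; y < nSrcHeight; y++)
    {
        /* Row start inside the destination surface, computed in size_t. */
        uint32_t* row = dst + (size_t)(nYDst + y) * nDstWidth + nXDst;
        memcpy(row, src + (size_t)y * nSrcWidth, (size_t)nSrcWidth * sizeof(uint32_t));
    }
    return true;
}
```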
Updated packages:
- freerdp-2.1.1-5.el7_9.tuxcare.els19.x86_64.rpm
sha:7f138eb936e1327cd949f3807a46eafd334b00f53d44fad9a4fdcffb13c85987
- freerdp-devel-2.1.1-5.el7_9.tuxcare.els19.i686.rpm
sha:ad3c20c044b0cf6cc40894dffd38c676700aff653bab4669fab384a9ec39f460
- freerdp-devel-2.1.1-5.el7_9.tuxcare.els19.x86_64.rpm
sha:6d290eb0ad5c3191f38fe2bbcb89c1e30d14d87182e42928ee3fbf647f7db208
- freerdp-libs-2.1.1-5.el7_9.tuxcare.els19.i686.rpm
sha:a8a75fe200f33574491b4092932990850b6f8e2972845657f3d11fc46908a3f2
- freerdp-libs-2.1.1-5.el7_9.tuxcare.els19.x86_64.rpm
sha:5629459dbabed1832d497b0ede4e721e54c2dd994640e50649074bddf0653465
- libwinpr-2.1.1-5.el7_9.tuxcare.els19.i686.rpm
sha:ee27c57807c3a6a3d4818441397215d3894c64b43b850076d65f9887f1bd99fb
- libwinpr-2.1.1-5.el7_9.tuxcare.els19.x86_64.rpm
sha:dffb3c8153d4bb33032cde3bceac28491d2c214194ec57038cbc45bb4a0a2d46
- libwinpr-devel-2.1.1-5.el7_9.tuxcare.els19.i686.rpm
sha:fd5d36fa01f046a51772d377257677b6ad266bac74d24dd49fcdf21b61541fa3
- libwinpr-devel-2.1.1-5.el7_9.tuxcare.els19.x86_64.rpm
sha:f3316af59ced867dfea5e8ffb1a5b76392b84bd53f0f1a4c7a8392f4c8b3b1c2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.