summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-31 04:45:31 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:39 (GMT)
commitd192c628912d8a28bb9635d213ed68fb9af59412 (patch)
tree2faddab94988efc8f574eaf96b10a1ec6e32bb4a
parent34c865c7baac34b1615af0d336fdc86cda166918 (diff)
downloadpoky-d192c628912d8a28bb9635d213ed68fb9af59412.tar.gz
librsvg: Security fix CVE-2015-7558
CVE-2015-7558 librsvg2: Stack exhaustion causing DoS including two supporting patches. (From OE-Core master rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6) (From OE-Core rev: 4e21caee47a0ca3e66e84a15d104d3b532731263) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch139
-rw-r--r--meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch230
-rw-r--r--meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch223
-rw-r--r--meta/recipes-gnome/librsvg/librsvg_2.40.6.bb6
4 files changed, 597 insertions, 1 deletions
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000..a3ba41f
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
1From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
2From: Benjamin Otte <otte@redhat.com>
3Date: Wed, 7 Oct 2015 05:31:08 +0200
4Subject: [PATCH] state: Store mask as reference
5
6Instead of immediately looking up the mask, store the reference and look
7it up on use.
8
9Upstream-status: Backport
10
11supporting patch
12https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
13
14CVE: CVE-2015-7558
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 rsvg-cairo-draw.c | 6 +++++-
19 rsvg-mask.c | 17 -----------------
20 rsvg-mask.h | 2 --
21 rsvg-styles.c | 12 ++++++++----
22 rsvg-styles.h | 2 +-
23 5 files changed, 14 insertions(+), 25 deletions(-)
24
25Index: librsvg-2.40.10/rsvg-cairo-draw.c
26===================================================================
27--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
28+++ librsvg-2.40.10/rsvg-cairo-draw.c
29@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
30 cairo_set_operator (render->cr, state->comp_op);
31
32 if (state->mask) {
33- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
34+ RsvgNode *mask;
35+
36+ mask = rsvg_defs_lookup (ctx->defs, state->mask);
37+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
38+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
39 } else if (state->opacity != 0xFF)
40 cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
41 else
42Index: librsvg-2.40.10/rsvg-mask.c
43===================================================================
44--- librsvg-2.40.10.orig/rsvg-mask.c
45+++ librsvg-2.40.10/rsvg-mask.c
46@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
47 }
48
49 RsvgNode *
50-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
51-{
52- char *name;
53-
54- name = rsvg_get_url_string (str);
55- if (name) {
56- RsvgNode *val;
57- val = rsvg_defs_lookup (defs, name);
58- g_free (name);
59-
60- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
61- return val;
62- }
63- return NULL;
64-}
65-
66-RsvgNode *
67 rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
68 {
69 char *name;
70Index: librsvg-2.40.10/rsvg-mask.h
71===================================================================
72--- librsvg-2.40.10.orig/rsvg-mask.h
73+++ librsvg-2.40.10/rsvg-mask.h
74@@ -48,8 +48,6 @@ struct _RsvgMask {
75
76 G_GNUC_INTERNAL
77 RsvgNode *rsvg_new_mask (void);
78-G_GNUC_INTERNAL
79-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
80
81 typedef struct _RsvgClipPath RsvgClipPath;
82
83Index: librsvg-2.40.10/rsvg-styles.c
84===================================================================
85--- librsvg-2.40.10.orig/rsvg-styles.c
86+++ librsvg-2.40.10/rsvg-styles.c
87@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
88
89 *dst = *src;
90 dst->parent = parent;
91+ dst->mask = g_strdup (src->mask);
92 dst->font_family = g_strdup (src->font_family);
93 dst->lang = g_strdup (src->lang);
94 rsvg_paint_server_ref (dst->fill);
95@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
96
97 if (inherituninheritables) {
98 dst->clip_path_ref = src->clip_path_ref;
99- dst->mask = src->mask;
100+ g_free (dst->mask);
101+ dst->mask = g_strdup (src->mask);
102 dst->enable_background = src->enable_background;
103 dst->adobe_blend = src->adobe_blend;
104 dst->opacity = src->opacity;
105@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
106 void
107 rsvg_state_finalize (RsvgState * state)
108 {
109+ g_free (state->mask);
110 g_free (state->font_family);
111 g_free (state->lang);
112 rsvg_paint_server_unref (state->fill);
113@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
114 state->adobe_blend = 11;
115 else
116 state->adobe_blend = 0;
117- } else if (g_str_equal (name, "mask"))
118- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
119- else if (g_str_equal (name, "clip-path")) {
120+ } else if (g_str_equal (name, "mask")) {
121+ g_free (state->mask);
122+ state->mask = rsvg_get_url_string (value);
123+ } else if (g_str_equal (name, "clip-path")) {
124 state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
125 } else if (g_str_equal (name, "overflow")) {
126 if (!g_str_equal (value, "inherit")) {
127Index: librsvg-2.40.10/rsvg-styles.h
128===================================================================
129--- librsvg-2.40.10.orig/rsvg-styles.h
130+++ librsvg-2.40.10/rsvg-styles.h
131@@ -80,7 +80,7 @@ struct _RsvgState {
132 cairo_matrix_t personal_affine;
133
134 RsvgFilter *filter;
135- void *mask;
136+ char *mask;
137 void *clip_path_ref;
138 guint8 adobe_blend; /* 0..11 */
139 guint8 opacity; /* 0..255 */
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
new file mode 100644
index 0000000..9f6820e
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
@@ -0,0 +1,230 @@
1From 6cfaab12c70cd4a34c4730837f1ecdf792593c90 Mon Sep 17 00:00:00 2001
2From: Benjamin Otte <otte@redhat.com>
3Date: Wed, 7 Oct 2015 07:57:39 +0200
4Subject: [PATCH] state: Look up clip path lazily
5
6Upstream-status: Backport
7
8supporting patch
9https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=6cfaab12c70cd4a34c4730837f1ecdf792593c90
10
11CVE: CVE-2015-7558
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 rsvg-cairo-draw.c | 56 +++++++++++++++++++++++++++++++++----------------------
16 rsvg-mask.c | 17 -----------------
17 rsvg-mask.h | 2 --
18 rsvg-styles.c | 10 +++++++---
19 rsvg-styles.h | 2 +-
20 5 files changed, 42 insertions(+), 45 deletions(-)
21
22Index: librsvg-2.40.10/rsvg-cairo-draw.c
23===================================================================
24--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
25+++ librsvg-2.40.10/rsvg-cairo-draw.c
26@@ -461,7 +461,7 @@ rsvg_cairo_render_path (RsvgDrawingCtx *
27 return;
28
29 need_tmpbuf = ((state->fill != NULL) && (state->stroke != NULL) && state->opacity != 0xff)
30- || state->clip_path_ref || state->mask || state->filter
31+ || state->clip_path || state->mask || state->filter
32 || (state->comp_op != CAIRO_OPERATOR_OVER);
33
34 if (need_tmpbuf)
35@@ -708,18 +708,6 @@ rsvg_cairo_generate_mask (cairo_t * cr,
36 }
37
38 static void
39-rsvg_cairo_push_early_clips (RsvgDrawingCtx * ctx)
40-{
41- RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
42-
43- cairo_save (render->cr);
44- if (rsvg_current_state (ctx)->clip_path_ref)
45- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == userSpaceOnUse)
46- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, NULL);
47-
48-}
49-
50-static void
51 rsvg_cairo_push_render_stack (RsvgDrawingCtx * ctx)
52 {
53 /* XXX: Untested, probably needs help wrt filters */
54@@ -731,9 +719,27 @@ rsvg_cairo_push_render_stack (RsvgDrawin
55 RsvgState *state = rsvg_current_state (ctx);
56 gboolean lateclip = FALSE;
57
58- if (rsvg_current_state (ctx)->clip_path_ref)
59- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
60- lateclip = TRUE;
61+ if (rsvg_current_state (ctx)->clip_path) {
62+ RsvgNode *node;
63+ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
64+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
65+ RsvgClipPath *clip_path = (RsvgClipPath *) node;
66+
67+ switch (clip_path->units) {
68+ case userSpaceOnUse:
69+ rsvg_cairo_clip (ctx, clip_path, NULL);
70+ break;
71+ case objectBoundingBox:
72+ lateclip = TRUE;
73+ break;
74+
75+ default:
76+ g_assert_not_reached ();
77+ break;
78+ }
79+
80+ }
81+ }
82
83 if (state->opacity == 0xFF
84 && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
85@@ -774,7 +780,9 @@ rsvg_cairo_push_render_stack (RsvgDrawin
86 void
87 rsvg_cairo_push_discrete_layer (RsvgDrawingCtx * ctx)
88 {
89- rsvg_cairo_push_early_clips (ctx);
90+ RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
91+
92+ cairo_save (render->cr);
93 rsvg_cairo_push_render_stack (ctx);
94 }
95
96@@ -783,14 +791,18 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
97 {
98 RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
99 cairo_t *child_cr = render->cr;
100- gboolean lateclip = FALSE;
101+ RsvgClipPath *lateclip = NULL;
102 cairo_surface_t *surface = NULL;
103 RsvgState *state = rsvg_current_state (ctx);
104 gboolean nest;
105
106- if (rsvg_current_state (ctx)->clip_path_ref)
107- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
108- lateclip = TRUE;
109+ if (rsvg_current_state (ctx)->clip_path) {
110+ RsvgNode *node;
111+ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
112+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
113+ && ((RsvgClipPath *) node)->units == objectBoundingBox)
114+ lateclip = (RsvgClipPath *) node;
115+ }
116
117 if (state->opacity == 0xFF
118 && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
119@@ -820,7 +832,7 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
120 nest ? 0 : render->offset_y);
121
122 if (lateclip)
123- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, &render->bbox);
124+ rsvg_cairo_clip (ctx, lateclip, &render->bbox);
125
126 cairo_set_operator (render->cr, state->comp_op);
127
128Index: librsvg-2.40.10/rsvg-mask.c
129===================================================================
130--- librsvg-2.40.10.orig/rsvg-mask.c
131+++ librsvg-2.40.10/rsvg-mask.c
132@@ -102,23 +102,6 @@ rsvg_get_url_string (const char *str)
133 return NULL;
134 }
135
136-RsvgNode *
137-rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
138-{
139- char *name;
140-
141- name = rsvg_get_url_string (str);
142- if (name) {
143- RsvgNode *val;
144- val = rsvg_defs_lookup (defs, name);
145- g_free (name);
146-
147- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_CLIP_PATH)
148- return val;
149- }
150- return NULL;
151-}
152-
153 static void
154 rsvg_clip_path_set_atts (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag * atts)
155 {
156Index: librsvg-2.40.10/rsvg-mask.h
157===================================================================
158--- librsvg-2.40.10.orig/rsvg-mask.h
159+++ librsvg-2.40.10/rsvg-mask.h
160@@ -58,8 +58,6 @@ struct _RsvgClipPath {
161
162 G_GNUC_INTERNAL
163 RsvgNode *rsvg_new_clip_path (void);
164-G_GNUC_INTERNAL
165-RsvgNode *rsvg_clip_path_parse (const RsvgDefs * defs, const char *str);
166
167 G_END_DECLS
168 #endif
169Index: librsvg-2.40.10/rsvg-styles.c
170===================================================================
171--- librsvg-2.40.10.orig/rsvg-styles.c
172+++ librsvg-2.40.10/rsvg-styles.c
173@@ -149,7 +149,7 @@ rsvg_state_init (RsvgState * state)
174 state->visible = TRUE;
175 state->cond_true = TRUE;
176 state->filter = NULL;
177- state->clip_path_ref = NULL;
178+ state->clip_path = NULL;
179 state->startMarker = NULL;
180 state->middleMarker = NULL;
181 state->endMarker = NULL;
182@@ -222,6 +222,7 @@ rsvg_state_clone (RsvgState * dst, const
183 *dst = *src;
184 dst->parent = parent;
185 dst->mask = g_strdup (src->mask);
186+ dst->clip_path = g_strdup (src->clip_path);
187 dst->font_family = g_strdup (src->font_family);
188 dst->lang = g_strdup (src->lang);
189 rsvg_paint_server_ref (dst->fill);
190@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
191 }
192
193 if (inherituninheritables) {
194- dst->clip_path_ref = src->clip_path_ref;
195+ g_free (dst->clip_path);
196+ dst->clip_path = g_strdup (src->clip_path);
197 g_free (dst->mask);
198 dst->mask = g_strdup (src->mask);
199 dst->enable_background = src->enable_background;
200@@ -447,6 +449,7 @@ void
201 rsvg_state_finalize (RsvgState * state)
202 {
203 g_free (state->mask);
204+ g_free (state->clip_path);
205 g_free (state->font_family);
206 g_free (state->lang);
207 rsvg_paint_server_unref (state->fill);
208@@ -524,7 +527,8 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
209 g_free (state->mask);
210 state->mask = rsvg_get_url_string (value);
211 } else if (g_str_equal (name, "clip-path")) {
212- state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
213+ g_free (state->clip_path);
214+ state->clip_path = rsvg_get_url_string (value);
215 } else if (g_str_equal (name, "overflow")) {
216 if (!g_str_equal (value, "inherit")) {
217 state->overflow = rsvg_css_parse_overflow (value, &state->has_overflow);
218Index: librsvg-2.40.10/rsvg-styles.h
219===================================================================
220--- librsvg-2.40.10.orig/rsvg-styles.h
221+++ librsvg-2.40.10/rsvg-styles.h
222@@ -81,7 +81,7 @@ struct _RsvgState {
223
224 RsvgFilter *filter;
225 char *mask;
226- void *clip_path_ref;
227+ char *clip_path;
228 guint8 adobe_blend; /* 0..11 */
229 guint8 opacity; /* 0..255 */
230
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
new file mode 100644
index 0000000..dd67ab7
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
@@ -0,0 +1,223 @@
1From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
2From: Benjamin Otte <otte@redhat.com>
3Date: Wed, 7 Oct 2015 08:45:37 +0200
4Subject: [PATCH] rsvg: Add rsvg_acquire_node()
5
6This function does proper recursion checks when looking up resources
7from URLs and thereby helps avoiding infinite loops when cyclic
8references span multiple types of elements.
9
10Upstream-status: Backport
11
12https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
13
14CVE: CVE-2015-7558
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 rsvg-base.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
19 rsvg-cairo-draw.c | 15 +++++++++++----
20 rsvg-cairo-render.c | 1 +
21 rsvg-filter.c | 9 +++++++--
22 rsvg-private.h | 5 +++++
23 5 files changed, 79 insertions(+), 6 deletions(-)
24
25Index: librsvg-2.40.10/rsvg-base.c
26===================================================================
27--- librsvg-2.40.10.orig/rsvg-base.c
28+++ librsvg-2.40.10/rsvg-base.c
29@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
30 g_slist_free (handle->drawsub_stack);
31
32 g_slist_free (handle->ptrs);
33+ g_warn_if_fail (handle->acquired_nodes == NULL);
34+ g_slist_free (handle->acquired_nodes);
35
36 if (handle->base_uri)
37 g_free (handle->base_uri);
38@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
39 ctx->render->push_discrete_layer (ctx);
40 }
41
42+/*
43+ * rsvg_acquire_node:
44+ * @ctx: The drawing context in use
45+ * @url: The IRI to lookup
46+ *
47+ * Use this function when looking up urls to other nodes. This
48+ * function does proper recursion checking and thereby avoids
49+ * infinite loops.
50+ *
51+ * Nodes acquired by this function must be released using
52+ * rsvg_release_node() in reverse acquiring order.
53+ *
54+ * Returns: The node referenced by @url or %NULL if the @url
55+ * does not reference a node.
56+ */
57+RsvgNode *
58+rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
59+{
60+ RsvgNode *node;
61+
62+ node = rsvg_defs_lookup (ctx->defs, url);
63+ if (node == NULL)
64+ return NULL;
65+
66+ if (g_slist_find (ctx->acquired_nodes, node))
67+ return NULL;
68+
69+ ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
70+
71+ return node;
72+}
73+
74+/*
75+ * rsvg_release_node:
76+ * @ctx: The drawing context the node was acquired from
77+ * @node: Node to release
78+ *
79+ * Releases a node previously acquired via rsvg_acquire_node().
80+ *
81+ * if @node is %NULL, this function does nothing.
82+ */
83+void
84+rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
85+{
86+ if (node == NULL)
87+ return;
88+
89+ g_return_if_fail (ctx->acquired_nodes != NULL);
90+ g_return_if_fail (ctx->acquired_nodes->data == node);
91+
92+ ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
93+}
94+
95 void
96 rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
97 {
98Index: librsvg-2.40.10/rsvg-cairo-draw.c
99===================================================================
100--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
101+++ librsvg-2.40.10/rsvg-cairo-draw.c
102@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
103
104 if (rsvg_current_state (ctx)->clip_path) {
105 RsvgNode *node;
106- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
107+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
108 if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
109 RsvgClipPath *clip_path = (RsvgClipPath *) node;
110
111@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
112 }
113
114 }
115+
116+ rsvg_release_node (ctx, node);
117 }
118
119 if (state->opacity == 0xFF
120@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
121
122 if (rsvg_current_state (ctx)->clip_path) {
123 RsvgNode *node;
124- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
125+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
126 if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
127 && ((RsvgClipPath *) node)->units == objectBoundingBox)
128 lateclip = (RsvgClipPath *) node;
129+ else
130+ rsvg_release_node (ctx, node);
131 }
132
133 if (state->opacity == 0xFF
134@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
135 nest ? 0 : render->offset_x,
136 nest ? 0 : render->offset_y);
137
138- if (lateclip)
139+ if (lateclip) {
140 rsvg_cairo_clip (ctx, lateclip, &render->bbox);
141+ rsvg_release_node (ctx, (RsvgNode *) lateclip);
142+ }
143
144 cairo_set_operator (render->cr, state->comp_op);
145
146 if (state->mask) {
147 RsvgNode *mask;
148
149- mask = rsvg_defs_lookup (ctx->defs, state->mask);
150+ mask = rsvg_acquire_node (ctx, state->mask);
151 if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
152 rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
153+ rsvg_release_node (ctx, mask);
154 } else if (state->opacity != 0xFF)
155 cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
156 else
157Index: librsvg-2.40.10/rsvg-cairo-render.c
158===================================================================
159--- librsvg-2.40.10.orig/rsvg-cairo-render.c
160+++ librsvg-2.40.10/rsvg-cairo-render.c
161@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
162 draw->pango_context = NULL;
163 draw->drawsub_stack = NULL;
164 draw->ptrs = NULL;
165+ draw->acquired_nodes = NULL;
166
167 rsvg_state_push (draw);
168 state = rsvg_current_state (draw);
169Index: librsvg-2.40.10/rsvg-filter.c
170===================================================================
171--- librsvg-2.40.10.orig/rsvg-filter.c
172+++ librsvg-2.40.10/rsvg-filter.c
173@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
174 RsvgDrawingCtx *ctx;
175 RsvgFilterPrimitiveImage *upself;
176 RsvgNode *drawable;
177+ cairo_surface_t *result;
178
179 ctx = context->ctx;
180
181@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
182 if (!upself->href)
183 return NULL;
184
185- drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
186+ drawable = rsvg_acquire_node (ctx, upself->href->str);
187 if (!drawable)
188 return NULL;
189
190 rsvg_current_state (ctx)->affine = context->paffine;
191
192- return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
193+ result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
194+
195+ rsvg_release_node (ctx, drawable);
196+
197+ return result;
198 }
199
200 static cairo_surface_t *
201Index: librsvg-2.40.10/rsvg-private.h
202===================================================================
203--- librsvg-2.40.10.orig/rsvg-private.h
204+++ librsvg-2.40.10/rsvg-private.h
205@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
206 GSList *vb_stack;
207 GSList *drawsub_stack;
208 GSList *ptrs;
209+ GSList *acquired_nodes;
210 };
211
212 /*Abstract base class for context for our backends (one as yet)*/
213@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer (RsvgDra
214 G_GNUC_INTERNAL
215 void rsvg_push_discrete_layer (RsvgDrawingCtx * ctx);
216 G_GNUC_INTERNAL
217+RsvgNode *rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url);
218+G_GNUC_INTERNAL
219+void rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node);
220+G_GNUC_INTERNAL
221 void rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path);
222 G_GNUC_INTERNAL
223 void rsvg_render_surface (RsvgDrawingCtx * ctx, cairo_surface_t *surface,
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.40.6.bb b/meta/recipes-gnome/librsvg/librsvg_2.40.6.bb
index 483d309..8a272cd 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.40.6.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.40.6.bb
@@ -14,7 +14,11 @@ inherit autotools pkgconfig gnomebase gtk-doc pixbufcache
14 14
15GNOME_COMPRESS_TYPE = "xz" 15GNOME_COMPRESS_TYPE = "xz"
16 16
17SRC_URI += "file://gtk-option.patch" 17SRC_URI += "file://gtk-option.patch \
18 file://CVE-2015-7558_1.patch \
19 file://CVE-2015-7558_2.patch \
20 file://CVE-2015-7558_3.patch \
21 "
18 22
19SRC_URI[archive.md5sum] = "259fd160b47ec11f3c27d7e18e507c99" 23SRC_URI[archive.md5sum] = "259fd160b47ec11f3c27d7e18e507c99"
20SRC_URI[archive.sha256sum] = "8af349f241677b04b7a1ea6b9b33a6343e781bcccc8a09d00208a47342584f06" 24SRC_URI[archive.sha256sum] = "8af349f241677b04b7a1ea6b9b33a6343e781bcccc8a09d00208a47342584f06"