diff options
author | Ross Burton <ross@burtonini.com> | 2021-05-10 11:48:38 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-11 11:54:26 +0100 |
commit | cb93117edb4edd104acbae297ad55cc7a0a8a8ab (patch) | |
tree | c8987cc2f504df330d3b7832bb0bf427be1636b2 /meta/recipes-graphics/cairo | |
parent | 217e7c61c52b89283f1ab30e38fd8c9c76f9bec1 (diff) | |
download | poky-cb93117edb4edd104acbae297ad55cc7a0a8a8ab.tar.gz |
cairo: backport patch for CVE-2020-35492
(From OE-Core rev: 0c4e6f99332ae253855708845a41fdfeb72d4c30)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics/cairo')
-rw-r--r-- | meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch | 60 | ||||
-rw-r--r-- | meta/recipes-graphics/cairo/cairo_1.16.0.bb | 1 |
2 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..fb6ce5cfdf --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | Fix stack buffer overflow. | ||
2 | |||
3 | CVE: CVE-2020-35492 | ||
4 | Upstream-Status: Backport | ||
5 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
6 | |||
7 | From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 | ||
8 | From: Heiko Lewin <heiko.lewin@worldiety.de> | ||
9 | Date: Tue, 15 Dec 2020 16:48:19 +0100 | ||
10 | Subject: [PATCH] Fix mask usage in image-compositor | ||
11 | |||
12 | --- | ||
13 | src/cairo-image-compositor.c | 8 ++-- | ||
14 | test/Makefile.sources | 1 + | ||
15 | test/bug-image-compositor.c | 39 ++++++++++++++++++++ | ||
16 | test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes | ||
17 | 4 files changed, 44 insertions(+), 4 deletions(-) | ||
18 | create mode 100644 test/bug-image-compositor.c | ||
19 | create mode 100644 test/reference/bug-image-compositor.ref.png | ||
20 | |||
21 | diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c | ||
22 | index 79ad69f68..4f8aaed99 100644 | ||
23 | --- a/src/cairo-image-compositor.c | ||
24 | +++ b/src/cairo-image-compositor.c | ||
25 | @@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
26 | unsigned num_spans) | ||
27 | { | ||
28 | cairo_image_span_renderer_t *r = abstract_renderer; | ||
29 | - uint8_t *m; | ||
30 | + uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); | ||
31 | int x0; | ||
32 | |||
33 | if (num_spans == 0) | ||
34 | return CAIRO_STATUS_SUCCESS; | ||
35 | |||
36 | x0 = spans[0].x; | ||
37 | - m = r->_buf; | ||
38 | + m = base; | ||
39 | do { | ||
40 | int len = spans[1].x - spans[0].x; | ||
41 | if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { | ||
42 | @@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
43 | spans[0].x, y, | ||
44 | spans[1].x - spans[0].x, h); | ||
45 | |||
46 | - m = r->_buf; | ||
47 | + m = base; | ||
48 | x0 = spans[1].x; | ||
49 | } else if (spans[0].coverage == 0x0) { | ||
50 | if (spans[0].x != x0) { | ||
51 | @@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
52 | #endif | ||
53 | } | ||
54 | |||
55 | - m = r->_buf; | ||
56 | + m = base; | ||
57 | x0 = spans[1].x; | ||
58 | } else { | ||
59 | *m++ = spans[0].coverage; | ||
60 | -- | ||
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 68f993d7ca..9d9fbfbe0d 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb | |||
@@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ | |||
27 | file://CVE-2018-19876.patch \ | 27 | file://CVE-2018-19876.patch \ |
28 | file://CVE-2019-6461.patch \ | 28 | file://CVE-2019-6461.patch \ |
29 | file://CVE-2019-6462.patch \ | 29 | file://CVE-2019-6462.patch \ |
30 | file://CVE-2020-35492.patch \ | ||
30 | " | 31 | " |
31 | 32 | ||
32 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" | 33 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" |