diff options
author | Changqing Li <changqing.li@windriver.com> | 2021-04-22 16:10:10 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-05 17:43:23 +0100 |
commit | 5faaedd8e39746930f982a088c4de9541652aa97 (patch) | |
tree | 2f0117c3306689b3a9bb27d6fa16b2a627d74d4e /meta/recipes-graphics | |
parent | 1c8bded8ed7139ddac2e05c06f4eec65fb840191 (diff) | |
download | poky-5faaedd8e39746930f982a088c4de9541652aa97.tar.gz |
cairo: fix CVE-2020-35492
(From OE-Core rev: 58e9ecbda48faff9c1babc90504eb76805eb9266)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch | 121 | ||||
-rw-r--r-- | meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png | bin | 0 -> 185 bytes | |||
-rw-r--r-- | meta/recipes-graphics/cairo/cairo_1.16.0.bb | 11 |
3 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..f8e69beb0b --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 | ||
2 | From: Heiko Lewin <heiko.lewin@worldiety.de> | ||
3 | Date: Tue, 15 Dec 2020 16:48:19 +0100 | ||
4 | Subject: [PATCH] Fix mask usage in image-compositor | ||
5 | |||
6 | CVE: CVE-2020-35492 | ||
7 | |||
8 | Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85] | ||
9 | |||
10 | original patch from upstream has a binary file, it will cause | ||
11 | do_patch failed with "git binary diffs are not supported". | ||
12 | |||
13 | so add do_patch_append in recipe to add this binary source. when removing | ||
14 | this patch, please also remove do_patch_append for this patch | ||
15 | |||
16 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
17 | --- | ||
18 | src/cairo-image-compositor.c | 8 ++-- | ||
19 | test/Makefile.sources | 1 + | ||
20 | test/bug-image-compositor.c | 39 ++++++++++++++++++++ | ||
21 | 3 files changed, 44 insertions(+), 4 deletions(-) | ||
22 | create mode 100644 test/bug-image-compositor.c | ||
23 | |||
24 | diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c | ||
25 | index 79ad69f68..4f8aaed99 100644 | ||
26 | --- a/src/cairo-image-compositor.c | ||
27 | +++ b/src/cairo-image-compositor.c | ||
28 | @@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
29 | unsigned num_spans) | ||
30 | { | ||
31 | cairo_image_span_renderer_t *r = abstract_renderer; | ||
32 | - uint8_t *m; | ||
33 | + uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); | ||
34 | int x0; | ||
35 | |||
36 | if (num_spans == 0) | ||
37 | return CAIRO_STATUS_SUCCESS; | ||
38 | |||
39 | x0 = spans[0].x; | ||
40 | - m = r->_buf; | ||
41 | + m = base; | ||
42 | do { | ||
43 | int len = spans[1].x - spans[0].x; | ||
44 | if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { | ||
45 | @@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
46 | spans[0].x, y, | ||
47 | spans[1].x - spans[0].x, h); | ||
48 | |||
49 | - m = r->_buf; | ||
50 | + m = base; | ||
51 | x0 = spans[1].x; | ||
52 | } else if (spans[0].coverage == 0x0) { | ||
53 | if (spans[0].x != x0) { | ||
54 | @@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
55 | #endif | ||
56 | } | ||
57 | |||
58 | - m = r->_buf; | ||
59 | + m = base; | ||
60 | x0 = spans[1].x; | ||
61 | } else { | ||
62 | *m++ = spans[0].coverage; | ||
63 | diff --git a/test/Makefile.sources b/test/Makefile.sources | ||
64 | index 7eb73647f..86494348d 100644 | ||
65 | --- a/test/Makefile.sources | ||
66 | +++ b/test/Makefile.sources | ||
67 | @@ -34,6 +34,7 @@ test_sources = \ | ||
68 | bug-source-cu.c \ | ||
69 | bug-extents.c \ | ||
70 | bug-seams.c \ | ||
71 | + bug-image-compositor.c \ | ||
72 | caps.c \ | ||
73 | checkerboard.c \ | ||
74 | caps-joins.c \ | ||
75 | diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c | ||
76 | new file mode 100644 | ||
77 | index 000000000..fc4fd370b | ||
78 | --- /dev/null | ||
79 | +++ b/test/bug-image-compositor.c | ||
80 | @@ -0,0 +1,39 @@ | ||
81 | +#include "cairo-test.h" | ||
82 | + | ||
83 | +static cairo_test_status_t | ||
84 | +draw (cairo_t *cr, int width, int height) | ||
85 | +{ | ||
86 | + cairo_set_source_rgb (cr, 0., 0., 0.); | ||
87 | + cairo_paint (cr); | ||
88 | + | ||
89 | + cairo_set_source_rgb (cr, 1., 1., 1.); | ||
90 | + cairo_set_line_width (cr, 1.); | ||
91 | + | ||
92 | + cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height); | ||
93 | + cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1); | ||
94 | + cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1); | ||
95 | + cairo_set_source (cr, p); | ||
96 | + | ||
97 | + cairo_move_to (cr, 0.5, -1); | ||
98 | + for (int i = 0; i < width; i+=3) { | ||
99 | + cairo_rel_line_to (cr, 2, 2); | ||
100 | + cairo_rel_line_to (cr, 1, -2); | ||
101 | + } | ||
102 | + | ||
103 | + cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE); | ||
104 | + cairo_stroke (cr); | ||
105 | + | ||
106 | + cairo_pattern_destroy(p); | ||
107 | + | ||
108 | + return CAIRO_TEST_SUCCESS; | ||
109 | +} | ||
110 | + | ||
111 | + | ||
112 | +CAIRO_TEST (bug_image_compositor, | ||
113 | + "Crash in image-compositor", | ||
114 | + "stroke, stress", /* keywords */ | ||
115 | + NULL, /* requirements */ | ||
116 | + 10000, 1, | ||
117 | + NULL, draw) | ||
118 | + | ||
119 | + | ||
120 | -- | ||
121 | GitLab | ||
diff --git a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png new file mode 100644 index 0000000000..939f659d2c --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png | |||
Binary files differ | |||
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 68f993d7ca..d48da1a4c7 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb | |||
@@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ | |||
27 | file://CVE-2018-19876.patch \ | 27 | file://CVE-2018-19876.patch \ |
28 | file://CVE-2019-6461.patch \ | 28 | file://CVE-2019-6461.patch \ |
29 | file://CVE-2019-6462.patch \ | 29 | file://CVE-2019-6462.patch \ |
30 | file://CVE-2020-35492.patch \ | ||
31 | file://bug-image-compositor.ref.png \ | ||
30 | " | 32 | " |
31 | 33 | ||
32 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" | 34 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" |
@@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no" | |||
64 | # Ensure we don't depend on LZO | 66 | # Ensure we don't depend on LZO |
65 | export ac_cv_lib_lzo2_lzo2a_decompress="no" | 67 | export ac_cv_lib_lzo2_lzo2a_decompress="no" |
66 | 68 | ||
69 | #for CVE-2020-35492.patch | ||
70 | do_patch_append() { | ||
71 | bb.build.exec_func('do_cp_binary_source', d) | ||
72 | } | ||
73 | |||
74 | do_cp_binary_source () { | ||
75 | cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/ | ||
76 | } | ||
77 | |||
67 | do_install_append () { | 78 | do_install_append () { |
68 | rm -rf ${D}${bindir}/cairo-sphinx | 79 | rm -rf ${D}${bindir}/cairo-sphinx |
69 | rm -rf ${D}${libdir}/cairo/cairo-fdr* | 80 | rm -rf ${D}${libdir}/cairo/cairo-fdr* |