-rw-r--r-- meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch 45
-rw-r--r-- meta/recipes-graphics/cairo/cairo_1.14.10.bb 1
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch b/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
new file mode 100644
index 0000000000..7d02ab9474
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
@@ -0,0 +1,45 @@
1From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001
2From: Adrian Johnson <ajohnson@redneon.com>
3Date: Wed, 16 Aug 2017 22:52:35 -0400
4Subject: [PATCH] cairo: Fix CVE-2017-9814
5
6The bug happens because in some scenarios the variable size can
7have a value of 0 at line 1288. And malloc(0) is not returning
8NULL as some people could expect:
9
10 https://stackoverflow.com/questions/1073157/zero-size-malloc
11
12malloc(0) returns the smallest chunk possible. So the line 1290
13with the return is not execute. And the execution continues with
14an invalid map.
15
16Since the size is 0 the variable map is not initialized correctly
17at load_trutype_table. So, later when the variable map is accessed
18previous values from a freed chunk are used. This could allows an
19attacker to control the variable map.
20
21This patch have not merge in upstream now.
22
23Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547]
24CVE: CVE-2017-9814
25Signed-off-by: Dengke Du <dengke.du@windriver.com>
26---
27 src/cairo-truetype-subset.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
31index e3449a0..f77d11c 100644
32--- a/src/cairo-truetype-subset.c
33+++ b/src/cairo-truetype-subset.c
34@@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
35 return CAIRO_INT_STATUS_UNSUPPORTED;
36
37 size = be16_to_cpu (map->length);
38- map = malloc (size);
39+ map = _cairo_malloc (size);
40 if (unlikely (map == NULL))
41 return _cairo_error (CAIRO_STATUS_NO_MEMORY);
42
43--
442.8.1
45
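Review bot: at `map = _cairo_malloc (size);` the fix only holds if `_cairo_malloc` returns NULL when `size` is 0, and the commit message never says so; it explains only why plain `malloc(0)` does not. State that dependency in the message. With this change a zero-length table leaves through the `map == NULL` branch as `CAIRO_STATUS_NO_MEMORY`, which misreports the condition; an explicit `size == 0` check returning `CAIRO_INT_STATUS_UNSUPPORTED`, like the return just above, would be clearer to callers and would not depend on the allocator wrapper's behaviour. Separately, `Upstream-Status: Backport` conflicts with the message's statement that the patch has not been merged upstream; `Submitted` with the same bug URL matches what the message describes.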
diff --git a/meta/recipes-graphics/cairo/cairo_1.14.10.bb b/meta/recipes-graphics/cairo/cairo_1.14.10.bb
index ba38c34f0a..fcdddc6d9e 100644
--- a/meta/recipes-graphics/cairo/cairo_1.14.10.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.14.10.bb
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e73e999e0c72b5ac9012424fa157ad77"
4 4
5SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ 5SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
6 file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ 6 file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \
7 file://0001-cairo-Fix-CVE-2017-9814.patch \
7 " 8 "
8 9
9SRC_URI[md5sum] = "146f5f4d0b4439fc3792fd3452b7b12a" 10SRC_URI[md5sum] = "146f5f4d0b4439fc3792fd3452b7b12a"