summaryrefslogtreecommitdiffstats
path: root/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch')
-rw-r--r--meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch139
1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000000..a3ba41f505
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
1From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
2From: Benjamin Otte <otte@redhat.com>
3Date: Wed, 7 Oct 2015 05:31:08 +0200
4Subject: [PATCH] state: Store mask as reference
5
6Instead of immediately looking up the mask, store the reference and look
7it up on use.
8
9Upstream-status: Backport
10
11supporting patch
12https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
13
14CVE: CVE-2015-7558
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 rsvg-cairo-draw.c | 6 +++++-
19 rsvg-mask.c | 17 -----------------
20 rsvg-mask.h | 2 --
21 rsvg-styles.c | 12 ++++++++----
22 rsvg-styles.h | 2 +-
23 5 files changed, 14 insertions(+), 25 deletions(-)
24
25Index: librsvg-2.40.10/rsvg-cairo-draw.c
26===================================================================
27--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
28+++ librsvg-2.40.10/rsvg-cairo-draw.c
29@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
30 cairo_set_operator (render->cr, state->comp_op);
31
32 if (state->mask) {
33- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
34+ RsvgNode *mask;
35+
36+ mask = rsvg_defs_lookup (ctx->defs, state->mask);
37+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
38+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
39 } else if (state->opacity != 0xFF)
40 cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
41 else
42Index: librsvg-2.40.10/rsvg-mask.c
43===================================================================
44--- librsvg-2.40.10.orig/rsvg-mask.c
45+++ librsvg-2.40.10/rsvg-mask.c
46@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
47 }
48
49 RsvgNode *
50-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
51-{
52- char *name;
53-
54- name = rsvg_get_url_string (str);
55- if (name) {
56- RsvgNode *val;
57- val = rsvg_defs_lookup (defs, name);
58- g_free (name);
59-
60- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
61- return val;
62- }
63- return NULL;
64-}
65-
66-RsvgNode *
67 rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
68 {
69 char *name;
70Index: librsvg-2.40.10/rsvg-mask.h
71===================================================================
72--- librsvg-2.40.10.orig/rsvg-mask.h
73+++ librsvg-2.40.10/rsvg-mask.h
74@@ -48,8 +48,6 @@ struct _RsvgMask {
75
76 G_GNUC_INTERNAL
77 RsvgNode *rsvg_new_mask (void);
78-G_GNUC_INTERNAL
79-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
80
81 typedef struct _RsvgClipPath RsvgClipPath;
82
83Index: librsvg-2.40.10/rsvg-styles.c
84===================================================================
85--- librsvg-2.40.10.orig/rsvg-styles.c
86+++ librsvg-2.40.10/rsvg-styles.c
87@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
88
89 *dst = *src;
90 dst->parent = parent;
91+ dst->mask = g_strdup (src->mask);
92 dst->font_family = g_strdup (src->font_family);
93 dst->lang = g_strdup (src->lang);
94 rsvg_paint_server_ref (dst->fill);
95@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
96
97 if (inherituninheritables) {
98 dst->clip_path_ref = src->clip_path_ref;
99- dst->mask = src->mask;
100+ g_free (dst->mask);
101+ dst->mask = g_strdup (src->mask);
102 dst->enable_background = src->enable_background;
103 dst->adobe_blend = src->adobe_blend;
104 dst->opacity = src->opacity;
105@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
106 void
107 rsvg_state_finalize (RsvgState * state)
108 {
109+ g_free (state->mask);
110 g_free (state->font_family);
111 g_free (state->lang);
112 rsvg_paint_server_unref (state->fill);
113@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
114 state->adobe_blend = 11;
115 else
116 state->adobe_blend = 0;
117- } else if (g_str_equal (name, "mask"))
118- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
119- else if (g_str_equal (name, "clip-path")) {
120+ } else if (g_str_equal (name, "mask")) {
121+ g_free (state->mask);
122+ state->mask = rsvg_get_url_string (value);
123+ } else if (g_str_equal (name, "clip-path")) {
124 state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
125 } else if (g_str_equal (name, "overflow")) {
126 if (!g_str_equal (value, "inherit")) {
127Index: librsvg-2.40.10/rsvg-styles.h
128===================================================================
129--- librsvg-2.40.10.orig/rsvg-styles.h
130+++ librsvg-2.40.10/rsvg-styles.h
131@@ -80,7 +80,7 @@ struct _RsvgState {
132 cairo_matrix_t personal_affine;
133
134 RsvgFilter *filter;
135- void *mask;
136+ char *mask;
137 void *clip_path_ref;
138 guint8 adobe_blend; /* 0..11 */
139 guint8 opacity; /* 0..255 */