diff options
Diffstat (limited to 'meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch')
-rw-r--r-- | meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch new file mode 100644 index 0000000000..a3ba41f505 --- /dev/null +++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch | |||
@@ -0,0 +1,139 @@ | |||
1 | From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Otte <otte@redhat.com> | ||
3 | Date: Wed, 7 Oct 2015 05:31:08 +0200 | ||
4 | Subject: [PATCH] state: Store mask as reference | ||
5 | |||
6 | Instead of immediately looking up the mask, store the reference and look | ||
7 | it up on use. | ||
8 | |||
9 | Upstream-status: Backport | ||
10 | |||
11 | supporting patch | ||
12 | https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2 | ||
13 | |||
14 | CVE: CVE-2015-7558 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | rsvg-cairo-draw.c | 6 +++++- | ||
19 | rsvg-mask.c | 17 ----------------- | ||
20 | rsvg-mask.h | 2 -- | ||
21 | rsvg-styles.c | 12 ++++++++---- | ||
22 | rsvg-styles.h | 2 +- | ||
23 | 5 files changed, 14 insertions(+), 25 deletions(-) | ||
24 | |||
25 | Index: librsvg-2.40.10/rsvg-cairo-draw.c | ||
26 | =================================================================== | ||
27 | --- librsvg-2.40.10.orig/rsvg-cairo-draw.c | ||
28 | +++ librsvg-2.40.10/rsvg-cairo-draw.c | ||
29 | @@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing | ||
30 | cairo_set_operator (render->cr, state->comp_op); | ||
31 | |||
32 | if (state->mask) { | ||
33 | - rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox); | ||
34 | + RsvgNode *mask; | ||
35 | + | ||
36 | + mask = rsvg_defs_lookup (ctx->defs, state->mask); | ||
37 | + if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK) | ||
38 | + rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox); | ||
39 | } else if (state->opacity != 0xFF) | ||
40 | cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0); | ||
41 | else | ||
42 | Index: librsvg-2.40.10/rsvg-mask.c | ||
43 | =================================================================== | ||
44 | --- librsvg-2.40.10.orig/rsvg-mask.c | ||
45 | +++ librsvg-2.40.10/rsvg-mask.c | ||
46 | @@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str) | ||
47 | } | ||
48 | |||
49 | RsvgNode * | ||
50 | -rsvg_mask_parse (const RsvgDefs * defs, const char *str) | ||
51 | -{ | ||
52 | - char *name; | ||
53 | - | ||
54 | - name = rsvg_get_url_string (str); | ||
55 | - if (name) { | ||
56 | - RsvgNode *val; | ||
57 | - val = rsvg_defs_lookup (defs, name); | ||
58 | - g_free (name); | ||
59 | - | ||
60 | - if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK) | ||
61 | - return val; | ||
62 | - } | ||
63 | - return NULL; | ||
64 | -} | ||
65 | - | ||
66 | -RsvgNode * | ||
67 | rsvg_clip_path_parse (const RsvgDefs * defs, const char *str) | ||
68 | { | ||
69 | char *name; | ||
70 | Index: librsvg-2.40.10/rsvg-mask.h | ||
71 | =================================================================== | ||
72 | --- librsvg-2.40.10.orig/rsvg-mask.h | ||
73 | +++ librsvg-2.40.10/rsvg-mask.h | ||
74 | @@ -48,8 +48,6 @@ struct _RsvgMask { | ||
75 | |||
76 | G_GNUC_INTERNAL | ||
77 | RsvgNode *rsvg_new_mask (void); | ||
78 | -G_GNUC_INTERNAL | ||
79 | -RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str); | ||
80 | |||
81 | typedef struct _RsvgClipPath RsvgClipPath; | ||
82 | |||
83 | Index: librsvg-2.40.10/rsvg-styles.c | ||
84 | =================================================================== | ||
85 | --- librsvg-2.40.10.orig/rsvg-styles.c | ||
86 | +++ librsvg-2.40.10/rsvg-styles.c | ||
87 | @@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const | ||
88 | |||
89 | *dst = *src; | ||
90 | dst->parent = parent; | ||
91 | + dst->mask = g_strdup (src->mask); | ||
92 | dst->font_family = g_strdup (src->font_family); | ||
93 | dst->lang = g_strdup (src->lang); | ||
94 | rsvg_paint_server_ref (dst->fill); | ||
95 | @@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst, | ||
96 | |||
97 | if (inherituninheritables) { | ||
98 | dst->clip_path_ref = src->clip_path_ref; | ||
99 | - dst->mask = src->mask; | ||
100 | + g_free (dst->mask); | ||
101 | + dst->mask = g_strdup (src->mask); | ||
102 | dst->enable_background = src->enable_background; | ||
103 | dst->adobe_blend = src->adobe_blend; | ||
104 | dst->opacity = src->opacity; | ||
105 | @@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con | ||
106 | void | ||
107 | rsvg_state_finalize (RsvgState * state) | ||
108 | { | ||
109 | + g_free (state->mask); | ||
110 | g_free (state->font_family); | ||
111 | g_free (state->lang); | ||
112 | rsvg_paint_server_unref (state->fill); | ||
113 | @@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx, | ||
114 | state->adobe_blend = 11; | ||
115 | else | ||
116 | state->adobe_blend = 0; | ||
117 | - } else if (g_str_equal (name, "mask")) | ||
118 | - state->mask = rsvg_mask_parse (ctx->priv->defs, value); | ||
119 | - else if (g_str_equal (name, "clip-path")) { | ||
120 | + } else if (g_str_equal (name, "mask")) { | ||
121 | + g_free (state->mask); | ||
122 | + state->mask = rsvg_get_url_string (value); | ||
123 | + } else if (g_str_equal (name, "clip-path")) { | ||
124 | state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value); | ||
125 | } else if (g_str_equal (name, "overflow")) { | ||
126 | if (!g_str_equal (value, "inherit")) { | ||
127 | Index: librsvg-2.40.10/rsvg-styles.h | ||
128 | =================================================================== | ||
129 | --- librsvg-2.40.10.orig/rsvg-styles.h | ||
130 | +++ librsvg-2.40.10/rsvg-styles.h | ||
131 | @@ -80,7 +80,7 @@ struct _RsvgState { | ||
132 | cairo_matrix_t personal_affine; | ||
133 | |||
134 | RsvgFilter *filter; | ||
135 | - void *mask; | ||
136 | + char *mask; | ||
137 | void *clip_path_ref; | ||
138 | guint8 adobe_blend; /* 0..11 */ | ||
139 | guint8 opacity; /* 0..255 */ | ||