Diffstat (limited to 'meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch')
-rw-r--r-- | meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch | 45 |
1 files changed, 45 insertions, 0 deletions
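--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
@@ -0,0 +1,45 @@
+From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Wed, 16 Aug 2017 22:52:35 -0400
+Subject: [PATCH] cairo: Fix CVE-2017-9814
+
+The bug happens because in some scenarios the variable size can
+have a value of 0 at line 1288. And malloc(0) is not returning
+NULL as some people could expect:
+
+https://stackoverflow.com/questions/1073157/zero-size-malloc
+
+malloc(0) returns the smallest chunk possible. So the line 1290
+with the return is not execute. And the execution continues with
+an invalid map.
+
+Since the size is 0 the variable map is not initialized correctly
+at load_trutype_table. So, later when the variable map is accessed
+previous values from a freed chunk are used. This could allows an
+attacker to control the variable map.
+
+This patch have not merge in upstream now.
+
+Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547]
+CVE: CVE-2017-9814
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
+---
+src/cairo-truetype-subset.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
+index e3449a0..f77d11c 100644
+--- a/src/cairo-truetype-subset.c
++++ b/src/cairo-truetype-subset.c
+@@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
+return CAIRO_INT_STATUS_UNSUPPORTED;
+
+size = be16_to_cpu (map->length);
+- map = malloc (size);
++ map = _cairo_malloc (size);
+if (unlikely (map == NULL))
+return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
+--
+2.8.1
+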
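Review bot: The NULL check after the replaced allocation still accepts any nonzero `map->length`, because the fix only relies on `_cairo_malloc (size)` refusing a zero size; if the code following this hunk reads a fixed-size subtable header out of `map`, a length between 1 and that header size would still pass, so an explicit bound before the allocation, `if (size < MIN_SUBTABLE_LEN) return CAIRO_INT_STATUS_UNSUPPORTED;` (with `MIN_SUBTABLE_LEN` a placeholder for the header size the later reads need), would make the guard independent of the allocator's zero-size behaviour — the rest of `_cairo_truetype_reverse_cmap` is outside the hunk, so this is inferred. The patch header contradicts itself: the message says "This patch have not merge in upstream now" while the trailer asserts `Upstream-Status: Backport`; for a fix that is not yet merged the OE convention is `Upstream-Status: Submitted [url]` or `Pending`, and the URL should point at the submission rather than just the bug. The diffstat is limited to the new patch file, so the recipe's `SRC_URI` entry that actually applies it is not visible here and should be confirmed to land in the same commit.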