3 files changed, 104 insertions, 23 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
index 5232cf70c6..a2dba6cb20 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -1,19 +1,20 @@
-There is a potential infinite-loop in function _arc_error_normalized().
+There is an assertion in function _cairo_arc_in_direction().
 CVE: CVE-2019-6461
 Upstream-Status: Pending
 Signed-off-by: Ross Burton <ross.burton@intel.com>
 diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..f9249dbeb 100644
+index 390397bae..1bde774a4 100644
 --- a/src/cairo-arc.c
 +++ b/src/cairo-arc.c
-@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t      *cr,
-     do {
+     if (cairo_status (cr))
-        angle = M_PI / i++;
+         return;
-        error = _arc_error_normalized (angle);
-    } while (error > tolerance);
-+    } while (error > tolerance && error > __DBL_EPSILON__);
 
-     return angle;
+-    assert (angle_max >= angle_min);
- }
+    if (angle_max < angle_min)
+       return;
+ 
+     if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+        angle_max = fmod (angle_max - angle_min, 2 * M_PI);
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
index 4e4598c5b5..7c3209291b 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -1,20 +1,40 @@
-There is an assertion in function _cairo_arc_in_direction().
 CVE: CVE-2019-6462
-Upstream-Status: Pending
+Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@gmx.de>
+Date: Sun, 1 Aug 2021 11:16:03 +0000
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..1bde774a4 100644
+index 390397bae..1c891d1a0 100644
 --- a/src/cairo-arc.c
 +++ b/src/cairo-arc.c
-@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t      *cr,
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
-     if (cairo_status (cr))
+        { M_PI / 11.0,  9.81410988043554039085e-09 },
-         return;
+     };
+     int table_size = ARRAY_LENGTH (table);
+    const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
 
-    assert (angle_max >= angle_min);
+     for (i = 0; i < table_size; i++)
-+    if (angle_max < angle_min)
+        if (table[i].error < tolerance)
-+       return;
+            return table[i].angle;
 
-     if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+     ++i;
-        angle_max = fmod (angle_max - angle_min, 2 * M_PI);
+
+     do {
+        angle = M_PI / i++;
+        error = _arc_error_normalized (angle);
+-    } while (error > tolerance);
+    } while (error > tolerance && i < max_segments);
+ 
+     return angle;
+ }
+-- 
+2.38.1
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..fb6ce5cfdf
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,60 @@
+Fix stack buffer overflow.
+CVE: CVE-2020-35492
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+---
+ src/cairo-image-compositor.c                |   8 ++--
+ test/Makefile.sources                       |   1 +
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
+ test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+ create mode 100644 test/reference/bug-image-compositor.ref.png
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
+@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+                    unsigned num_spans)
+ {
+     cairo_image_span_renderer_t *r = abstract_renderer;
+-    uint8_t *m;
+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+     int x0;
+ 
+     if (num_spans == 0)
+        return CAIRO_STATUS_SUCCESS;
+ 
+     x0 = spans[0].x;
+-    m = r->_buf;
+    m = base;
+     do {
+        int len = spans[1].x - spans[0].x;
+        if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+                                      spans[0].x, y,
+                                      spans[1].x - spans[0].x, h);
+ 
+-           m = r->_buf;
+           m = base;
+            x0 = spans[1].x;
+        } else if (spans[0].coverage == 0x0) {
+            if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+            }
+ 
+-           m = r->_buf;
+           m = base;
+            x0 = spans[1].x;
+        } else {
+            *m++ = spans[0].coverage;
+--

diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch index 5232cf70c6..a2dba6cb20 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -1,19 +1,20 @@
1	There is a potential infinite-loop in function _arc_error_normalized().	1	There is an assertion in function _cairo_arc_in_direction().
2		2
3	CVE: CVE-2019-6461	3	CVE: CVE-2019-6461
4	Upstream-Status: Pending	4	Upstream-Status: Pending
5	Signed-off-by: Ross Burton <ross.burton@intel.com>	5	Signed-off-by: Ross Burton <ross.burton@intel.com>
6		6
7	diff --git a/src/cairo-arc.c b/src/cairo-arc.c	7	diff --git a/src/cairo-arc.c b/src/cairo-arc.c
8	index 390397bae..f9249dbeb 100644	8	index 390397bae..1bde774a4 100644
9	--- a/src/cairo-arc.c	9	--- a/src/cairo-arc.c
10	+++ b/src/cairo-arc.c	10	+++ b/src/cairo-arc.c
11	@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)	11	@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
12	do {	12	if (cairo_status (cr))
13	angle = M_PI / i++;	13	return;
14	error = _arc_error_normalized (angle);
15	- } while (error > tolerance);
16	+ } while (error > tolerance && error > __DBL_EPSILON__);
17		14
18	return angle;	15	- assert (angle_max >= angle_min);
19	}	16	+ if (angle_max < angle_min)
		17	+ return;
		18
		19	if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
		20	angle_max = fmod (angle_max - angle_min, 2 * M_PI);


diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch index 4e4598c5b5..7c3209291b 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -1,20 +1,40 @@
1	There is an assertion in function _cairo_arc_in_direction().
2
3	CVE: CVE-2019-6462	1	CVE: CVE-2019-6462
4	Upstream-Status: Pending	2	Upstream-Status: Backport
5	Signed-off-by: Ross Burton <ross.burton@intel.com>	3	Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
		4
		5	From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
		6	From: Heiko Lewin <hlewin@gmx.de>
		7	Date: Sun, 1 Aug 2021 11:16:03 +0000
		8	Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
		9
		10	---
		11	src/cairo-arc.c \| 4 +++-
		12	1 file changed, 3 insertions(+), 1 deletion(-)
6		13
7	diff --git a/src/cairo-arc.c b/src/cairo-arc.c	14	diff --git a/src/cairo-arc.c b/src/cairo-arc.c
8	index 390397bae..1bde774a4 100644	15	index 390397bae..1c891d1a0 100644
9	--- a/src/cairo-arc.c	16	--- a/src/cairo-arc.c
10	+++ b/src/cairo-arc.c	17	+++ b/src/cairo-arc.c
11	@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,	18	@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
12	if (cairo_status (cr))	19	{ M_PI / 11.0, 9.81410988043554039085e-09 },
13	return;	20	};
		21	int table_size = ARRAY_LENGTH (table);
		22	+ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
14		23
15	- assert (angle_max >= angle_min);	24	for (i = 0; i < table_size; i++)
16	+ if (angle_max < angle_min)	25	if (table[i].error < tolerance)
17	+ return;	26	return table[i].angle;
18		27
19	if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {	28	++i;
20	angle_max = fmod (angle_max - angle_min, 2 * M_PI);	29	+
		30	do {
		31	angle = M_PI / i++;
		32	error = _arc_error_normalized (angle);
		33	- } while (error > tolerance);
		34	+ } while (error > tolerance && i < max_segments);
		35
		36	return angle;
		37	}
		38	--
		39	2.38.1
		40


diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..fb6ce5cfdf --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,60 @@
		1	Fix stack buffer overflow.
		2
		3	CVE: CVE-2020-35492
		4	Upstream-Status: Backport
		5	Signed-off-by: Ross Burton <ross.burton@arm.com>
		6
		7	From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
		8	From: Heiko Lewin <heiko.lewin@worldiety.de>
		9	Date: Tue, 15 Dec 2020 16:48:19 +0100
		10	Subject: [PATCH] Fix mask usage in image-compositor
		11
		12	---
		13	src/cairo-image-compositor.c \| 8 ++--
		14	test/Makefile.sources \| 1 +
		15	test/bug-image-compositor.c \| 39 ++++++++++++++++++++
		16	test/reference/bug-image-compositor.ref.png \| Bin 0 -> 185 bytes
		17	4 files changed, 44 insertions(+), 4 deletions(-)
		18	create mode 100644 test/bug-image-compositor.c
		19	create mode 100644 test/reference/bug-image-compositor.ref.png
		20
		21	diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
		22	index 79ad69f68..4f8aaed99 100644
		23	--- a/src/cairo-image-compositor.c
		24	+++ b/src/cairo-image-compositor.c
		25	@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
		26	unsigned num_spans)
		27	{
		28	cairo_image_span_renderer_t *r = abstract_renderer;
		29	- uint8_t *m;
		30	+ uint8_t m, base = (uint8_t*)pixman_image_get_data(r->mask);
		31	int x0;
		32
		33	if (num_spans == 0)
		34	return CAIRO_STATUS_SUCCESS;
		35
		36	x0 = spans[0].x;
		37	- m = r->_buf;
		38	+ m = base;
		39	do {
		40	int len = spans[1].x - spans[0].x;
		41	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
		42	@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
		43	spans[0].x, y,
		44	spans[1].x - spans[0].x, h);
		45
		46	- m = r->_buf;
		47	+ m = base;
		48	x0 = spans[1].x;
		49	} else if (spans[0].coverage == 0x0) {
		50	if (spans[0].x != x0) {
		51	@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
		52	#endif
		53	}
		54
		55	- m = r->_buf;
		56	+ m = base;
		57	x0 = spans[1].x;
		58	} else {
		59	*m++ = spans[0].coverage;
		60	--