diff options
Diffstat (limited to 'meta/recipes-graphics/cairo')
4 files changed, 105 insertions, 23 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch index 5232cf70c6..a2dba6cb20 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch | |||
@@ -1,19 +1,20 @@ | |||
1 | There is a potential infinite-loop in function _arc_error_normalized(). | 1 | There is an assertion in function _cairo_arc_in_direction(). |
2 | 2 | ||
3 | CVE: CVE-2019-6461 | 3 | CVE: CVE-2019-6461 |
4 | Upstream-Status: Pending | 4 | Upstream-Status: Pending |
5 | Signed-off-by: Ross Burton <ross.burton@intel.com> | 5 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
6 | 6 | ||
7 | diff --git a/src/cairo-arc.c b/src/cairo-arc.c | 7 | diff --git a/src/cairo-arc.c b/src/cairo-arc.c |
8 | index 390397bae..f9249dbeb 100644 | 8 | index 390397bae..1bde774a4 100644 |
9 | --- a/src/cairo-arc.c | 9 | --- a/src/cairo-arc.c |
10 | +++ b/src/cairo-arc.c | 10 | +++ b/src/cairo-arc.c |
11 | @@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) | 11 | @@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, |
12 | do { | 12 | if (cairo_status (cr)) |
13 | angle = M_PI / i++; | 13 | return; |
14 | error = _arc_error_normalized (angle); | ||
15 | - } while (error > tolerance); | ||
16 | + } while (error > tolerance && error > __DBL_EPSILON__); | ||
17 | 14 | ||
18 | return angle; | 15 | - assert (angle_max >= angle_min); |
19 | } | 16 | + if (angle_max < angle_min) |
17 | + return; | ||
18 | |||
19 | if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { | ||
20 | angle_max = fmod (angle_max - angle_min, 2 * M_PI); | ||
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch index 4e4598c5b5..7c3209291b 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch | |||
@@ -1,20 +1,40 @@ | |||
1 | There is an assertion in function _cairo_arc_in_direction(). | ||
2 | |||
3 | CVE: CVE-2019-6462 | 1 | CVE: CVE-2019-6462 |
4 | Upstream-Status: Pending | 2 | Upstream-Status: Backport |
5 | Signed-off-by: Ross Burton <ross.burton@intel.com> | 3 | Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> |
4 | |||
5 | From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001 | ||
6 | From: Heiko Lewin <hlewin@gmx.de> | ||
7 | Date: Sun, 1 Aug 2021 11:16:03 +0000 | ||
8 | Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop | ||
9 | |||
10 | --- | ||
11 | src/cairo-arc.c | 4 +++- | ||
12 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
6 | 13 | ||
7 | diff --git a/src/cairo-arc.c b/src/cairo-arc.c | 14 | diff --git a/src/cairo-arc.c b/src/cairo-arc.c |
8 | index 390397bae..1bde774a4 100644 | 15 | index 390397bae..1c891d1a0 100644 |
9 | --- a/src/cairo-arc.c | 16 | --- a/src/cairo-arc.c |
10 | +++ b/src/cairo-arc.c | 17 | +++ b/src/cairo-arc.c |
11 | @@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, | 18 | @@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) |
12 | if (cairo_status (cr)) | 19 | { M_PI / 11.0, 9.81410988043554039085e-09 }, |
13 | return; | 20 | }; |
21 | int table_size = ARRAY_LENGTH (table); | ||
22 | + const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ | ||
14 | 23 | ||
15 | - assert (angle_max >= angle_min); | 24 | for (i = 0; i < table_size; i++) |
16 | + if (angle_max < angle_min) | 25 | if (table[i].error < tolerance) |
17 | + return; | 26 | return table[i].angle; |
18 | 27 | ||
19 | if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { | 28 | ++i; |
20 | angle_max = fmod (angle_max - angle_min, 2 * M_PI); | 29 | + |
30 | do { | ||
31 | angle = M_PI / i++; | ||
32 | error = _arc_error_normalized (angle); | ||
33 | - } while (error > tolerance); | ||
34 | + } while (error > tolerance && i < max_segments); | ||
35 | |||
36 | return angle; | ||
37 | } | ||
38 | -- | ||
39 | 2.38.1 | ||
40 | |||
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..fb6ce5cfdf --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | Fix stack buffer overflow. | ||
2 | |||
3 | CVE: CVE-2020-35492 | ||
4 | Upstream-Status: Backport | ||
5 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
6 | |||
7 | From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 | ||
8 | From: Heiko Lewin <heiko.lewin@worldiety.de> | ||
9 | Date: Tue, 15 Dec 2020 16:48:19 +0100 | ||
10 | Subject: [PATCH] Fix mask usage in image-compositor | ||
11 | |||
12 | --- | ||
13 | src/cairo-image-compositor.c | 8 ++-- | ||
14 | test/Makefile.sources | 1 + | ||
15 | test/bug-image-compositor.c | 39 ++++++++++++++++++++ | ||
16 | test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes | ||
17 | 4 files changed, 44 insertions(+), 4 deletions(-) | ||
18 | create mode 100644 test/bug-image-compositor.c | ||
19 | create mode 100644 test/reference/bug-image-compositor.ref.png | ||
20 | |||
21 | diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c | ||
22 | index 79ad69f68..4f8aaed99 100644 | ||
23 | --- a/src/cairo-image-compositor.c | ||
24 | +++ b/src/cairo-image-compositor.c | ||
25 | @@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
26 | unsigned num_spans) | ||
27 | { | ||
28 | cairo_image_span_renderer_t *r = abstract_renderer; | ||
29 | - uint8_t *m; | ||
30 | + uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); | ||
31 | int x0; | ||
32 | |||
33 | if (num_spans == 0) | ||
34 | return CAIRO_STATUS_SUCCESS; | ||
35 | |||
36 | x0 = spans[0].x; | ||
37 | - m = r->_buf; | ||
38 | + m = base; | ||
39 | do { | ||
40 | int len = spans[1].x - spans[0].x; | ||
41 | if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { | ||
42 | @@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
43 | spans[0].x, y, | ||
44 | spans[1].x - spans[0].x, h); | ||
45 | |||
46 | - m = r->_buf; | ||
47 | + m = base; | ||
48 | x0 = spans[1].x; | ||
49 | } else if (spans[0].coverage == 0x0) { | ||
50 | if (spans[0].x != x0) { | ||
51 | @@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, | ||
52 | #endif | ||
53 | } | ||
54 | |||
55 | - m = r->_buf; | ||
56 | + m = base; | ||
57 | x0 = spans[1].x; | ||
58 | } else { | ||
59 | *m++ = spans[0].coverage; | ||
60 | -- | ||
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 8663dec404..4827374ffc 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb | |||
@@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ | |||
27 | file://CVE-2018-19876.patch \ | 27 | file://CVE-2018-19876.patch \ |
28 | file://CVE-2019-6461.patch \ | 28 | file://CVE-2019-6461.patch \ |
29 | file://CVE-2019-6462.patch \ | 29 | file://CVE-2019-6462.patch \ |
30 | file://CVE-2020-35492.patch \ | ||
30 | " | 31 | " |
31 | 32 | ||
32 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" | 33 | SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" |