Diffstat (limited to 'meta/recipes-graphics')
118 files changed, 6119 insertions, 460 deletions
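--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,3 +29,5 @@ do_install () {
 chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
+# -4178 is an unrelated 'builder'
+CVE_CHECK_WHITELIST = "CVE-2008-4178"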
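Review bot: The comment above `CVE_CHECK_WHITELIST` shortens the identifier to `-4178` and gives no reason beyond "unrelated", so a later audit of the exclusion list has to look the CVE up again to confirm the entry is still justified. Spell out the id and the reason in the comment, for example `# CVE-2008-4178 is reported against a different product that is also named 'builder'; it does not apply to this recipe`.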
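--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -1,19 +1,20 @@
-There is a potential infinite-loop in function _arc_error_normalized().
+There is an assertion in function _cairo_arc_in_direction().
 
 CVE: CVE-2019-6461
 Upstream-Status: Pending
 Signed-off-by: Ross Burton <ross.burton@intel.com>
 
 diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..f9249dbeb 100644
+index 390397bae..1bde774a4 100644
 --- a/src/cairo-arc.c
 +++ b/src/cairo-arc.c
-@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
-do {
-angle = M_PI / i++;
-error = _arc_error_normalized (angle);
-- } while (error > tolerance);
-+ } while (error > tolerance && error > __DBL_EPSILON__);
+@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
+if (cairo_status (cr))
+return;
 
-return angle;
-}
+- assert (angle_max >= angle_min);
++ if (angle_max < angle_min)
++ return;
+
+if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+angle_max = fmod (angle_max - angle_min, 2 * M_PI);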
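Review bot: The new guard `if (angle_max < angle_min) return;` makes `_cairo_arc_in_direction()` drop the arc without recording anything on `cr`, so a caller that passes an inverted range gets a silently shorter path where it used to get an abort. The patch header should state that behaviour, for example `Replace the reachable assert in _cairo_arc_in_direction() with an early return; an inverted angle range now adds no arc.` instead of the current one-line description. The patch is still marked `Upstream-Status: Pending`, so it is worth confirming whether upstream resolved CVE-2019-6461 differently. The function body continues past the end of the hunk.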
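--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -1,20 +1,40 @@
-There is an assertion in function _cairo_arc_in_direction().
-
 CVE: CVE-2019-6462
-Upstream-Status: Pending
-Signed-off-by: Ross Burton <ross.burton@intel.com>
+Upstream-Status: Backport
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+
+From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@gmx.de>
+Date: Sun, 1 Aug 2021 11:16:03 +0000
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+src/cairo-arc.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..1bde774a4 100644
+index 390397bae..1c891d1a0 100644
 --- a/src/cairo-arc.c
 +++ b/src/cairo-arc.c
-@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
-if (cairo_status (cr))
-return;
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+{ M_PI / 11.0, 9.81410988043554039085e-09 },
+};
+int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
 
-- assert (angle_max >= angle_min);
-+ if (angle_max < angle_min)
-+ return;
+for (i = 0; i < table_size; i++)
+if (table[i].error < tolerance)
+return table[i].angle;
 
-if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
-angle_max = fmod (angle_max - angle_min, 2 * M_PI);
+++i;
++
+do {
+angle = M_PI / i++;
+error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+return angle;
+}
+--
+2.38.1
+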
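Review bot: When the loop in `_arc_max_angle_for_tolerance_normalized()` stops because `i` has reached `max_segments`, the returned `angle` still has `error > tolerance`, and neither the comment on `max_segments` nor the patch header says that the requested tolerance is no longer guaranteed. A comment such as `/* cap the search; below this error the returned angle may not meet the requested tolerance */` would make the changed contract explicit. The header's `Upstream-Status: Backport` also carries no link to the upstream commit, unlike the freetype backports added in this same change.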
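--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,60 @@
+Fix stack buffer overflow.
+
+CVE: CVE-2020-35492
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+---
+src/cairo-image-compositor.c | 8 ++--
+test/Makefile.sources | 1 +
+test/bug-image-compositor.c | 39 ++++++++++++++++++++
+test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+4 files changed, 44 insertions(+), 4 deletions(-)
+create mode 100644 test/bug-image-compositor.c
+create mode 100644 test/reference/bug-image-compositor.ref.png
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+unsigned num_spans)
+{
+cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+int x0;
+
+if (num_spans == 0)
+return CAIRO_STATUS_SUCCESS;
+
+x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+do {
+int len = spans[1].x - spans[0].x;
+if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+spans[0].x, y,
+spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+x0 = spans[1].x;
+} else if (spans[0].coverage == 0x0) {
+if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+#endif
+}
+
+- m = r->_buf;
++ m = base;
+x0 = spans[1].x;
+} else {
+*m++ = spans[0].coverage;
+--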
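Review bot: The embedded diffstat lists four files, including the regression test `test/bug-image-compositor.c` and its reference image, but only the `src/cairo-image-compositor.c` hunks are carried and the header does not mention the omission. Add a line such as `Comment: test/ hunks dropped; only the src/cairo-image-compositor.c change is applied`, and put the upstream commit URL after `Upstream-Status: Backport`. Separately, the coverage bytes are now written through `base`, the data pointer of `r->mask`; the size of that image is not visible in these hunks, so the bound on `*m++` should be confirmed against the place where the mask is created.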
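--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
 file://CVE-2018-19876.patch \
 file://CVE-2019-6461.patch \
 file://CVE-2019-6462.patch \
+file://CVE-2020-35492.patch \
 "
 
 SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"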
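--- a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
@@ -1,5 +1,9 @@
 SUMMARY = "GStreamer integration library for Clutter"
+DESCRIPTION = "Clutter-Gst is an integration library for using GStreamer with Clutter. \
+It provides a GStreamer sink to upload frames to GL and an actor that \
+implements the ClutterGstPlayer interface using playbin."
 HOMEPAGE = "http://www.clutter-project.org/"
+BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter-gst/-/issues"
 LICENSE = "LGPLv2+"
 
 inherit clutter features_check upstream-version-is-even gobject-introspection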
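--- a/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
@@ -1,5 +1,10 @@
 SUMMARY = "Library for embedding a Clutter canvas in a GTK+ application"
+DESCRIPTION = "Clutter-GTK is a library providing facilities to integrate Clutter into GTK+ \
+applications and vice versa. It provides a GTK+ widget, GtkClutterEmbed, for embedding the \
+a Clutter stage into any GtkContainer; and GtkClutterActor, a Clutter \
+actor for embedding any GtkWidget inside a Clutter stage."
 HOMEPAGE = "http://www.clutter-project.org/"
+BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter/-/issues"
 LICENSE = "LGPLv2+"
 
 CLUTTERBASEBUILDCLASS = "meson"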
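Review bot: The new `DESCRIPTION` ends one line with `for embedding the \` and starts the next with `a Clutter stage`, which joins to "embedding the a Clutter stage"; drop the stray `the`. `BUGTRACKER` points at the `GNOME/clutter` project, while the clutter-gst recipe in the same change points at its own project; if clutter-gtk has a tracker of its own, the URL should name it.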
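--- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
 This is CVE-2020-15999.
 
 * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+CVE: CVE-2020-15999
 
 Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
 
 Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
 ---
 src/sfnt/pngshim.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)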
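--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+CVE: CVE-2022-27404
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
+Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+src/sfnt/sfobjs.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+
+/* value -(N+1) requests information on index N */
+- if ( face_instance_index < 0 )
++ if ( face_instance_index < 0 && face_index > 0 )
+face_index--;
+
+if ( face_index >= face->ttc_header.count )
+--
+GitLab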
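--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+`face_index`.
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+Fixes #1139.
+
+CVE: CVE-2022-27405
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+src/base/ftobjs.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+#endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+#ifdef FT_DEBUG_LEVEL_TRACE
+FT_TRACE3(( "FT_Open_Face: " ));
+if ( face_index < 0 )
+--
+GitLab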
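Review bot: In the `else` branch the mask is applied before the negation, so a negative `face_index` is not preserved: in two's complement, -1 becomes `0x7FFFFFFF` after `face_index &= 0x7FFFFFFFL` and then -0x7FFFFFFF after `face_index = -face_index`. Any caller that passes a small negative index would therefore hand a very different value to the code below the guard. Negating first keeps the magnitude: `face_index = -face_index; face_index &= 0x7FFFFFFFL; face_index = -face_index;`. It is worth checking whether upstream later corrected this block and carrying that correction in the same backport. The enclosing function starts and ends outside the hunk.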
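--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+CVE: CVE-2022-27406
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+src/base/ftobjs.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+if ( !face )
+return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+if ( !req || req->width < 0 || req->height < 0 ||
+req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+return FT_THROW( Invalid_Argument );
+--
+GitLab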
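--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+overflow.
+
+Reported as
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+src/truetype/ttgxvar.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+#include FT_INTERNAL_DEBUG_H
+#include FT_CONFIG_CONFIG_H
+#include FT_INTERNAL_STREAM_H
++#include <freetype/internal/ftcalc.h>
+#include FT_INTERNAL_SFNT_H
+#include FT_TRUETYPE_TAGS_H
+#include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+delta == 1 ? "" : "s",
+vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+Exit:
+return error;
+--
+2.17.1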
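Review bot: The added `#include <freetype/internal/ftcalc.h>` does not follow the macro-include convention of the lines around it (`#include FT_INTERNAL_STREAM_H`, `#include FT_INTERNAL_SFNT_H`); if this release defines `FT_INTERNAL_CALC_H`, use `#include FT_INTERNAL_CALC_H` so the header is resolved the same way as its neighbours. If the include hunk is not part of the upstream commit, the header should say so with a `Comment:` line, as the other freetype backports in this change do for their deviations.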
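--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -15,6 +15,10 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
 file://use-right-libtool.patch \
 file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
+file://CVE-2022-27404.patch \
+file://CVE-2022-27405.patch \
+file://CVE-2022-27406.patch \
+file://CVE-2023-2004.patch \
 "
 SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
 SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"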
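--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Submitted [https://github.com/nigels-com/glew/pull/311]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 0ce0a85597db48a2fca619bd95e34af091e54ae8 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 22 Jul 2021 16:31:11 +0100
+Subject: [PATCH] Fix build race in Makefile
+
+The current rule for the binaries is:
+
+glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+
+In parallel builds, all of those targets happen at the same time. This
+means that 'bin' can happen *after* 'bin/$(GLEWINFO.BIN)', which is a
+problem as the 'bin' target's responsibility is to create the directory
+that the other target writes into.
+
+Solve this by not having a separate 'create directory' target which is
+fundamentally racy, and simply mkdir in each target which writes into it.
+---
+Makefile | 9 ++++-----
+1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d0e4614..04af44c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -171,21 +171,20 @@ VISUALINFO.BIN.OBJ := $(VISUALINFO.BIN.OBJ:.c=.o)
+# Don't build glewinfo or visualinfo for NaCL, yet.
+
+ifneq ($(filter nacl%,$(SYSTEM)),)
+-glew.bin: glew.lib bin
++glew.bin: glew.lib
+else
+-glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
++glew.bin: glew.lib bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+endif
+
+-bin:
+- mkdir bin
+-
+bin/$(GLEWINFO.BIN): $(GLEWINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+$(CC) $(CFLAGS) -o $@ $(GLEWINFO.BIN.OBJ) $(BIN.LIBS)
+ifneq ($(STRIP),)
+$(STRIP) -x $@
+endif
+
+bin/$(VISUALINFO.BIN): $(VISUALINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+$(CC) $(CFLAGS) -o $@ $(VISUALINFO.BIN.OBJ) $(BIN.LIBS)
+ifneq ($(STRIP),)
+$(STRIP) -x $@
+--
+2.25.1
+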
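--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/notempdir.patch
@@ -0,0 +1,19 @@
+We don't use the dist-* targets and hence DIST_DIR isn't used. The current code
+creates a new temp directory in /tmp/ for every invocation of make. Lets
+not do that.
+
+Upstream-Status: Pending [a revised version would be needed for upstream]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: glew-2.2.0/Makefile
+===================================================================
+--- glew-2.2.0.orig/Makefile
++++ glew-2.2.0/Makefile
+@@ -56,7 +56,6 @@ DIST_SRC_ZIP ?= $(shell pwd)/$(DIST_NAME
+DIST_SRC_TGZ ?= $(shell pwd)/$(DIST_NAME).tgz
+DIST_WIN32 ?= $(shell pwd)/$(DIST_NAME)-win32.zip
+
+-DIST_DIR := $(shell mktemp -d /tmp/glew.XXXXXX)/$(DIST_NAME)
+
+# To disable stripping of linked binaries either:
+# - use STRIP= on gmake command-line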
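Review bot: Removing `DIST_DIR := $(shell mktemp -d /tmp/glew.XXXXXX)/$(DIST_NAME)` leaves `DIST_DIR` empty for any rule that still expands it, so a dist-* target run by hand would build its paths from an empty prefix (for example `$(DIST_DIR)/x` becoming `/x`). The rest of the Makefile is outside this hunk, so which rules expand it is not visible here. Making the failure explicit keeps the fix and removes that hazard: `DIST_DIR = $(error DIST_DIR is unset; dist-* targets are disabled in this build)`, which only fires when the variable is actually expanded.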
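--- a/meta/recipes-graphics/glew/glew_2.2.0.bb
+++ b/meta/recipes-graphics/glew/glew_2.2.0.bb
@@ -6,6 +6,8 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \
+file://0001-Fix-build-race-in-Makefile.patch \
+file://notempdir.patch \
 file://no-strip.patch"
 
 SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7"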
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch new file mode 100644 index 0000000000..90d4cfefb4 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch | |||
@@ -0,0 +1,335 @@ | |||
1 | From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Behdad Esfahbod <behdad@behdad.org> | ||
3 | Date: Sat, 4 Dec 2021 19:50:33 -0800 | ||
4 | Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT | ||
5 | |||
6 | Fixes https://github.com/harfbuzz/harfbuzz/issues/1463 | ||
7 | Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8] | ||
8 | Comment1: To backport the fix for CVE-2023-25193, add defination for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with CVE-2023-25193-pre1.patch for sucessfull porting. | ||
9 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
10 | --- | ||
11 | src/hb-buffer.cc | 10 ++--- | ||
12 | src/hb-buffer.h | 76 ++++++++++++++++++++++++++++++------ | ||
13 | src/hb-buffer.hh | 33 ++++++++++------ | ||
14 | src/hb-ot-layout-gsubgpos.hh | 39 +++++++++++++++--- | ||
15 | src/hb-ot-shape.cc | 8 +--- | ||
16 | 5 files changed, 124 insertions(+), 42 deletions(-) | ||
17 | |||
18 | diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc | ||
19 | index 6131c86..bba5eae 100644 | ||
20 | --- a/src/hb-buffer.cc | ||
21 | +++ b/src/hb-buffer.cc | ||
22 | @@ -610,14 +610,14 @@ done: | ||
23 | } | ||
24 | |||
25 | void | ||
26 | -hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end) | ||
27 | +hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, hb_mask_t mask) | ||
28 | { | ||
29 | unsigned int cluster = (unsigned int) -1; | ||
30 | cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster); | ||
31 | - _unsafe_to_break_set_mask (info, start, end, cluster); | ||
32 | + _unsafe_to_break_set_mask (info, start, end, cluster, mask); | ||
33 | } | ||
34 | void | ||
35 | -hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end) | ||
36 | +hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, hb_mask_t mask) | ||
37 | { | ||
38 | if (!have_output) | ||
39 | { | ||
40 | @@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en | ||
41 | unsigned int cluster = (unsigned int) -1; | ||
42 | cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, cluster); | ||
43 | cluster = _unsafe_to_break_find_min_cluster (info, idx, end, cluster); | ||
44 | - _unsafe_to_break_set_mask (out_info, start, out_len, cluster); | ||
45 | - _unsafe_to_break_set_mask (info, idx, end, cluster); | ||
46 | + _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask); | ||
47 | + _unsafe_to_break_set_mask (info, idx, end, cluster, mask); | ||
48 | } | ||
49 | |||
50 | void | ||
51 | diff --git a/src/hb-buffer.h b/src/hb-buffer.h | ||
52 | index d5cb746..42dc92a 100644 | ||
53 | --- a/src/hb-buffer.h | ||
54 | +++ b/src/hb-buffer.h | ||
55 | @@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t | ||
56 | * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at the | ||
57 | * beginning of the cluster this glyph is part of, | ||
58 | * then both sides need to be re-shaped, as the | ||
59 | - * result might be different. On the flip side, | ||
60 | - * it means that when this flag is not present, | ||
61 | - * then it's safe to break the glyph-run at the | ||
62 | - * beginning of this cluster, and the two sides | ||
63 | - * represent the exact same result one would get | ||
64 | - * if breaking input text at the beginning of | ||
65 | - * this cluster and shaping the two sides | ||
66 | - * separately. This can be used to optimize | ||
67 | - * paragraph layout, by avoiding re-shaping | ||
68 | - * of each line after line-breaking, or limiting | ||
69 | - * the reshaping to a small piece around the | ||
70 | - * breaking point only. | ||
71 | + * result might be different. | ||
72 | + * | ||
73 | + * On the flip side, it means that when this | ||
74 | + * flag is not present, then it is safe to break | ||
75 | + * the glyph-run at the beginning of this | ||
76 | + * cluster, and the two sides will represent the | ||
77 | + * exact same result one would get if breaking | ||
78 | + * input text at the beginning of this cluster | ||
79 | + * and shaping the two sides separately. | ||
80 | + * | ||
81 | + * This can be used to optimize paragraph | ||
82 | + * layout, by avoiding re-shaping of each line | ||
83 | + * after line-breaking. | ||
84 | + * | ||
85 | + * @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT: Indicates that if input text is changed on one | ||
86 | + * side of the beginning of the cluster this glyph | ||
87 | + * is part of, then the shaping results for the | ||
88 | + * other side might change. | ||
89 | + * | ||
90 | + * Note that the absence of this flag will NOT by | ||
91 | + * itself mean that it IS safe to concat text. | ||
92 | + * Only two pieces of text both of which clear of | ||
93 | + * this flag can be concatenated safely. | ||
94 | + * | ||
95 | + * This can be used to optimize paragraph | ||
96 | + * layout, by avoiding re-shaping of each line | ||
97 | + * after line-breaking, by limiting the | ||
98 | + * reshaping to a small piece around the | ||
99 | + * breaking positin only, even if the breaking | ||
100 | + * position carries the | ||
101 | + * #HB_GLYPH_FLAG_UNSAFE_TO_BREAK or when | ||
102 | + * hyphenation or other text transformation | ||
103 | + * happens at line-break position, in the following | ||
104 | + * way: | ||
105 | + * | ||
106 | + * 1. Iterate back from the line-break position till | ||
107 | + * the the first cluster start position that is | ||
108 | + * NOT unsafe-to-concat, 2. shape the segment from | ||
109 | + * there till the end of line, 3. check whether the | ||
110 | + * resulting glyph-run also is clear of the | ||
111 | + * unsafe-to-concat at its start-of-text position; | ||
112 | + * if it is, just splice it into place and the line | ||
113 | + * is shaped; If not, move on to a position further | ||
114 | + * back that is clear of unsafe-to-concat and retry | ||
115 | + * from there, and repeat. | ||
116 | + * | ||
117 | + * At the start of next line a similar algorithm can | ||
118 | + * be implemented. A slight complication will arise, | ||
119 | + * because while our buffer API has a way to | ||
120 | + * return flags for position corresponding to | ||
121 | + * start-of-text, there is currently no position | ||
122 | + * corresponding to end-of-text. This limitation | ||
123 | + * can be alleviated by shaping more text than needed | ||
124 | + * and looking for unsafe-to-concat flag within text | ||
125 | + * clusters. | ||
126 | + * | ||
127 | + * The #HB_GLYPH_FLAG_UNSAFE_TO_BREAK flag will | ||
128 | + * always imply this flag. | ||
129 | + * | ||
130 | + * Since: REPLACEME | ||
131 | + * | ||
132 | * @HB_GLYPH_FLAG_DEFINED: All the currently defined flags. | ||
133 | * | ||
134 | * Since: 1.5.0 | ||
135 | */ | ||
136 | typedef enum { /*< flags >*/ | ||
137 | HB_GLYPH_FLAG_UNSAFE_TO_BREAK = 0x00000001, | ||
138 | + HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002, | ||
139 | |||
140 | - HB_GLYPH_FLAG_DEFINED = 0x00000001 /* OR of all defined flags */ | ||
141 | + HB_GLYPH_FLAG_DEFINED = 0x00000003 /* OR of all defined flags */ | ||
142 | } hb_glyph_flags_t; | ||
143 | |||
144 | HB_EXTERN hb_glyph_flags_t | ||
145 | diff --git a/src/hb-buffer.hh b/src/hb-buffer.hh | ||
146 | index b5596d9..beac7b6 100644 | ||
147 | --- a/src/hb-buffer.hh | ||
148 | +++ b/src/hb-buffer.hh | ||
149 | @@ -67,8 +67,8 @@ enum hb_buffer_scratch_flags_t { | ||
150 | HB_BUFFER_SCRATCH_FLAG_HAS_DEFAULT_IGNORABLES = 0x00000002u, | ||
151 | HB_BUFFER_SCRATCH_FLAG_HAS_SPACE_FALLBACK = 0x00000004u, | ||
152 | HB_BUFFER_SCRATCH_FLAG_HAS_GPOS_ATTACHMENT = 0x00000008u, | ||
153 | - HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK = 0x00000010u, | ||
154 | - HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000020u, | ||
155 | + HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000010u, | ||
156 | + HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS = 0x00000020u, | ||
157 | |||
158 | /* Reserved for complex shapers' internal use. */ | ||
159 | HB_BUFFER_SCRATCH_FLAG_COMPLEX0 = 0x01000000u, | ||
160 | @@ -324,8 +324,19 @@ struct hb_buffer_t | ||
161 | return; | ||
162 | unsafe_to_break_impl (start, end); | ||
163 | } | ||
164 | - HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end); | ||
165 | - HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end); | ||
166 | + void unsafe_to_concat (unsigned int start, | ||
167 | + unsigned int end) | ||
168 | + { | ||
169 | + if (end - start < 2) | ||
170 | + return; | ||
171 | + unsafe_to_break_impl (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); | ||
172 | + } | ||
173 | + HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end, | ||
174 | + hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); | ||
175 | + HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, | ||
176 | + hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); | ||
177 | + void unsafe_to_concat_from_outbuffer (unsigned int start, unsigned int end) | ||
178 | + { unsafe_to_break_from_outbuffer (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); } | ||
179 | |||
180 | |||
181 | /* Internal methods */ | ||
182 | @@ -377,12 +388,7 @@ struct hb_buffer_t | ||
183 | set_cluster (hb_glyph_info_t &inf, unsigned int cluster, unsigned int mask = 0) | ||
184 | { | ||
185 | if (inf.cluster != cluster) | ||
186 | - { | ||
187 | - if (mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK) | ||
188 | - inf.mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK; | ||
189 | - else | ||
190 | - inf.mask &= ~HB_GLYPH_FLAG_UNSAFE_TO_BREAK; | ||
191 | - } | ||
192 | + inf.mask = (inf.mask & ~HB_GLYPH_FLAG_DEFINED) | (mask & HB_GLYPH_FLAG_DEFINED); | ||
193 | inf.cluster = cluster; | ||
194 | } | ||
195 | |||
196 | @@ -398,13 +404,14 @@ struct hb_buffer_t | ||
197 | void | ||
198 | _unsafe_to_break_set_mask (hb_glyph_info_t *infos, | ||
199 | unsigned int start, unsigned int end, | ||
200 | - unsigned int cluster) | ||
201 | + unsigned int cluster, | ||
202 | + hb_mask_t mask) | ||
203 | { | ||
204 | for (unsigned int i = start; i < end; i++) | ||
205 | if (cluster != infos[i].cluster) | ||
206 | { | ||
207 | - scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK; | ||
208 | - infos[i].mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK; | ||
209 | + scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS; | ||
210 | + infos[i].mask |= mask; | ||
211 | } | ||
212 | } | ||
213 | |||
214 | diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh | ||
215 | index 579d178..a6ca456 100644 | ||
216 | --- a/src/hb-ot-layout-gsubgpos.hh | ||
217 | +++ b/src/hb-ot-layout-gsubgpos.hh | ||
218 | @@ -369,7 +369,7 @@ struct hb_ot_apply_context_t : | ||
219 | may_skip (const hb_glyph_info_t &info) const | ||
220 | { return matcher.may_skip (c, info); } | ||
221 | |||
222 | - bool next () | ||
223 | + bool next (unsigned *unsafe_to = nullptr) | ||
224 | { | ||
225 | assert (num_items > 0); | ||
226 | while (idx + num_items < end) | ||
227 | @@ -392,11 +392,17 @@ struct hb_ot_apply_context_t : | ||
228 | } | ||
229 | |||
230 | if (skip == matcher_t::SKIP_NO) | ||
231 | + { | ||
232 | + if (unsafe_to) | ||
233 | + *unsafe_to = idx + 1; | ||
234 | return false; | ||
235 | + } | ||
236 | } | ||
237 | + if (unsafe_to) | ||
238 | + *unsafe_to = end; | ||
239 | return false; | ||
240 | } | ||
241 | - bool prev () | ||
242 | + bool prev (unsigned *unsafe_from = nullptr) | ||
243 | { | ||
244 | assert (num_items > 0); | ||
245 | while (idx > num_items - 1) | ||
246 | @@ -419,8 +425,14 @@ struct hb_ot_apply_context_t : | ||
247 | } | ||
248 | |||
249 | if (skip == matcher_t::SKIP_NO) | ||
250 | + { | ||
251 | + if (unsafe_from) | ||
252 | + *unsafe_from = hb_max (1u, idx) - 1u; | ||
253 | return false; | ||
254 | + } | ||
255 | } | ||
256 | + if (unsafe_from) | ||
257 | + *unsafe_from = 0; | ||
258 | return false; | ||
259 | } | ||
260 | |||
261 | @@ -834,7 +846,12 @@ static inline bool match_input (hb_ot_apply_context_t *c, | ||
262 | match_positions[0] = buffer->idx; | ||
263 | for (unsigned int i = 1; i < count; i++) | ||
264 | { | ||
265 | - if (!skippy_iter.next ()) return_trace (false); | ||
266 | + unsigned unsafe_to; | ||
267 | + if (!skippy_iter.next (&unsafe_to)) | ||
268 | + { | ||
269 | + c->buffer->unsafe_to_concat (c->buffer->idx, unsafe_to); | ||
270 | + return_trace (false); | ||
271 | + } | ||
272 | |||
273 | match_positions[i] = skippy_iter.idx; | ||
274 | |||
275 | @@ -1022,8 +1039,14 @@ static inline bool match_backtrack (hb_ot_apply_context_t *c, | ||
276 | skippy_iter.set_match_func (match_func, match_data, backtrack); | ||
277 | |||
278 | for (unsigned int i = 0; i < count; i++) | ||
279 | - if (!skippy_iter.prev ()) | ||
280 | + { | ||
281 | + unsigned unsafe_from; | ||
282 | + if (!skippy_iter.prev (&unsafe_from)) | ||
283 | + { | ||
284 | + c->buffer->unsafe_to_concat_from_outbuffer (unsafe_from, c->buffer->idx); | ||
285 | return_trace (false); | ||
286 | + } | ||
287 | + } | ||
288 | |||
289 | *match_start = skippy_iter.idx; | ||
290 | |||
291 | @@ -1045,8 +1068,14 @@ static inline bool match_lookahead (hb_ot_apply_context_t *c, | ||
292 | skippy_iter.set_match_func (match_func, match_data, lookahead); | ||
293 | |||
294 | for (unsigned int i = 0; i < count; i++) | ||
295 | - if (!skippy_iter.next ()) | ||
296 | + { | ||
297 | + unsigned unsafe_to; | ||
298 | + if (!skippy_iter.next (&unsafe_to)) | ||
299 | + { | ||
300 | + c->buffer->unsafe_to_concat (c->buffer->idx + offset, unsafe_to); | ||
301 | return_trace (false); | ||
302 | + } | ||
303 | + } | ||
304 | |||
305 | *end_index = skippy_iter.idx + 1; | ||
306 | |||
307 | diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc | ||
308 | index 5d9a70c..5d10b30 100644 | ||
309 | --- a/src/hb-ot-shape.cc | ||
310 | +++ b/src/hb-ot-shape.cc | ||
311 | @@ -1008,7 +1008,7 @@ hb_propagate_flags (hb_buffer_t *buffer) | ||
312 | /* Propagate cluster-level glyph flags to be the same on all cluster glyphs. | ||
313 | * Simplifies using them. */ | ||
314 | |||
315 | - if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK)) | ||
316 | + if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS)) | ||
317 | return; | ||
318 | |||
319 | hb_glyph_info_t *info = buffer->info; | ||
320 | @@ -1017,11 +1017,7 @@ hb_propagate_flags (hb_buffer_t *buffer) | ||
321 | { | ||
322 | unsigned int mask = 0; | ||
323 | for (unsigned int i = start; i < end; i++) | ||
324 | - if (info[i].mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK) | ||
325 | - { | ||
326 | - mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK; | ||
327 | - break; | ||
328 | - } | ||
329 | + mask |= info[i].mask & HB_GLYPH_FLAG_DEFINED; | ||
330 | if (mask) | ||
331 | for (unsigned int i = start; i < end; i++) | ||
332 | info[i].mask |= mask; | ||
333 | -- | ||
334 | 2.25.1 | ||
335 | |||
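--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
@@ -0,0 +1,135 @@
+From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 13:08:52 -0700
+Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match()
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324]
+Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+src/hb-ot-layout-gsubgpos.hh | 94 +++++++++++++++++++++---------------
+1 file changed, 54 insertions(+), 40 deletions(-)
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index a6ca456..5a7e564 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -369,33 +369,52 @@ struct hb_ot_apply_context_t :
+may_skip (const hb_glyph_info_t &info) const
+{ return matcher.may_skip (c, info); }
+
++ enum match_t {
++ MATCH,
++ NOT_MATCH,
++ SKIP
++ };
++
++ match_t match (hb_glyph_info_t &info)
++ {
++ matcher_t::may_skip_t skip = matcher.may_skip (c, info);
++ if (unlikely (skip == matcher_t::SKIP_YES))
++ return SKIP;
++
++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
++ if (match == matcher_t::MATCH_YES ||
++ (match == matcher_t::MATCH_MAYBE &&
++ skip == matcher_t::SKIP_NO))
++ return MATCH;
++
++ if (skip == matcher_t::SKIP_NO)
++ return NOT_MATCH;
++
++ return SKIP;
++ }
++
+bool next (unsigned *unsafe_to = nullptr)
+{
+assert (num_items > 0);
+while (idx + num_items < end)
+{
+idx++;
+- const hb_glyph_info_t &info = c->buffer->info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
+- {
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
++ switch (match (c->buffer->info[idx]))
+{
+- if (unsafe_to)
+- *unsafe_to = idx + 1;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_to)
++ *unsafe_to = idx + 1;
++ return false;
++ }
++ case SKIP:
++ continue;
+}
+}
+if (unsafe_to)
+@@ -408,27 +427,22 @@ struct hb_ot_apply_context_t :
+while (idx > num_items - 1)
+{
+idx--;
+- const hb_glyph_info_t &info = c->buffer->out_info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
++ switch (match (c->buffer->out_info[idx]))
+{
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
+- {
+- if (unsafe_from)
+- *unsafe_from = hb_max (1u, idx) - 1u;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_from)
++ *unsafe_from = hb_max (1u, idx) - 1u;
++ return false;
++ }
++ case SKIP:
++ continue;
+}
+}
+if (unsafe_from)
+--
+2.25.1
+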
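Review bot: The new `match ()` helper takes `hb_glyph_info_t &info` by non-const reference although it only reads the glyph, whereas the code it replaces in `next ()` and `prev ()` bound `const hb_glyph_info_t &info`; declaring it `match_t match (const hb_glyph_info_t &info)` would keep that read-only guarantee. Inside the helper the local `matcher_t::may_match_t match` shadows the method's own name, so renaming the local (for example `may_match_t m`) would read more clearly. The two `switch` statements handle all three enumerators but have no `default`, so a one-line comment such as `/* SKIP is the only case that keeps iterating */` would help the next backporter. The enclosing struct starts and ends outside these hunks.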
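--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -0,0 +1,179 @@
+From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 14:51:25 -0700
+Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]
+Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] causes regression and was reverted. This Patch completes the fix.
+Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
+CVE: CVE-2023-25193
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++----------
+src/hb-ot-layout-gsubgpos.hh | 5 +-
+2 files changed, 78 insertions(+), 30 deletions(-)
+
+diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
+index 024312d..db5f9ae 100644
+--- a/src/hb-ot-layout-gpos-table.hh
++++ b/src/hb-ot-layout-gpos-table.hh
+@@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
+
+const Coverage &get_coverage () const { return this+markCoverage; }
+
++ static inline bool accept (hb_buffer_t *buffer, unsigned idx)
++ {
++ /* We only want to attach to the first of a MultipleSubst sequence.
++ * https://github.com/harfbuzz/harfbuzz/issues/740
++ * Reject others...
++ * ...but stop if we find a mark in the MultipleSubst sequence:
++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */
++ return !_hb_glyph_info_multiplied (&buffer->info[idx]) ||
++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) ||
++ (idx == 0 ||
++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) ||
++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1
++ );
++ }
++
+bool apply (hb_ot_apply_context_t *c) const
+{
+TRACE_APPLY (this);
+@@ -1465,37 +1484,46 @@ struct MarkBasePosFormat1
+unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint);
+if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+- /* Now we search backwards for a non-mark glyph */
++ /* Now we search backwards for a non-mark glyph.
++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */
++
+hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- do {
+- if (!skippy_iter.prev ()) return_trace (false);
+- /* We only want to attach to the first of a MultipleSubst sequence.
+- * https://github.com/harfbuzz/harfbuzz/issues/740
+- * Reject others...
+- * ...but stop if we find a mark in the MultipleSubst sequence:
+- * https://github.com/harfbuzz/harfbuzz/issues/1020 */
+- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) ||
+- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) ||
+- (skippy_iter.idx == 0 ||
+- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx - 1]) + 1
+- ))
+- break;
+- skippy_iter.reject ();
+- } while (true);
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ if (!accept (buffer, j - 1))
++ match = skippy_iter.SKIP;
++ }
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ unsigned idx = (unsigned) c->last_base;
+
+/* Checking that matched glyph is actually a base glyph by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_base_glyph (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint);
+- if (base_index == NOT_COVERED) return_trace (false);
++ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint);
++ if (base_index == NOT_COVERED)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
++ return_trace (false);
++ }
+
+- return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, skippy_iter.idx));
++ return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, idx));
+}
+
+bool subset (hb_subset_context_t *c) const
+@@ -1587,15 +1615,32 @@ struct MarkLigPosFormat1
+if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+/* Now we search backwards for a non-mark glyph */
++
+hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- if (!skippy_iter.prev ()) return_trace (false);
++
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ j = (unsigned) c->last_base;
+
+/* Checking that matched glyph is actually a ligature by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_ligature (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_ligature (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int j = skippy_iter.idx;
+unsigned int lig_index = (this+ligatureCoverage).get_coverage (buffer->info[j].codepoint);
+if (lig_index == NOT_COVERED) return_trace (false);
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 5a7e564..437123c 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -503,6 +503,9 @@ struct hb_ot_apply_context_t :
+uint32_t random_state;
+
+
++ signed last_base = -1; // GPOS uses
++ unsigned last_base_until = 0; // GPOS uses
++
+hb_ot_apply_context_t (unsigned int table_index_,
+hb_font_t *font_,
+hb_buffer_t *buffer_) :
+@@ -536,7 +539,7 @@ struct hb_ot_apply_context_t :
+iter_context.init (this, true);
+}
+
+- void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); }
++ void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); }
+void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
+void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
+void set_random (bool random_) { random = random_; }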
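Review bot: The cached `c->last_base` / `c->last_base_until` pair is reset only in `set_lookup_mask ()`, so in both `MarkBasePosFormat1::apply` and `MarkLigPosFormat1::apply` a call with `buffer->idx` at or below `last_base_until` skips the backwards `for` loop and indexes `buffer->info[]` with the stale `last_base`, which may no longer precede the current mark. Whether `buffer->idx` can move backwards between calls without `set_lookup_mask ()` running is not visible in these hunks, so a defensive guard before each loop seems worthwhile: `if (c->last_base_until > buffer->idx) { c->last_base_until = 0; c->last_base = -1; }`. Separately, the MarkLigPos path still returns on `lig_index == NOT_COVERED` without the `unsafe_to_concat_from_outbuffer (...)` call that the MarkBasePos path now makes. Its commented-out GDEF check also names `idx`, which that function does not declare in the visible lines (the variable there is `j`).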
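--- a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
@@ -7,7 +7,10 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e11f5c3149cdec4bb309babb020b32b9 \
 file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc"
 
-SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz"
+SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz \
+file://CVE-2023-25193-pre0.patch \
+file://CVE-2023-25193-pre1.patch \
+file://CVE-2023-25193.patch"
 SRC_URI[md5sum] = "2b3a4dfdb3e5e50055f941978944da9f"
 SRC_URI[sha256sum] = "9413b8d96132d699687ef914ebb8c50440efc87b3f775d25856d7ec347c03c12"
 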
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch new file mode 100644 index 0000000000..8a52ed01e9 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch | |||
@@ -0,0 +1,457 @@ | |||
1 | From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001 | ||
2 | From: DRC <information@libjpeg-turbo.org> | ||
3 | Date: Thu, 23 Jul 2020 21:24:38 -0500 | ||
4 | Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp | ||
5 | |||
6 | The additional segfault mentioned in #244 was due to the fact that | ||
7 | the merged upsamplers use a different private structure than the | ||
8 | non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so | ||
9 | when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one | ||
10 | of the IDCT method pointers in the merged upsampler's private structure. | ||
11 | |||
12 | For reasons unknown, the test image in #441 did not encounter this | ||
13 | segfault (too small?), but it encountered an issue similar to the one | ||
14 | fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was | ||
15 | necessary to set up a dummy postprocessing function in | ||
16 | read_and_discard_scanlines() when merged upsampling was enabled. | ||
17 | Failing to do so caused either a segfault in merged_2v_upsample() (due | ||
18 | to a NULL pointer being passed to jcopy_sample_rows()) or an error | ||
19 | ("Corrupt JPEG data: premature end of data segment"), depending on the | ||
20 | number of scanlines skipped and whether the first scanline skipped was | ||
21 | an odd- or even-numbered row. | ||
22 | |||
23 | Fixes #441 | ||
24 | Fixes #244 (for real this time) | ||
25 | |||
26 | Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30] | ||
27 | CVE: CVE-2020-35538 | ||
28 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
29 | --- | ||
30 | ChangeLog.md | 7 +++++ | ||
31 | jdapistd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++------ | ||
32 | jdmerge.c | 46 +++++++-------------------------- | ||
33 | jdmerge.h | 47 ++++++++++++++++++++++++++++++++++ | ||
34 | jdmrg565.c | 10 ++++---- | ||
35 | jdmrgext.c | 6 ++--- | ||
36 | 6 files changed, 135 insertions(+), 53 deletions(-) | ||
37 | create mode 100644 jdmerge.h | ||
38 | |||
39 | diff --git a/ChangeLog.md b/ChangeLog.md | ||
40 | index 2ebfe71..19d18fa 100644 | ||
41 | --- a/ChangeLog.md | ||
42 | +++ b/ChangeLog.md | ||
43 | @@ -54,6 +54,13 @@ a 16-bit binary PGM file into an RGB image buffer. | ||
44 | generated when using the `tjLoadImage()` function to load a 16-bit binary PPM | ||
45 | file into an extended RGB image buffer. | ||
46 | |||
47 | +2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors | ||
48 | +in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG | ||
49 | +images using the merged (non-fancy) upsampling algorithms (that is, when | ||
50 | +setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix, | ||
51 | +but it did not cover all cases. | ||
52 | + | ||
53 | + | ||
54 | 2.0.3 | ||
55 | ===== | ||
56 | |||
57 | diff --git a/jdapistd.c b/jdapistd.c | ||
58 | index 2c808fa..91da642 100644 | ||
59 | --- a/jdapistd.c | ||
60 | +++ b/jdapistd.c | ||
61 | @@ -4,7 +4,7 @@ | ||
62 | * This file was part of the Independent JPEG Group's software: | ||
63 | * Copyright (C) 1994-1996, Thomas G. Lane. | ||
64 | * libjpeg-turbo Modifications: | ||
65 | - * Copyright (C) 2010, 2015-2018, D. R. Commander. | ||
66 | + * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. | ||
67 | * Copyright (C) 2015, Google, Inc. | ||
68 | * For conditions of distribution and use, see the accompanying README.ijg | ||
69 | * file. | ||
70 | @@ -21,6 +21,8 @@ | ||
71 | #include "jinclude.h" | ||
72 | #include "jdmainct.h" | ||
73 | #include "jdcoefct.h" | ||
74 | +#include "jdmaster.h" | ||
75 | +#include "jdmerge.h" | ||
76 | #include "jdsample.h" | ||
77 | #include "jmemsys.h" | ||
78 | |||
79 | @@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf, | ||
80 | } | ||
81 | |||
82 | |||
83 | +/* Dummy postprocessing function used by jpeg_skip_scanlines() */ | ||
84 | +LOCAL(void) | ||
85 | +noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
86 | + JDIMENSION *in_row_group_ctr, | ||
87 | + JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf, | ||
88 | + JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) | ||
89 | +{ | ||
90 | +} | ||
91 | + | ||
92 | + | ||
93 | /* | ||
94 | * In some cases, it is best to call jpeg_read_scanlines() and discard the | ||
95 | * output, rather than skipping the scanlines, because this allows us to | ||
96 | @@ -316,11 +328,17 @@ LOCAL(void) | ||
97 | read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
98 | { | ||
99 | JDIMENSION n; | ||
100 | + my_master_ptr master = (my_master_ptr)cinfo->master; | ||
101 | void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
102 | JDIMENSION input_row, JSAMPARRAY output_buf, | ||
103 | int num_rows) = NULL; | ||
104 | void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, | ||
105 | JSAMPARRAY output_buf, int num_rows) = NULL; | ||
106 | + void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
107 | + JDIMENSION *in_row_group_ctr, | ||
108 | + JDIMENSION in_row_groups_avail, | ||
109 | + JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, | ||
110 | + JDIMENSION out_rows_avail) = NULL; | ||
111 | |||
112 | if (cinfo->cconvert && cinfo->cconvert->color_convert) { | ||
113 | color_convert = cinfo->cconvert->color_convert; | ||
114 | @@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
115 | cinfo->cquantize->color_quantize = noop_quantize; | ||
116 | } | ||
117 | |||
118 | + if (master->using_merged_upsample && cinfo->post && | ||
119 | + cinfo->post->post_process_data) { | ||
120 | + post_process_data = cinfo->post->post_process_data; | ||
121 | + cinfo->post->post_process_data = noop_post_process; | ||
122 | + } | ||
123 | + | ||
124 | for (n = 0; n < num_lines; n++) | ||
125 | jpeg_read_scanlines(cinfo, NULL, 1); | ||
126 | |||
127 | @@ -340,6 +364,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
128 | |||
129 | if (color_quantize) | ||
130 | cinfo->cquantize->color_quantize = color_quantize; | ||
131 | + | ||
132 | + if (post_process_data) | ||
133 | + cinfo->post->post_process_data = post_process_data; | ||
134 | } | ||
135 | |||
136 | |||
137 | @@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
138 | { | ||
139 | my_main_ptr main_ptr = (my_main_ptr)cinfo->main; | ||
140 | my_coef_ptr coef = (my_coef_ptr)cinfo->coef; | ||
141 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
142 | + my_master_ptr master = (my_master_ptr)cinfo->master; | ||
143 | JDIMENSION i, x; | ||
144 | int y; | ||
145 | JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row; | ||
146 | @@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
147 | main_ptr->buffer_full = FALSE; | ||
148 | main_ptr->rowgroup_ctr = 0; | ||
149 | main_ptr->context_state = CTX_PREPARE_FOR_IMCU; | ||
150 | - upsample->next_row_out = cinfo->max_v_samp_factor; | ||
151 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
152 | + if (master->using_merged_upsample) { | ||
153 | + my_merged_upsample_ptr upsample = | ||
154 | + (my_merged_upsample_ptr)cinfo->upsample; | ||
155 | + upsample->spare_full = FALSE; | ||
156 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
157 | + } else { | ||
158 | + my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
159 | + upsample->next_row_out = cinfo->max_v_samp_factor; | ||
160 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
161 | + } | ||
162 | } | ||
163 | |||
164 | /* Skipping is much simpler when context rows are not required. */ | ||
165 | @@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
166 | cinfo->output_scanline += lines_left_in_iMCU_row; | ||
167 | main_ptr->buffer_full = FALSE; | ||
168 | main_ptr->rowgroup_ctr = 0; | ||
169 | - upsample->next_row_out = cinfo->max_v_samp_factor; | ||
170 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
171 | + if (master->using_merged_upsample) { | ||
172 | + my_merged_upsample_ptr upsample = | ||
173 | + (my_merged_upsample_ptr)cinfo->upsample; | ||
174 | + upsample->spare_full = FALSE; | ||
175 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
176 | + } else { | ||
177 | + my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
178 | + upsample->next_row_out = cinfo->max_v_samp_factor; | ||
179 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
180 | + } | ||
181 | } | ||
182 | } | ||
183 | |||
184 | @@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
185 | cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; | ||
186 | increment_simple_rowgroup_ctr(cinfo, lines_to_read); | ||
187 | } | ||
188 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
189 | + if (master->using_merged_upsample) { | ||
190 | + my_merged_upsample_ptr upsample = | ||
191 | + (my_merged_upsample_ptr)cinfo->upsample; | ||
192 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
193 | + } else { | ||
194 | + my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
195 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
196 | + } | ||
197 | return num_lines; | ||
198 | } | ||
199 | |||
200 | @@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
201 | * bit odd, since "rows_to_go" seems to be redundantly keeping track of | ||
202 | * output_scanline. | ||
203 | */ | ||
204 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
205 | + if (master->using_merged_upsample) { | ||
206 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
207 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
208 | + } else { | ||
209 | + my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
210 | + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
211 | + } | ||
212 | |||
213 | /* Always skip the requested number of lines. */ | ||
214 | return num_lines; | ||
215 | diff --git a/jdmerge.c b/jdmerge.c | ||
216 | index dff5a35..833ad67 100644 | ||
217 | --- a/jdmerge.c | ||
218 | +++ b/jdmerge.c | ||
219 | @@ -5,7 +5,7 @@ | ||
220 | * Copyright (C) 1994-1996, Thomas G. Lane. | ||
221 | * libjpeg-turbo Modifications: | ||
222 | * Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB | ||
223 | - * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander. | ||
224 | + * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander. | ||
225 | * Copyright (C) 2013, Linaro Limited. | ||
226 | * For conditions of distribution and use, see the accompanying README.ijg | ||
227 | * file. | ||
228 | @@ -40,41 +40,13 @@ | ||
229 | #define JPEG_INTERNALS | ||
230 | #include "jinclude.h" | ||
231 | #include "jpeglib.h" | ||
232 | +#include "jdmerge.h" | ||
233 | #include "jsimd.h" | ||
234 | #include "jconfigint.h" | ||
235 | |||
236 | #ifdef UPSAMPLE_MERGING_SUPPORTED | ||
237 | |||
238 | |||
239 | -/* Private subobject */ | ||
240 | - | ||
241 | -typedef struct { | ||
242 | - struct jpeg_upsampler pub; /* public fields */ | ||
243 | - | ||
244 | - /* Pointer to routine to do actual upsampling/conversion of one row group */ | ||
245 | - void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
246 | - JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); | ||
247 | - | ||
248 | - /* Private state for YCC->RGB conversion */ | ||
249 | - int *Cr_r_tab; /* => table for Cr to R conversion */ | ||
250 | - int *Cb_b_tab; /* => table for Cb to B conversion */ | ||
251 | - JLONG *Cr_g_tab; /* => table for Cr to G conversion */ | ||
252 | - JLONG *Cb_g_tab; /* => table for Cb to G conversion */ | ||
253 | - | ||
254 | - /* For 2:1 vertical sampling, we produce two output rows at a time. | ||
255 | - * We need a "spare" row buffer to hold the second output row if the | ||
256 | - * application provides just a one-row buffer; we also use the spare | ||
257 | - * to discard the dummy last row if the image height is odd. | ||
258 | - */ | ||
259 | - JSAMPROW spare_row; | ||
260 | - boolean spare_full; /* T if spare buffer is occupied */ | ||
261 | - | ||
262 | - JDIMENSION out_row_width; /* samples per output row */ | ||
263 | - JDIMENSION rows_to_go; /* counts rows remaining in image */ | ||
264 | -} my_upsampler; | ||
265 | - | ||
266 | -typedef my_upsampler *my_upsample_ptr; | ||
267 | - | ||
268 | #define SCALEBITS 16 /* speediest right-shift on some machines */ | ||
269 | #define ONE_HALF ((JLONG)1 << (SCALEBITS - 1)) | ||
270 | #define FIX(x) ((JLONG)((x) * (1L << SCALEBITS) + 0.5)) | ||
271 | @@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr; | ||
272 | LOCAL(void) | ||
273 | build_ycc_rgb_table(j_decompress_ptr cinfo) | ||
274 | { | ||
275 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
276 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
277 | int i; | ||
278 | JLONG x; | ||
279 | SHIFT_TEMPS | ||
280 | @@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo) | ||
281 | METHODDEF(void) | ||
282 | start_pass_merged_upsample(j_decompress_ptr cinfo) | ||
283 | { | ||
284 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
285 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
286 | |||
287 | /* Mark the spare buffer empty */ | ||
288 | upsample->spare_full = FALSE; | ||
289 | @@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
290 | JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) | ||
291 | /* 2:1 vertical sampling case: may need a spare row. */ | ||
292 | { | ||
293 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
294 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
295 | JSAMPROW work_ptrs[2]; | ||
296 | JDIMENSION num_rows; /* number of rows returned to caller */ | ||
297 | |||
298 | @@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
299 | JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) | ||
300 | /* 1:1 vertical sampling case: much easier, never need a spare row. */ | ||
301 | { | ||
302 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
303 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
304 | |||
305 | /* Just do the upsampling. */ | ||
306 | (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr, | ||
307 | @@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
308 | GLOBAL(void) | ||
309 | jinit_merged_upsampler(j_decompress_ptr cinfo) | ||
310 | { | ||
311 | - my_upsample_ptr upsample; | ||
312 | + my_merged_upsample_ptr upsample; | ||
313 | |||
314 | - upsample = (my_upsample_ptr) | ||
315 | + upsample = (my_merged_upsample_ptr) | ||
316 | (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, | ||
317 | - sizeof(my_upsampler)); | ||
318 | + sizeof(my_merged_upsampler)); | ||
319 | cinfo->upsample = (struct jpeg_upsampler *)upsample; | ||
320 | upsample->pub.start_pass = start_pass_merged_upsample; | ||
321 | upsample->pub.need_context_rows = FALSE; | ||
322 | diff --git a/jdmerge.h b/jdmerge.h | ||
323 | new file mode 100644 | ||
324 | index 0000000..b583396 | ||
325 | --- /dev/null | ||
326 | +++ b/jdmerge.h | ||
327 | @@ -0,0 +1,47 @@ | ||
328 | +/* | ||
329 | + * jdmerge.h | ||
330 | + * | ||
331 | + * This file was part of the Independent JPEG Group's software: | ||
332 | + * Copyright (C) 1994-1996, Thomas G. Lane. | ||
333 | + * libjpeg-turbo Modifications: | ||
334 | + * Copyright (C) 2020, D. R. Commander. | ||
335 | + * For conditions of distribution and use, see the accompanying README.ijg | ||
336 | + * file. | ||
337 | + */ | ||
338 | + | ||
339 | +#define JPEG_INTERNALS | ||
340 | +#include "jpeglib.h" | ||
341 | + | ||
342 | +#ifdef UPSAMPLE_MERGING_SUPPORTED | ||
343 | + | ||
344 | + | ||
345 | +/* Private subobject */ | ||
346 | + | ||
347 | +typedef struct { | ||
348 | + struct jpeg_upsampler pub; /* public fields */ | ||
349 | + | ||
350 | + /* Pointer to routine to do actual upsampling/conversion of one row group */ | ||
351 | + void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
352 | + JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); | ||
353 | + | ||
354 | + /* Private state for YCC->RGB conversion */ | ||
355 | + int *Cr_r_tab; /* => table for Cr to R conversion */ | ||
356 | + int *Cb_b_tab; /* => table for Cb to B conversion */ | ||
357 | + JLONG *Cr_g_tab; /* => table for Cr to G conversion */ | ||
358 | + JLONG *Cb_g_tab; /* => table for Cb to G conversion */ | ||
359 | + | ||
360 | + /* For 2:1 vertical sampling, we produce two output rows at a time. | ||
361 | + * We need a "spare" row buffer to hold the second output row if the | ||
362 | + * application provides just a one-row buffer; we also use the spare | ||
363 | + * to discard the dummy last row if the image height is odd. | ||
364 | + */ | ||
365 | + JSAMPROW spare_row; | ||
366 | + boolean spare_full; /* T if spare buffer is occupied */ | ||
367 | + | ||
368 | + JDIMENSION out_row_width; /* samples per output row */ | ||
369 | + JDIMENSION rows_to_go; /* counts rows remaining in image */ | ||
370 | +} my_merged_upsampler; | ||
371 | + | ||
372 | +typedef my_merged_upsampler *my_merged_upsample_ptr; | ||
373 | + | ||
374 | +#endif /* UPSAMPLE_MERGING_SUPPORTED */ | ||
375 | diff --git a/jdmrg565.c b/jdmrg565.c | ||
376 | index 1b87e37..53f1e16 100644 | ||
377 | --- a/jdmrg565.c | ||
378 | +++ b/jdmrg565.c | ||
379 | @@ -5,7 +5,7 @@ | ||
380 | * Copyright (C) 1994-1996, Thomas G. Lane. | ||
381 | * libjpeg-turbo Modifications: | ||
382 | * Copyright (C) 2013, Linaro Limited. | ||
383 | - * Copyright (C) 2014-2015, 2018, D. R. Commander. | ||
384 | + * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander. | ||
385 | * For conditions of distribution and use, see the accompanying README.ijg | ||
386 | * file. | ||
387 | * | ||
388 | @@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
389 | JDIMENSION in_row_group_ctr, | ||
390 | JSAMPARRAY output_buf) | ||
391 | { | ||
392 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
393 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
394 | register int y, cred, cgreen, cblue; | ||
395 | int cb, cr; | ||
396 | register JSAMPROW outptr; | ||
397 | @@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo, | ||
398 | JDIMENSION in_row_group_ctr, | ||
399 | JSAMPARRAY output_buf) | ||
400 | { | ||
401 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
402 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
403 | register int y, cred, cgreen, cblue; | ||
404 | int cb, cr; | ||
405 | register JSAMPROW outptr; | ||
406 | @@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
407 | JDIMENSION in_row_group_ctr, | ||
408 | JSAMPARRAY output_buf) | ||
409 | { | ||
410 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
411 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
412 | register int y, cred, cgreen, cblue; | ||
413 | int cb, cr; | ||
414 | register JSAMPROW outptr0, outptr1; | ||
415 | @@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo, | ||
416 | JDIMENSION in_row_group_ctr, | ||
417 | JSAMPARRAY output_buf) | ||
418 | { | ||
419 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
420 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
421 | register int y, cred, cgreen, cblue; | ||
422 | int cb, cr; | ||
423 | register JSAMPROW outptr0, outptr1; | ||
424 | diff --git a/jdmrgext.c b/jdmrgext.c | ||
425 | index b1c27df..c9a44d8 100644 | ||
426 | --- a/jdmrgext.c | ||
427 | +++ b/jdmrgext.c | ||
428 | @@ -4,7 +4,7 @@ | ||
429 | * This file was part of the Independent JPEG Group's software: | ||
430 | * Copyright (C) 1994-1996, Thomas G. Lane. | ||
431 | * libjpeg-turbo Modifications: | ||
432 | - * Copyright (C) 2011, 2015, D. R. Commander. | ||
433 | + * Copyright (C) 2011, 2015, 2020, D. R. Commander. | ||
434 | * For conditions of distribution and use, see the accompanying README.ijg | ||
435 | * file. | ||
436 | * | ||
437 | @@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
438 | JDIMENSION in_row_group_ctr, | ||
439 | JSAMPARRAY output_buf) | ||
440 | { | ||
441 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
442 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
443 | register int y, cred, cgreen, cblue; | ||
444 | int cb, cr; | ||
445 | register JSAMPROW outptr; | ||
446 | @@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
447 | JDIMENSION in_row_group_ctr, | ||
448 | JSAMPARRAY output_buf) | ||
449 | { | ||
450 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
451 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
452 | register int y, cred, cgreen, cblue; | ||
453 | int cb, cr; | ||
454 | register JSAMPROW outptr0, outptr1; | ||
455 | -- | ||
456 | 2.25.1 | ||
457 | |||
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch new file mode 100644 index 0000000000..f86175dff0 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch | |||
@@ -0,0 +1,400 @@ | |||
1 | From a46c111d9f3642f0ef3819e7298846ccc61869e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: DRC <information@libjpeg-turbo.org> | ||
3 | Date: Mon, 27 Jul 2020 14:21:23 -0500 | ||
4 | Subject: [PATCH] Further jpeg_skip_scanlines() fixes | ||
5 | |||
6 | - Introduce a partial image decompression regression test script that | ||
7 | validates the correctness of jpeg_skip_scanlines() and | ||
8 | jpeg_crop_scanlines() for a variety of cropping regions and libjpeg | ||
9 | settings. | ||
10 | |||
11 | This regression test catches the following issues: | ||
12 | #182, fixed in 5bc43c7 | ||
13 | #237, fixed in 6e95c08 | ||
14 | #244, fixed in 398c1e9 | ||
15 | #441, fully fixed in this commit | ||
16 | |||
17 | It does not catch the following issues: | ||
18 | #194, fixed in 773040f | ||
19 | #244 (additional segfault), fixed in | ||
20 | 9120a24 | ||
21 | |||
22 | - Modify the libjpeg-turbo regression test suite (make test) so that it | ||
23 | checks for the issue reported in #441 (segfault in | ||
24 | jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color | ||
25 | conversion.) | ||
26 | |||
27 | - Fix issues in jpeg_skip_scanlines() that caused incorrect output with | ||
28 | h2v2 (4:2:0) merged upsampling/color conversion. The previous commit | ||
29 | fixed the segfault reported in #441, but that was a symptom of a | ||
30 | larger problem. Because merged 4:2:0 upsampling uses a "spare row" | ||
31 | buffer, it is necessary to allow the upsampler to run when skipping | ||
32 | rows (fancy 4:2:0 upsampling, which uses context rows, also requires | ||
33 | this.) Otherwise, if skipping starts at an odd-numbered row, the | ||
34 | output image will be incorrect. | ||
35 | |||
36 | - Throw an error if jpeg_skip_scanlines() is called with two-pass color | ||
37 | quantization enabled. With two-pass color quantization, the first | ||
38 | pass occurs within jpeg_start_decompress(), so subsequent calls to | ||
39 | jpeg_skip_scanlines() interfere with the multipass state and prevent | ||
40 | the second pass from occurring during subsequent calls to | ||
41 | jpeg_read_scanlines(). | ||
42 | |||
43 | Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0] | ||
44 | CVE: CVE-2020-35538 | ||
45 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
46 | --- | ||
47 | CMakeLists.txt | 9 +++-- | ||
48 | ChangeLog.md | 15 +++++--- | ||
49 | croptest.in | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
50 | jdapistd.c | 70 +++++++++++-------------------------- | ||
51 | libjpeg.txt | 6 ++-- | ||
52 | 5 files changed, 136 insertions(+), 59 deletions(-) | ||
53 | create mode 100755 croptest.in | ||
54 | |||
55 | diff --git a/CMakeLists.txt b/CMakeLists.txt | ||
56 | index aee74c9..de451f4 100644 | ||
57 | --- a/CMakeLists.txt | ||
58 | +++ b/CMakeLists.txt | ||
59 | @@ -753,7 +753,7 @@ else() | ||
60 | set(MD5_PPM_3x2_IFAST fd283664b3b49127984af0a7f118fccd) | ||
61 | set(MD5_JPEG_420_ISLOW_ARI e986fb0a637a8d833d96e8a6d6d84ea1) | ||
62 | set(MD5_JPEG_444_ISLOW_PROGARI 0a8f1c8f66e113c3cf635df0a475a617) | ||
63 | - set(MD5_PPM_420M_IFAST_ARI 72b59a99bcf1de24c5b27d151bde2437) | ||
64 | + set(MD5_PPM_420M_IFAST_ARI 57251da28a35b46eecb7177d82d10e0e) | ||
65 | set(MD5_JPEG_420_ISLOW 9a68f56bc76e466aa7e52f415d0f4a5f) | ||
66 | set(MD5_PPM_420M_ISLOW_2_1 9f9de8c0612f8d06869b960b05abf9c9) | ||
67 | set(MD5_PPM_420M_ISLOW_15_8 b6875bc070720b899566cc06459b63b7) | ||
68 | @@ -1131,7 +1131,7 @@ foreach(libtype ${TEST_LIBTYPES}) | ||
69 | |||
70 | if(WITH_ARITH_DEC) | ||
71 | # CC: RGB->YCC SAMP: h2v2 merged IDCT: ifast ENT: arith | ||
72 | - add_bittest(djpeg 420m-ifast-ari "-fast;-ppm" | ||
73 | + add_bittest(djpeg 420m-ifast-ari "-fast;-skip;1,20;-ppm" | ||
74 | testout_420m_ifast_ari.ppm ${TESTIMAGES}/testimgari.jpg | ||
75 | ${MD5_PPM_420M_IFAST_ARI}) | ||
76 | |||
77 | @@ -1266,6 +1266,11 @@ endforeach() | ||
78 | add_custom_target(testclean COMMAND ${CMAKE_COMMAND} -P | ||
79 | ${CMAKE_CURRENT_SOURCE_DIR}/cmakescripts/testclean.cmake) | ||
80 | |||
81 | +configure_file(croptest.in croptest @ONLY) | ||
82 | +add_custom_target(croptest | ||
83 | + COMMAND echo croptest | ||
84 | + COMMAND ${BASH} ${CMAKE_CURRENT_BINARY_DIR}/croptest) | ||
85 | + | ||
86 | if(WITH_TURBOJPEG) | ||
87 | configure_file(tjbenchtest.in tjbenchtest @ONLY) | ||
88 | configure_file(tjexampletest.in tjexampletest @ONLY) | ||
89 | diff --git a/ChangeLog.md b/ChangeLog.md | ||
90 | index 19d18fa..4562eff 100644 | ||
91 | --- a/ChangeLog.md | ||
92 | +++ b/ChangeLog.md | ||
93 | @@ -54,11 +54,16 @@ a 16-bit binary PGM file into an RGB image buffer. | ||
94 | generated when using the `tjLoadImage()` function to load a 16-bit binary PPM | ||
95 | file into an extended RGB image buffer. | ||
96 | |||
97 | -2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors | ||
98 | -in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG | ||
99 | -images using the merged (non-fancy) upsampling algorithms (that is, when | ||
100 | -setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix, | ||
101 | -but it did not cover all cases. | ||
102 | +2. Fixed or worked around multiple issues with `jpeg_skip_scanlines()`: | ||
103 | + | ||
104 | + - Fixed segfaults or "Corrupt JPEG data: premature end of data segment" | ||
105 | +errors in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or | ||
106 | +4:2:0 JPEG images using merged (non-fancy) upsampling/color conversion (that | ||
107 | +is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a | ||
108 | +similar fix, but it did not cover all cases. | ||
109 | + - `jpeg_skip_scanlines()` now throws an error if two-pass color | ||
110 | +quantization is enabled. Two-pass color quantization never worked properly | ||
111 | +with `jpeg_skip_scanlines()`, and the issues could not readily be fixed. | ||
112 | |||
113 | |||
114 | 2.0.3 | ||
115 | diff --git a/croptest.in b/croptest.in | ||
116 | new file mode 100755 | ||
117 | index 0000000..7e3c293 | ||
118 | --- /dev/null | ||
119 | +++ b/croptest.in | ||
120 | @@ -0,0 +1,95 @@ | ||
121 | +#!/bin/bash | ||
122 | + | ||
123 | +set -u | ||
124 | +set -e | ||
125 | +trap onexit INT | ||
126 | +trap onexit TERM | ||
127 | +trap onexit EXIT | ||
128 | + | ||
129 | +onexit() | ||
130 | +{ | ||
131 | + if [ -d $OUTDIR ]; then | ||
132 | + rm -rf $OUTDIR | ||
133 | + fi | ||
134 | +} | ||
135 | + | ||
136 | +runme() | ||
137 | +{ | ||
138 | + echo \*\*\* $* | ||
139 | + $* | ||
140 | +} | ||
141 | + | ||
142 | +IMAGE=vgl_6548_0026a.bmp | ||
143 | +WIDTH=128 | ||
144 | +HEIGHT=95 | ||
145 | +IMGDIR=@CMAKE_CURRENT_SOURCE_DIR@/testimages | ||
146 | +OUTDIR=`mktemp -d /tmp/__croptest_output.XXXXXX` | ||
147 | +EXEDIR=@CMAKE_CURRENT_BINARY_DIR@ | ||
148 | + | ||
149 | +if [ -d $OUTDIR ]; then | ||
150 | + rm -rf $OUTDIR | ||
151 | +fi | ||
152 | +mkdir -p $OUTDIR | ||
153 | + | ||
154 | +exec >$EXEDIR/croptest.log | ||
155 | + | ||
156 | +echo "============================================================" | ||
157 | +echo "$IMAGE ($WIDTH x $HEIGHT)" | ||
158 | +echo "============================================================" | ||
159 | +echo | ||
160 | + | ||
161 | +for PROGARG in "" -progressive; do | ||
162 | + | ||
163 | + cp $IMGDIR/$IMAGE $OUTDIR | ||
164 | + basename=`basename $IMAGE .bmp` | ||
165 | + echo "------------------------------------------------------------" | ||
166 | + echo "Generating test images" | ||
167 | + echo "------------------------------------------------------------" | ||
168 | + echo | ||
169 | + runme $EXEDIR/cjpeg $PROGARG -grayscale -outfile $OUTDIR/${basename}_GRAY.jpg $IMGDIR/${basename}.bmp | ||
170 | + runme $EXEDIR/cjpeg $PROGARG -sample 2x2 -outfile $OUTDIR/${basename}_420.jpg $IMGDIR/${basename}.bmp | ||
171 | + runme $EXEDIR/cjpeg $PROGARG -sample 2x1 -outfile $OUTDIR/${basename}_422.jpg $IMGDIR/${basename}.bmp | ||
172 | + runme $EXEDIR/cjpeg $PROGARG -sample 1x2 -outfile $OUTDIR/${basename}_440.jpg $IMGDIR/${basename}.bmp | ||
173 | + runme $EXEDIR/cjpeg $PROGARG -sample 1x1 -outfile $OUTDIR/${basename}_444.jpg $IMGDIR/${basename}.bmp | ||
174 | + echo | ||
175 | + | ||
176 | + for NSARG in "" -nosmooth; do | ||
177 | + | ||
178 | + for COLORSARG in "" "-colors 256 -dither none -onepass"; do | ||
179 | + | ||
180 | + for Y in {0..16}; do | ||
181 | + | ||
182 | + for H in {1..16}; do | ||
183 | + | ||
184 | + X=$(( (Y*16)%128 )) | ||
185 | + W=$(( WIDTH-X-7 )) | ||
186 | + if [ $Y -le 15 ]; then | ||
187 | + CROPSPEC="${W}x${H}+${X}+${Y}" | ||
188 | + else | ||
189 | + Y2=$(( HEIGHT-H )); | ||
190 | + CROPSPEC="${W}x${H}+${X}+${Y2}" | ||
191 | + fi | ||
192 | + | ||
193 | + echo "------------------------------------------------------------" | ||
194 | + echo $PROGARG $NSARG $COLORSARG -crop $CROPSPEC | ||
195 | + echo "------------------------------------------------------------" | ||
196 | + echo | ||
197 | + for samp in GRAY 420 422 440 444; do | ||
198 | + $EXEDIR/djpeg $NSARG $COLORSARG -rgb -outfile $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}.jpg | ||
199 | + convert -crop $CROPSPEC $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}_ref.ppm | ||
200 | + runme $EXEDIR/djpeg $NSARG $COLORSARG -crop $CROPSPEC -rgb -outfile $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}.jpg | ||
201 | + runme cmp $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}_ref.ppm | ||
202 | + done | ||
203 | + echo | ||
204 | + | ||
205 | + done | ||
206 | + | ||
207 | + done | ||
208 | + | ||
209 | + done | ||
210 | + | ||
211 | + done | ||
212 | + | ||
213 | +done | ||
214 | + | ||
215 | +echo SUCCESS! | ||
216 | diff --git a/jdapistd.c b/jdapistd.c | ||
217 | index 91da642..c502909 100644 | ||
218 | --- a/jdapistd.c | ||
219 | +++ b/jdapistd.c | ||
220 | @@ -306,16 +306,6 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf, | ||
221 | } | ||
222 | |||
223 | |||
224 | -/* Dummy postprocessing function used by jpeg_skip_scanlines() */ | ||
225 | -LOCAL(void) | ||
226 | -noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
227 | - JDIMENSION *in_row_group_ctr, | ||
228 | - JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf, | ||
229 | - JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) | ||
230 | -{ | ||
231 | -} | ||
232 | - | ||
233 | - | ||
234 | /* | ||
235 | * In some cases, it is best to call jpeg_read_scanlines() and discard the | ||
236 | * output, rather than skipping the scanlines, because this allows us to | ||
237 | @@ -329,16 +319,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
238 | { | ||
239 | JDIMENSION n; | ||
240 | my_master_ptr master = (my_master_ptr)cinfo->master; | ||
241 | + JSAMPARRAY scanlines = NULL; | ||
242 | void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
243 | JDIMENSION input_row, JSAMPARRAY output_buf, | ||
244 | int num_rows) = NULL; | ||
245 | void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, | ||
246 | JSAMPARRAY output_buf, int num_rows) = NULL; | ||
247 | - void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, | ||
248 | - JDIMENSION *in_row_group_ctr, | ||
249 | - JDIMENSION in_row_groups_avail, | ||
250 | - JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, | ||
251 | - JDIMENSION out_rows_avail) = NULL; | ||
252 | |||
253 | if (cinfo->cconvert && cinfo->cconvert->color_convert) { | ||
254 | color_convert = cinfo->cconvert->color_convert; | ||
255 | @@ -350,23 +336,19 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
256 | cinfo->cquantize->color_quantize = noop_quantize; | ||
257 | } | ||
258 | |||
259 | - if (master->using_merged_upsample && cinfo->post && | ||
260 | - cinfo->post->post_process_data) { | ||
261 | - post_process_data = cinfo->post->post_process_data; | ||
262 | - cinfo->post->post_process_data = noop_post_process; | ||
263 | + if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) { | ||
264 | + my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
265 | + scanlines = &upsample->spare_row; | ||
266 | } | ||
267 | |||
268 | for (n = 0; n < num_lines; n++) | ||
269 | - jpeg_read_scanlines(cinfo, NULL, 1); | ||
270 | + jpeg_read_scanlines(cinfo, scanlines, 1); | ||
271 | |||
272 | if (color_convert) | ||
273 | cinfo->cconvert->color_convert = color_convert; | ||
274 | |||
275 | if (color_quantize) | ||
276 | cinfo->cquantize->color_quantize = color_quantize; | ||
277 | - | ||
278 | - if (post_process_data) | ||
279 | - cinfo->post->post_process_data = post_process_data; | ||
280 | } | ||
281 | |||
282 | |||
283 | @@ -380,6 +362,12 @@ increment_simple_rowgroup_ctr(j_decompress_ptr cinfo, JDIMENSION rows) | ||
284 | { | ||
285 | JDIMENSION rows_left; | ||
286 | my_main_ptr main_ptr = (my_main_ptr)cinfo->main; | ||
287 | + my_master_ptr master = (my_master_ptr)cinfo->master; | ||
288 | + | ||
289 | + if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) { | ||
290 | + read_and_discard_scanlines(cinfo, rows); | ||
291 | + return; | ||
292 | + } | ||
293 | |||
294 | /* Increment the counter to the next row group after the skipped rows. */ | ||
295 | main_ptr->rowgroup_ctr += rows / cinfo->max_v_samp_factor; | ||
296 | @@ -410,11 +398,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
297 | my_main_ptr main_ptr = (my_main_ptr)cinfo->main; | ||
298 | my_coef_ptr coef = (my_coef_ptr)cinfo->coef; | ||
299 | my_master_ptr master = (my_master_ptr)cinfo->master; | ||
300 | + my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
301 | JDIMENSION i, x; | ||
302 | int y; | ||
303 | JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row; | ||
304 | JDIMENSION lines_to_skip, lines_to_read; | ||
305 | |||
306 | + /* Two-pass color quantization is not supported. */ | ||
307 | + if (cinfo->quantize_colors && cinfo->two_pass_quantize) | ||
308 | + ERREXIT(cinfo, JERR_NOTIMPL); | ||
309 | + | ||
310 | if (cinfo->global_state != DSTATE_SCANNING) | ||
311 | ERREXIT1(cinfo, JERR_BAD_STATE, cinfo->global_state); | ||
312 | |||
313 | @@ -472,13 +465,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
314 | main_ptr->buffer_full = FALSE; | ||
315 | main_ptr->rowgroup_ctr = 0; | ||
316 | main_ptr->context_state = CTX_PREPARE_FOR_IMCU; | ||
317 | - if (master->using_merged_upsample) { | ||
318 | - my_merged_upsample_ptr upsample = | ||
319 | - (my_merged_upsample_ptr)cinfo->upsample; | ||
320 | - upsample->spare_full = FALSE; | ||
321 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
322 | - } else { | ||
323 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
324 | + if (!master->using_merged_upsample) { | ||
325 | upsample->next_row_out = cinfo->max_v_samp_factor; | ||
326 | upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
327 | } | ||
328 | @@ -493,13 +480,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
329 | cinfo->output_scanline += lines_left_in_iMCU_row; | ||
330 | main_ptr->buffer_full = FALSE; | ||
331 | main_ptr->rowgroup_ctr = 0; | ||
332 | - if (master->using_merged_upsample) { | ||
333 | - my_merged_upsample_ptr upsample = | ||
334 | - (my_merged_upsample_ptr)cinfo->upsample; | ||
335 | - upsample->spare_full = FALSE; | ||
336 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
337 | - } else { | ||
338 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
339 | + if (!master->using_merged_upsample) { | ||
340 | upsample->next_row_out = cinfo->max_v_samp_factor; | ||
341 | upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
342 | } | ||
343 | @@ -537,14 +518,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
344 | cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; | ||
345 | increment_simple_rowgroup_ctr(cinfo, lines_to_read); | ||
346 | } | ||
347 | - if (master->using_merged_upsample) { | ||
348 | - my_merged_upsample_ptr upsample = | ||
349 | - (my_merged_upsample_ptr)cinfo->upsample; | ||
350 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
351 | - } else { | ||
352 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
353 | + if (!master->using_merged_upsample) | ||
354 | upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
355 | - } | ||
356 | return num_lines; | ||
357 | } | ||
358 | |||
359 | @@ -585,13 +560,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) | ||
360 | * bit odd, since "rows_to_go" seems to be redundantly keeping track of | ||
361 | * output_scanline. | ||
362 | */ | ||
363 | - if (master->using_merged_upsample) { | ||
364 | - my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; | ||
365 | + if (!master->using_merged_upsample) | ||
366 | upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
367 | - } else { | ||
368 | - my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; | ||
369 | - upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; | ||
370 | - } | ||
371 | |||
372 | /* Always skip the requested number of lines. */ | ||
373 | return num_lines; | ||
374 | diff --git a/libjpeg.txt b/libjpeg.txt | ||
375 | index c50cf90..c233ecb 100644 | ||
376 | --- a/libjpeg.txt | ||
377 | +++ b/libjpeg.txt | ||
378 | @@ -3,7 +3,7 @@ USING THE IJG JPEG LIBRARY | ||
379 | This file was part of the Independent JPEG Group's software: | ||
380 | Copyright (C) 1994-2013, Thomas G. Lane, Guido Vollbeding. | ||
381 | libjpeg-turbo Modifications: | ||
382 | -Copyright (C) 2010, 2014-2018, D. R. Commander. | ||
383 | +Copyright (C) 2010, 2014-2018, 2020, D. R. Commander. | ||
384 | Copyright (C) 2015, Google, Inc. | ||
385 | For conditions of distribution and use, see the accompanying README.ijg file. | ||
386 | |||
387 | @@ -750,7 +750,9 @@ multiple rows in the JPEG image. | ||
388 | |||
389 | Suspending data sources are not supported by this function. Calling | ||
390 | jpeg_skip_scanlines() with a suspending data source will result in undefined | ||
391 | -behavior. | ||
392 | +behavior. Two-pass color quantization is also not supported by this function. | ||
393 | +Calling jpeg_skip_scanlines() with two-pass color quantization enabled will | ||
394 | +result in an error. | ||
395 | |||
396 | jpeg_skip_scanlines() will not allow skipping past the bottom of the image. If | ||
397 | the value of num_lines is large enough to skip past the bottom of the image, | ||
398 | -- | ||
399 | 2.25.1 | ||
400 | |||
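Review bot: The function-scope `my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;` that this patch re-adds to jpeg_skip_scanlines() in jdapistd.c is a valid view of the object only when merged upsampling is off, and nothing at the declaration says so. The writes to `upsample->next_row_out` and `upsample->rows_to_go` in the four later hunks are each guarded by `!master->using_merged_upsample`. With merged upsampling, `cinfo->upsample` points to the separate `my_merged_upsampler` type declared in jdmerge.h, so an unguarded use added later, or a guard lost while refreshing the backport, would write through the wrong struct type again. I would add a comment at the declaration, for example `/* Valid only when !master->using_merged_upsample; otherwise cinfo->upsample is a my_merged_upsampler (see jdmerge.h). */`, and confirm that all four guards are present in the patched jdapistd.c. The body of jpeg_skip_scanlines() extends beyond the hunks shown here.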
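--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+
+- The PPM reader now throws an error rather than segfaulting (due to a
+buffer overrun) if an application attempts to load a 16-bit PPM file
+into a grayscale uncompressed image buffer. No known applications
+allowed that (not even the test applications in libjpeg-turbo),
+because that mode of operation was never expected to work and did not
+work under any circumstances. (In fact, it was necessary to modify
+TJBench in order to reproduce the issue outside of a fuzzing
+environment.) This was purely a matter of making the library bow out
+gracefully rather than crash if an application tries to do something
+really stupid.
+
+- The PPM reader now throws an error rather than generating incorrect
+pixels if an application attempts to load a 16-bit PGM file into an
+RGB uncompressed image buffer.
+
+- The PPM reader now correctly loads 16-bit PPM files into extended
+RGB uncompressed image buffers. (Previously it generated incorrect
+pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function. cjpeg and TJBench were
+unaffected.
+
+CVE: CVE-2021-46822
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
+Comment: Refreshed hunks from ChangeLog.md
+Refreshed hunks from rdppm.c
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+
+---
+ChangeLog.md | 10 ++++++++++
+rdppm.c | 26 ++++++++++++++++++++------
+2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 968969c6b..12e730a0e 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -44,6 +44,15 @@
+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
+similar fix for binary PPM/PGM files with maximum values greater than 255.
+
++7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
++overrun) or generating incorrect pixels, if an application attempts to use the
++`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
++with a maximum value greater than 255) into a grayscale image buffer or to load
++a 16-bit binary PGM file into an RGB image buffer.
++
++8. Fixed an issue in the PPM reader that caused incorrect pixels to be
++generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
++file into an extended RGB image buffer.
+
+2.0.3
+=====
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8a..6ac8fdbf7 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+* Copyright (C) 1991-1997, Thomas G. Lane.
+* Modified 2009 by Bill Allombert, Guido Vollbeding.
+* libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+* For conditions of distribution and use, see the accompanying README.ijg
+* file.
+*
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+register JSAMPLE *rescale = source->rescale;
+JDIMENSION col;
+unsigned int maxval = source->maxval;
++ register int rindex = rgb_red[cinfo->in_color_space];
++ register int gindex = rgb_green[cinfo->in_color_space];
++ register int bindex = rgb_blue[cinfo->in_color_space];
++ register int aindex = alpha_index[cinfo->in_color_space];
++ register int ps = rgb_pixelsize[cinfo->in_color_space];
+
+if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[rindex] = rescale[temp];
+temp = UCH(*bufferptr++) << 8;
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[gindex] = rescale[temp];
+temp = UCH(*bufferptr++) << 8;
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[bindex] = rescale[temp];
++ if (aindex >= 0)
++ ptr[aindex] = 0xFF;
++ ptr += ps;
+}
+return 1;
+}
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+cinfo->in_color_space = JCS_GRAYSCALE;
+TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_gray_row;
++ if (cinfo->in_color_space == JCS_GRAYSCALE)
++ source->pub.get_pixel_rows = get_word_gray_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+cinfo->in_color_space == JCS_GRAYSCALE) {
+source->pub.get_pixel_rows = get_raw_row;
+@@ -657,7 +657,10 @@
+cinfo->in_color_space = JCS_EXT_RGB;
+TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_rgb_row;
++ if (IsExtRGB(cinfo->in_color_space))
++ source->pub.get_pixel_rows = get_word_rgb_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+(cinfo->in_color_space == JCS_EXT_RGB
+#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3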
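Review bot: The last rdppm.c hunk in this patch is headed `@@ -657,7 +657,10 @@`, with the same start line on both sides and no function name, although the three rdppm.c hunks before it add 11 lines, so a generated header would place the new side 11 lines lower. That looks like a hand edit made during the refresh recorded in the `Comment:` trailer, and it is the hunk that appears to carry the `IsExtRGB()` guard for the 16-bit PPM case described in the commit message as a buffer overrun. `patch` will usually still place it by context, but it would be safer to regenerate the file with `git format-patch` against the patched 2.0.4 tree and confirm it applies with no offset or fuzz. get_word_rgb_row() now indexes `ptr` through tables keyed by `in_color_space` with no check of its own, so a short comment there stating that start_input_ppm() only selects it for extended-RGB colorspaces would document the precondition.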
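--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization. Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565. However, prescan_quantize() was
+called before that could occur. It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg. The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ChangeLog.md | 6 ++++++
+jdmaster.c | 5 +++--
+jquant2.c | 5 +++--
+3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+2.0.4
+=====
+
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
++++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+* Copyright (C) 1991-1997, Thomas G. Lane.
+* Modified 2002-2009 by Guido Vollbeding.
+* libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+* Copyright (C) 2013, Linaro Limited.
+* Copyright (C) 2015, Google, Inc.
+* For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+if (cinfo->raw_data_out)
+ERREXIT(cinfo, JERR_NOTIMPL);
+/* 2-pass quantizer only works in 3-component color space. */
+- if (cinfo->out_color_components != 3) {
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565) {
+cinfo->enable_1pass_quant = TRUE;
+cinfo->enable_external_quant = FALSE;
+cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
++++ b/jquant2.c
+@@ -4,7 +4,7 @@
+* This file was part of the Independent JPEG Group's software:
+* Copyright (C) 1991-1996, Thomas G. Lane.
+* libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+* For conditions of distribution and use, see the accompanying README.ijg
+* file.
+*
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+cquantize->error_limiter = NULL;
+
+/* Make sure jdmaster didn't give me a case I can't handle */
+- if (cinfo->out_color_components != 3)
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565)
+ERREXIT(cinfo, JERR_NOTIMPL);
+
+/* Allocate the histogram/inverse colormap storage */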
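Review bot: The comment above the widened test in master_selection() still reads `/* 2-pass quantizer only works in 3-component color space. */`, which no longer states the whole rule now that JCS_RGB565 is rejected even though it has three components. A wording such as `/* 2-pass quantizer assumes 3-sample pixels; RGB565 has 3 components but not 3 samples per pixel. */` would keep the reason from the commit message next to the condition, and the comment in jinit_2pass_quantizer() could name RGB565 as well. If the backport has to stay identical to the upstream commit, this is better raised upstream than changed here. Both functions continue outside their hunks.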
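--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors. Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory. With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+
+Fixes #669
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ChangeLog.md | 8 ++++++++
+jdapistd.c | 10 ++++++----
+2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+enabled.
+
++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
++downsampled width for components with 4x2 or 2x4 subsampling factors if
++decompression scaling was enabled. This caused the components to be upsampled
++incompletely, which caused the color converter to read from uninitialized
++memory. With 12-bit data precision, this caused a buffer overrun or underrun
++and subsequent segfault if the sample value read from unitialized memory was
++outside of the valid sample range.
++
+2.0.4
+=====
+
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+* This file was part of the Independent JPEG Group's software:
+* Copyright (C) 1994-1996, Thomas G. Lane.
+* libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+* Copyright (C) 2015, Google, Inc.
+* For conditions of distribution and use, see the accompanying README.ijg
+* file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+/* Set downsampled_width to the new output width. */
+orig_downsampled_width = compptr->downsampled_width;
+compptr->downsampled_width =
+- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+- compptr->h_samp_factor),
+- (long)cinfo->max_h_samp_factor);
++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
++ (long)(compptr->h_samp_factor *
++ compptr->_DCT_scaled_size),
++ (long)(cinfo->max_h_samp_factor *
++ cinfo->_min_DCT_scaled_size));
+if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+reinit_upsampler = TRUE;
+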
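--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -13,6 +13,11 @@ DEPENDS_append_x86_class-target = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
 file://0001-libjpeg-turbo-fix-package_qa-error.patch \
 file://CVE-2020-13790.patch \
+file://CVE-2021-46822.patch \
+file://CVE-2020-35538-1.patch \
+file://CVE-2020-35538-2.patch \
+file://CVE-2023-2804-1.patch \
+file://CVE-2023-2804-2.patch \
 "
 
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"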
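--- a/meta/recipes-graphics/kmscube/kmscube_git.bb
+++ b/meta/recipes-graphics/kmscube/kmscube_git.bb
@@ -1,4 +1,8 @@
-DESCRIPTION = "Demo application to showcase 3D graphics using kms and gbm"
+SUMMARY = "Demo application to showcase 3D graphics using kms and gbm"
+DESCRIPTION = "kmscube is a little demonstration program for how to drive bare metal graphics \
+without a compositor like X11, wayland or similar, using DRM/KMS (kernel mode \
+setting), GBM (graphics buffer manager) and EGL for rendering content using \
+OpenGL or OpenGL ES."
 HOMEPAGE = "https://cgit.freedesktop.org/mesa/kmscube/"
 LICENSE = "MIT"
 SECTION = "graphics"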
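--- a/meta/recipes-graphics/libfakekey/libfakekey_git.bb
+++ b/meta/recipes-graphics/libfakekey/libfakekey_git.bb
@@ -13,7 +13,7 @@ SECTION = "x11/wm"
 SRCREV = "7ad885912efb2131e80914e964d5e635b0d07b40"
 PV = "0.3+git${SRCPV}"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 
 S = "${WORKDIR}/git"
 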
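Review bot: The updated `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"` names the branch but still fetches over the default git:// transport, which offers no server authentication or transport integrity. The full-length SRCREV pin limits what a tampered fetch could deliver, but other recipes in this same commit (libva-utils, mx) add `;protocol=https`, and doing the same here would be consistent: `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"`. The same applies to the SRC_URI lines in the libmatchbox and matchbox-wm sections.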
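--- a/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
+++ b/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
@@ -17,7 +17,7 @@ DEPENDS = "virtual/libx11 libxext"
 
 #SRCREV for 1.12
 SRCREV = "e846ee434f8e23d9db38af13c523f791495e0e87"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 
 S = "${WORKDIR}/git"
 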
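--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+src/video/SDL_surface.c | 23 +++++++++++++++--------
+1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+#include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+/* Public routines */
+
+/*
+* Calculate the pad-aligned scanline width of a surface
+*/
+-static int
++static Sint64
+SDL_CalculatePitch(Uint32 format, int width)
+{
+- int pitch;
++ Sint64 pitch;
+
+if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+} else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+}
+pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+Uint32 format)
+{
++ Sint64 pitch;
+SDL_Surface *surface;
+
+/* The flags are no longer used, make the compiler happy */
+(void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+/* Allocate the surface */
+surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+}
+surface->w = width;
+surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+SDL_SetClipRect(surface, NULL);
+
+if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {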
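Review bot: SDL_CalculatePitch() now returns Sint64, but the range check `pitch < 0 || pitch > SDL_MAX_SINT32` lives only in SDL_CreateRGBSurfaceWithFormat(), so the helper's safety depends on every caller repeating it before narrowing to int. Any other call site in SDL_surface.c outside these hunks that still stores the result in an int would truncate silently; it is worth confirming in the 2.0.12 source that this is the only caller. A one-line comment on the helper, for example `/* Returns Sint64 so callers can detect overflow; check against SDL_MAX_SINT32 before storing in surface->pitch */`, would keep that contract visible. SDL_CreateRGBSurfaceWithFormat() continues outside the hunk.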
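--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/video/SDL_pixels.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+}
+*identical = 0;
+}
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+if (map == NULL) {
+SDL_OutOfMemory();
+return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+SDL_Palette *pal = src->palette;
+
+bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+if (map == NULL) {
+SDL_OutOfMemory();
+return (NULL);
+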
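Review bot: Both maps are now a fixed 256 entries, but the loops that fill them are outside these hunks; if they still iterate up to `src->ncolors` in Map1to1() and `pal->ncolors` in Map1toN(), a palette holding more than 256 colors would write past an allocation that used to scale with ncolors. Unless an invariant elsewhere guarantees ncolors never exceeds 256, sizing by the larger value keeps the old bound as well as the new one: `map = (Uint8 *) SDL_calloc(SDL_max(src->ncolors, 256), sizeof(Uint8));` and `map = (Uint8 *) SDL_calloc(SDL_max(pal->ncolors, 256), bpp);`. If the invariant does exist, a comment naming it next to each allocation would be enough.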
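--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/render/opengles/SDL_render_gles.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+renderdata->glGenTextures(1, &data->texture);
+result = renderdata->glGetError();
+if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+SDL_free(data);
+return GLES_SetError("glGenTextures()", result);
+}
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+
+result = renderdata->glGetError();
+if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+SDL_free(data);
+return GLES_SetError("glTexImage2D()", result);
+}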
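Review bot: The second error path, after glTexImage2D, now frees data->pixels and data but still leaves the texture name created earlier by `renderdata->glGenTextures(1, &data->texture)` allocated, so a GL-side leak remains there. Adding `renderdata->glDeleteTextures(1, &data->texture);` before `SDL_free(data);` on that path would release it, assuming the renderer's function table exposes glDeleteTextures as its destroy path would need. The `texture->access == SDL_TEXTUREACCESS_STREAMING` test may also be unnecessary if data is zero-initialised when allocated, since SDL_free(NULL) is a no-op; the allocation is outside the hunk, so that is worth confirming. GLES_CreateTexture() continues outside both hunks.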
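--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
 file://more-gen-depends.patch \
 file://directfb-spurious-curly-brace-missing-e.patch \
 file://directfb-renderfillrect-fix.patch \
+file://CVE-2020-14409-14410.patch \
+file://CVE-2021-33657.patch \
+file://CVE-2022-4743.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"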
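--- a/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
+++ b/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
@@ -14,7 +14,7 @@ SECTION = "x11"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e"
 
-SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch"
+SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch;protocol=https"
 SRCREV = "8ea1eba433dcbceb0e5dcb54b8e3f984987f7a17"
 S = "${WORKDIR}/git"
 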
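--- a/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
+++ b/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
@@ -12,7 +12,7 @@ DEPENDS = "libmatchbox virtual/libx11 libxext libxrender startup-notification ex
 
 # SRCREV tagged 1.2.2
 SRCREV = "27da947e7fbdf9659f7e5bd1e92af92af6c03970"
-SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager \
+SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager;branch=master \
 file://0001-Fix-build-with-gcc-10.patch \
 file://kbdconfig"
 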
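--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -231,7 +231,7 @@ python mesa_populate_packages() {
 import re
 dri_drivers_root = oe.path.join(d.getVar('PKGD'), d.getVar('libdir'), "dri")
 if os.path.isdir(dri_drivers_root):
-dri_pkgs = os.listdir(dri_drivers_root)
+dri_pkgs = sorted(os.listdir(dri_drivers_root))
 lib_name = d.expand("${MLPREFIX}mesa-megadriver")
 for p in dri_pkgs:
 m = re.match(r'^(.*)_dri\.so$', p)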
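--- a/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
+++ b/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Very simple session manager for X"
+DESCRIPTION = "Simple session manager for X, that provides just the right boilerplate to create a session and launch the browser "
 HOMEPAGE = "http://www.yoctoproject.org"
 BUGTRACKER = "http://bugzilla.pokylinux.org"
 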
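--- a/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
+++ b/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
@@ -7,7 +7,7 @@ PV = "1.4.7+git${SRCPV}"
 # Exclude x.99.x versions from upstream checks
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>^\d+(\.(?!99)\d+)+)"
 
-SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4 \
+SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4;protocol=https \
 file://fix-test-includes.patch \
 "
 S = "${WORKDIR}/git"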
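--- a/meta/recipes-graphics/mx/mx.inc
+++ b/meta/recipes-graphics/mx/mx.inc
@@ -1,4 +1,10 @@
 SUMMARY = "Clutter based UI widget library"
+DESCRIPTION = "Mx is a widget toolkit using Clutter that provides a set of standard interface \
+elements, including buttons, progress bars, scroll bars and others. It also \
+implements some standard managers. One other interesting feature is the \
+possibility setting style properties from a CSS format file."
+HOMEPAGE = "https://github.com/clutter-project/mx"
+BUGTRACKER = "https://github.com/clutter-project/mx/issues"
 LICENSE = "LGPLv2.1"
 
 inherit clutter autotools features_check gobject-introspection gtk-doc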
diff --git a/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch new file mode 100644 index 0000000000..caa48e088d --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From d623e9797b7ee9b3739a8a4afe1a01f7e03754aa Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Sun, 1 Nov 2020 20:08:49 +0000 | ||
4 | Subject: [PATCH] Add a missing include for htobe32 definition | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
8 | --- | ||
9 | tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | 2 ++ | ||
10 | 1 file changed, 2 insertions(+) | ||
11 | |||
12 | diff --git a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | ||
13 | index 5f45e0c23..c755ee29a 100644 | ||
14 | --- a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | ||
15 | +++ b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | ||
16 | @@ -34,6 +34,8 @@ | ||
17 | |||
18 | #include "piglit-util-gl.h" | ||
19 | |||
20 | +#include <endian.h> | ||
21 | + | ||
22 | #define IMAGE_WIDTH 60 | ||
23 | #define IMAGE_HEIGHT 60 | ||
24 | |||
25 | -- | ||
26 | 2.17.1 | ||
27 | |||
diff --git a/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch new file mode 100644 index 0000000000..cc9482c047 --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From 9086d42df1f3134bafcfe33ff16db7bbb9d9a0fd Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Mon, 30 Nov 2020 23:08:22 +0000 | ||
4 | Subject: [PATCH] framework/profile.py: make test lists reproducible | ||
5 | |||
6 | These are created with os.walk, which yields different | ||
7 | order depending on where it's run. | ||
8 | |||
9 | Upstream-Status: Pending | ||
10 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
11 | --- | ||
12 | framework/profile.py | 6 +++++- | ||
13 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/framework/profile.py b/framework/profile.py | ||
16 | index c210e535e..9b5d51d68 100644 | ||
17 | --- a/framework/profile.py | ||
18 | +++ b/framework/profile.py | ||
19 | @@ -528,7 +528,11 @@ class TestProfile(object): | ||
20 | else: | ||
21 | opts[n] = self.test_list[n] | ||
22 | else: | ||
23 | - opts = self.test_list # pylint: disable=redefined-variable-type | ||
24 | + opts = collections.OrderedDict() | ||
25 | + test_keys = list(self.test_list.keys()) | ||
26 | + test_keys.sort() | ||
27 | + for k in test_keys: | ||
28 | + opts[k] = self.test_list[k] | ||
29 | |||
30 | for k, v in self.filters.run(opts.items()): | ||
31 | yield k, v | ||
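Review bot: The five added lines in the `else:` branch build a sorted copy by hand; `opts = collections.OrderedDict(sorted(self.test_list.items()))` says the same thing in one expression and is easier to compare with the branch above it. Only this branch is sorted, so the order produced by the `opts[n] = self.test_list[n]` path still depends on whatever drives that loop, which is outside the hunk; a one-line comment such as `# sorted so the generated test list is reproducible` would record why the copy exists. It is also worth confirming that `collections` is imported in framework/profile.py, since the import block is not visible here. The enclosing method starts before the hunk.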
diff --git a/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch b/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch new file mode 100644 index 0000000000..8704f98500 --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 1b23539aece156f6fe0789cb988f22e5915228f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Tue, 10 Nov 2020 17:12:32 +0000 | ||
4 | Subject: [PATCH 1/2] generated_tests/gen_tcs/tes_input_tests.py: do not | ||
5 | hardcode the full binary path | ||
6 | |||
7 | This helps reproducibility. | ||
8 | |||
9 | Upstream-Status: Pending | ||
10 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
11 | --- | ||
12 | generated_tests/gen_tcs_input_tests.py | 2 +- | ||
13 | generated_tests/gen_tes_input_tests.py | 2 +- | ||
14 | 2 files changed, 2 insertions(+), 2 deletions(-) | ||
15 | |||
16 | diff --git a/generated_tests/gen_tcs_input_tests.py b/generated_tests/gen_tcs_input_tests.py | ||
17 | index face4f19a..e36671af4 100644 | ||
18 | --- a/generated_tests/gen_tcs_input_tests.py | ||
19 | +++ b/generated_tests/gen_tcs_input_tests.py | ||
20 | @@ -272,7 +272,7 @@ class Test(object): | ||
21 | relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0) | ||
22 | """) | ||
23 | |||
24 | - test = test.format(self=self, generator_command=" ".join(sys.argv)) | ||
25 | + test = test.format(self=self, generator_command="generated_tests/gen_tcs_input_tests.py") | ||
26 | |||
27 | filename = self.filename() | ||
28 | dirname = os.path.dirname(filename) | ||
29 | diff --git a/generated_tests/gen_tes_input_tests.py b/generated_tests/gen_tes_input_tests.py | ||
30 | index 3d847b5cc..954840b20 100644 | ||
31 | --- a/generated_tests/gen_tes_input_tests.py | ||
32 | +++ b/generated_tests/gen_tes_input_tests.py | ||
33 | @@ -301,7 +301,7 @@ class Test(object): | ||
34 | relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0) | ||
35 | """) | ||
36 | |||
37 | - test = test.format(self=self, generator_command=" ".join(sys.argv)) | ||
38 | + test = test.format(self=self, generator_command="generated_tests/gen_tes_input_tests.py") | ||
39 | |||
40 | filename = self.filename() | ||
41 | dirname = os.path.dirname(filename) | ||
42 | -- | ||
43 | 2.17.1 | ||
44 | |||
diff --git a/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch b/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch new file mode 100644 index 0000000000..2efba6f866 --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 1919bb7f4072d73dcbb64d0e06eff5b04529c3db Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Mon, 16 Nov 2020 18:01:02 +0000 | ||
4 | Subject: [PATCH] serializer.py: make .gz files reproducible | ||
5 | |||
6 | .gz format contains mtime of the compressed data, and | ||
7 | SOURCE_DATE_EPOCH is the standard way to make it reproducuble. | ||
8 | |||
9 | Upstream-Status: Pending | ||
10 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
11 | --- | ||
12 | tests/serializer.py | 5 ++++- | ||
13 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tests/serializer.py b/tests/serializer.py | ||
16 | index bd14bc3db..bc5b45d7f 100644 | ||
17 | --- a/tests/serializer.py | ||
18 | +++ b/tests/serializer.py | ||
19 | @@ -138,7 +138,10 @@ def serializer(name, profile, outfile): | ||
20 | et.SubElement(env, 'env', name=k, value=v) | ||
21 | |||
22 | tree = et.ElementTree(root) | ||
23 | - with gzip.open(outfile, 'wb') as f: | ||
24 | + reproducible_mtime = None | ||
25 | + if 'SOURCE_DATE_EPOCH' in os.environ: | ||
26 | + reproducible_mtime=os.environ['SOURCE_DATE_EPOCH'] | ||
27 | + with gzip.GzipFile(outfile, 'wb', mtime=reproducible_mtime) as f: | ||
28 | tree.write(f, encoding='utf-8', xml_declaration=True) | ||
29 | |||
30 | |||
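Review bot: `reproducible_mtime=os.environ['SOURCE_DATE_EPOCH']` in serializer() passes the raw environment string as `mtime` to `gzip.GzipFile`, which expects a numeric timestamp. An empty or non-numeric SOURCE_DATE_EPOCH would then presumably fail inside the gzip header write rather than where the variable is read. Converting at the point of use, `reproducible_mtime = int(os.environ['SOURCE_DATE_EPOCH'])`, makes the type explicit and fails early with a clear traceback. The import block is outside the hunk, so confirm that `os` is imported in tests/serializer.py; serializer() itself begins before the hunk.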
diff --git a/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch b/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch new file mode 100644 index 0000000000..8321be8490 --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From 5bf89c6a314952313b2b762fff0d5501fe57ac53 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Wed, 2 Dec 2020 21:21:52 +0000 | ||
4 | Subject: [PATCH] tests/shader.py: sort the file list before working on it | ||
5 | |||
6 | This allows later xml output to be reproducible. | ||
7 | |||
8 | Upstream-Status: Pending | ||
9 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
10 | --- | ||
11 | tests/shader.py | 4 +++- | ||
12 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tests/shader.py b/tests/shader.py | ||
15 | index 849273660..e6e65d1ba 100644 | ||
16 | --- a/tests/shader.py | ||
17 | +++ b/tests/shader.py | ||
18 | @@ -52,7 +52,9 @@ for basedir in [TESTS_DIR, GENERATED_TESTS_DIR]: | ||
19 | for group, files in shader_tests.items(): | ||
20 | assert group not in profile.test_list, 'duplicate group: {}'.format(group) | ||
21 | |||
22 | - # We'll end up with a list of tuples, split that into two lists | ||
23 | + # This makes the xml output reproducible, as os.walk() order is random | ||
24 | + files.sort() | ||
25 | + # We'll end up with a list of tuples, split that into two list | ||
26 | files, installedfiles = list(zip(*files)) | ||
27 | files = list(files) | ||
28 | installedfiles = list(installedfiles) | ||
diff --git a/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch b/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch new file mode 100644 index 0000000000..16c7c5c803 --- /dev/null +++ b/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 1c67250308a92d4991ed05d9d240090ab84accae Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Tue, 10 Nov 2020 17:13:50 +0000 | ||
4 | Subject: [PATCH 2/2] tests/util/piglit-shader.c: do not hardcode build path | ||
5 | into target binary | ||
6 | |||
7 | This helps reproducibilty. | ||
8 | |||
9 | Upstream-Status: Inappropriate [oe-core specific] | ||
10 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
11 | --- | ||
12 | tests/util/piglit-shader.c | 2 +- | ||
13 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tests/util/piglit-shader.c b/tests/util/piglit-shader.c | ||
16 | index 4fd68d21e..c9ea8295e 100644 | ||
17 | --- a/tests/util/piglit-shader.c | ||
18 | +++ b/tests/util/piglit-shader.c | ||
19 | @@ -73,7 +73,7 @@ piglit_compile_shader(GLenum target, const char *filename) | ||
20 | |||
21 | source_dir = getenv("PIGLIT_SOURCE_DIR"); | ||
22 | if (source_dir == NULL) { | ||
23 | - source_dir = SOURCE_DIR; | ||
24 | + source_dir = "."; | ||
25 | } | ||
26 | |||
27 | snprintf(filename_with_path, FILENAME_MAX - 1, | ||
28 | -- | ||
29 | 2.17.1 | ||
30 | |||
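Review bot: With `source_dir = ".";` as the fallback in piglit_compile_shader(), shader files are resolved relative to the process's current working directory whenever PIGLIT_SOURCE_DIR is unset, so which file is opened depends on where the test binary is started. That is a reasonable trade for not embedding the build path, but the code should say so, e.g. `/* build path deliberately not compiled in (reproducibility); set PIGLIT_SOURCE_DIR when not running from the source tree */`. The function starts and ends outside the hunk, so whether the `snprintf` result and the later open are checked for failure cannot be seen from here.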
diff --git a/meta/recipes-graphics/piglit/piglit_git.bb b/meta/recipes-graphics/piglit/piglit_git.bb index 58d10d6b9b..9897ef1575 100644 --- a/meta/recipes-graphics/piglit/piglit_git.bb +++ b/meta/recipes-graphics/piglit/piglit_git.bb | |||
@@ -1,16 +1,24 @@ | |||
1 | SUMMARY = "OpenGL driver testing framework" | 1 | SUMMARY = "OpenGL driver testing framework" |
2 | DESCRIPTION = "Piglit is an open-source test suite for OpenGL and OpenCL \ | 2 | DESCRIPTION = "Piglit is an open-source test suite for OpenGL and OpenCL \ |
3 | implementations." | 3 | implementations." |
4 | HOMEPAGE = "https://gitlab.freedesktop.org/mesa/piglit" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/mesa/piglit/-/issues" | ||
4 | LICENSE = "MIT & LGPLv2+ & GPLv3 & GPLv2+ & BSD-3-Clause" | 6 | LICENSE = "MIT & LGPLv2+ & GPLv3 & GPLv2+ & BSD-3-Clause" |
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=b2beded7103a3d8a442a2a0391d607b0" | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=b2beded7103a3d8a442a2a0391d607b0" |
6 | 8 | ||
7 | SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https \ | 9 | SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https;branch=main \ |
8 | file://0001-cmake-install-bash-completions-in-the-right-place.patch \ | 10 | file://0001-cmake-install-bash-completions-in-the-right-place.patch \ |
9 | file://0001-cmake-use-proper-WAYLAND_INCLUDE_DIRS-variable.patch \ | 11 | file://0001-cmake-use-proper-WAYLAND_INCLUDE_DIRS-variable.patch \ |
12 | file://0001-Add-a-missing-include-for-htobe32-definition.patch \ | ||
13 | file://0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch \ | ||
14 | file://0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch \ | ||
15 | file://0001-serializer.py-make-.gz-files-reproducible.patch \ | ||
16 | file://0001-framework-profile.py-make-test-lists-reproducible.patch \ | ||
17 | file://0001-tests-shader.py-sort-the-file-list-before-working-on.patch \ | ||
10 | " | 18 | " |
11 | UPSTREAM_CHECK_COMMITS = "1" | 19 | UPSTREAM_CHECK_COMMITS = "1" |
12 | 20 | ||
13 | SRCREV = "6126c2d4e476c7770d216ffa1932c10e2a5a7813" | 21 | SRCREV = "83bc56abf2686e2cd9024a152e121ca4aa524985" |
14 | # (when PV goes above 1.0 remove the trailing r) | 22 | # (when PV goes above 1.0 remove the trailing r) |
15 | PV = "1.0+gitr${SRCPV}" | 23 | PV = "1.0+gitr${SRCPV}" |
16 | 24 | ||
@@ -35,7 +43,9 @@ do_compile[dirs] =+ "${B}/temp/" | |||
35 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" | 43 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" |
36 | PACKAGECONFIG[freeglut] = "-DPIGLIT_USE_GLUT=1,-DPIGLIT_USE_GLUT=0,freeglut," | 44 | PACKAGECONFIG[freeglut] = "-DPIGLIT_USE_GLUT=1,-DPIGLIT_USE_GLUT=0,freeglut," |
37 | PACKAGECONFIG[x11] = "-DPIGLIT_BUILD_GL_TESTS=ON,-DPIGLIT_BUILD_GL_TESTS=OFF,${X11_DEPS}, ${X11_RDEPS}" | 45 | PACKAGECONFIG[x11] = "-DPIGLIT_BUILD_GL_TESTS=ON,-DPIGLIT_BUILD_GL_TESTS=OFF,${X11_DEPS}, ${X11_RDEPS}" |
46 | PACKAGECONFIG[vulkan] = "-DPIGLIT_BUILD_VK_TESTS=ON,-DPIGLIT_BUILD_VK_TESTS=OFF,vulkan-loader" | ||
38 | 47 | ||
48 | export PIGLIT_BUILD_DIR = "../../../../git" | ||
39 | 49 | ||
40 | do_configure_prepend() { | 50 | do_configure_prepend() { |
41 | if [ "${@bb.utils.contains('PACKAGECONFIG', 'freeglut', 'yes', 'no', d)}" = "no" ]; then | 51 | if [ "${@bb.utils.contains('PACKAGECONFIG', 'freeglut', 'yes', 'no', d)}" = "no" ]; then |
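Review bot: `export PIGLIT_BUILD_DIR = "../../../../git"` in the second hunk is a four-level relative path with no comment saying which directory it is counted from or which build step reads it. If the work directory layout or `S` changes, the path would silently point somewhere else. A comment above it, for example `# relative path from <directory that consumes it> to ${S}; kept relative so no absolute build path leaks into the output`, would let a maintainer check it after a layout change. do_configure_prepend continues past the end of the hunk.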
diff --git a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb index d10bddb529..f69e4838f4 100644 --- a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb +++ b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb | |||
@@ -1,6 +1,9 @@ | |||
1 | SUMMARY = "Enables monitoring and display of application startup" | 1 | SUMMARY = "Enables monitoring and display of application startup" |
2 | DESCRIPTION = "Contains a reference implementation of the startup notification protocol. \ | ||
3 | The reference implementation is mostly under an X Window System style license, and has \ | ||
4 | no special dependencies. " | ||
2 | HOMEPAGE = "http://www.freedesktop.org/wiki/Software/startup-notification/" | 5 | HOMEPAGE = "http://www.freedesktop.org/wiki/Software/startup-notification/" |
3 | BUGTRACKER = "https://bugs.freedesktop.org/enter_bug.cgi?product=Specifications" | 6 | BUGTRACKER = "https://gitlab.freedesktop.org/xdg/startup-notification/-/issues" |
4 | 7 | ||
5 | # most files are under MIT, but libsn/sn-util.c is under LGPL, the | 8 | # most files are under MIT, but libsn/sn-util.c is under LGPL, the |
6 | # effective license is LGPL | 9 | # effective license is LGPL |
diff --git a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb index 3e1ba196b5..b75bd4c51d 100644 --- a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb +++ b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "The Bitstream Vera fonts - TTF Edition" | 1 | SUMMARY = "The Bitstream Vera fonts - TTF Edition" |
2 | HOMEPAGE = "https://www.gnome.org/fonts/" | ||
2 | DESCRIPTION = "The Bitstream Vera fonts include four monospace and sans \ | 3 | DESCRIPTION = "The Bitstream Vera fonts include four monospace and sans \ |
3 | faces (normal, oblique, bold, bold oblique) and two serif faces (normal \ | 4 | faces (normal, oblique, bold, bold oblique) and two serif faces (normal \ |
4 | and bold). In addition Fontconfig/Xft2 can artificially oblique the \ | 5 | and bold). In addition Fontconfig/Xft2 can artificially oblique the \ |
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch new file mode 100644 index 0000000000..4a277bd4d0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001 | ||
2 | From: Gert Wollny <gert.wollny@collabora.com> | ||
3 | Date: Tue, 30 Nov 2021 10:17:26 +0100 | ||
4 | Subject: [PATCH] vrend: Add test to resource OOB write and fix it | ||
5 | |||
6 | v2: Also check that no depth != 1 has been send when none is due | ||
7 | |||
8 | Closes: #250 | ||
9 | Signed-off-by: Gert Wollny <gert.wollny@collabora.com> | ||
10 | Reviewed-by: Chia-I Wu <olvaffe@gmail.com> | ||
11 | |||
12 | https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec | ||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2022-0135 | ||
15 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
16 | --- | ||
17 | src/vrend_renderer.c | 3 +++ | ||
18 | tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++ | ||
19 | 2 files changed, 46 insertions(+) | ||
20 | |||
21 | diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c | ||
22 | index 28f669727..357b81b20 100644 | ||
23 | --- a/src/vrend_renderer.c | ||
24 | +++ b/src/vrend_renderer.c | ||
25 | @@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx, | ||
26 | info->box->height) * elsize; | ||
27 | if (res->target == GL_TEXTURE_3D || | ||
28 | res->target == GL_TEXTURE_2D_ARRAY || | ||
29 | + res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || | ||
30 | res->target == GL_TEXTURE_CUBE_MAP_ARRAY) | ||
31 | send_size *= info->box->depth; | ||
32 | + else if (need_temp && info->box->depth != 1) | ||
33 | + return EINVAL; | ||
34 | |||
35 | if (need_temp) { | ||
36 | data = malloc(send_size); | ||
37 | diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c | ||
38 | index 59d6fb671..2de9a9a3f 100644 | ||
39 | --- a/tests/test_fuzzer_formats.c | ||
40 | +++ b/tests/test_fuzzer_formats.c | ||
41 | @@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() { | ||
42 | virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); | ||
43 | } | ||
44 | |||
45 | +/* Test adapted from yaojun8558363@gmail.com: | ||
46 | + * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 | ||
47 | +*/ | ||
48 | +static void test_vrend_3d_resource_overflow() { | ||
49 | + | ||
50 | + struct virgl_renderer_resource_create_args resource; | ||
51 | + resource.handle = 0x4c474572; | ||
52 | + resource.target = PIPE_TEXTURE_2D_ARRAY; | ||
53 | + resource.format = VIRGL_FORMAT_Z24X8_UNORM; | ||
54 | + resource.nr_samples = 2; | ||
55 | + resource.last_level = 0; | ||
56 | + resource.array_size = 3; | ||
57 | + resource.bind = VIRGL_BIND_SAMPLER_VIEW; | ||
58 | + resource.depth = 1; | ||
59 | + resource.width = 8; | ||
60 | + resource.height = 4; | ||
61 | + resource.flags = 0; | ||
62 | + | ||
63 | + virgl_renderer_resource_create(&resource, NULL, 0); | ||
64 | + virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); | ||
65 | + | ||
66 | + uint32_t size = 0x400; | ||
67 | + uint32_t cmd[size]; | ||
68 | + int i = 0; | ||
69 | + cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; | ||
70 | + cmd[i++] = resource.handle; | ||
71 | + cmd[i++] = 0; // level | ||
72 | + cmd[i++] = 0; // usage | ||
73 | + cmd[i++] = 0; // stride | ||
74 | + cmd[i++] = 0; // layer_stride | ||
75 | + cmd[i++] = 0; // x | ||
76 | + cmd[i++] = 0; // y | ||
77 | + cmd[i++] = 0; // z | ||
78 | + cmd[i++] = 8; // w | ||
79 | + cmd[i++] = 4; // h | ||
80 | + cmd[i++] = 3; // d | ||
81 | + memset(&cmd[i], 0, size - i); | ||
82 | + | ||
83 | + virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); | ||
84 | +} | ||
85 | + | ||
86 | + | ||
87 | int main() | ||
88 | { | ||
89 | initialize_environment(); | ||
90 | @@ -979,6 +1021,7 @@ int main() | ||
91 | test_cs_nullpointer_deference(); | ||
92 | test_vrend_set_signle_abo_heap_overflow(); | ||
93 | |||
94 | + test_vrend_3d_resource_overflow(); | ||
95 | |||
96 | virgl_renderer_context_destroy(ctx_id); | ||
97 | virgl_renderer_cleanup(&cookie); | ||
98 | -- | ||
99 | GitLab | ||
100 | |||
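Review bot: In the added test_vrend_3d_resource_overflow(), `memset(&cmd[i], 0, size - i);` passes an element count where memset expects a byte count, so only the first `size - i` bytes after the header words are zeroed and most of `uint32_t cmd[size]` is submitted uninitialized. The regression test for the out-of-bounds write then depends on stack contents; `memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));` zeroes the whole tail. `struct virgl_renderer_resource_create_args resource;` is likewise filled field by field with no initializer, so any member not assigned here would be indeterminate, and `= {0}` would close that. The patch is marked `Upstream-Status: Backport`, so both points are best raised upstream rather than edited into this copy.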
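--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -10,9 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10"
 
 DEPENDS = "libdrm mesa libepoxy"
 SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
-SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
+SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
 file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
 file://0001-meson.build-use-python3-directly-for-python.patch \
+file://CVE-2022-0135.patch \
 "
 
 S = "${WORKDIR}/git"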
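Review bot: The new `SRC_URI` still fetches over the unauthenticated `git://` transport: it gains `branch=master` but, unlike the other git recipes touched in this commit, no `protocol=https`. The pinned `SRCREV` above it limits what a tampered transfer could substitute, but the transport itself offers no server authentication or encryption. If the host serves this path over HTTPS, `SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master;protocol=https \` would bring it in line with the rest of the series.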
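--- a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
+++ b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2119edef0916b0bd511cb3c731076271"
 
 DEPENDS = "zlib"
 
-SRC_URI = "git://github.com/assimp/assimp.git;branch=assimp_5.0_release \
+SRC_URI = "git://github.com/assimp/assimp.git;nobranch=1;protocol=https \
 file://0001-closes-https-github.com-assimp-assimp-issues-2733-up.patch \
 file://0001-Use-ASSIMP_LIB_INSTALL_DIR-to-search-library.patch \
 "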
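Review bot: `nobranch=1` replaces `branch=assimp_5.0_release` in `SRC_URI` without a comment explaining why. With `nobranch=1` the fetcher no longer checks that the pinned revision belongs to a named branch, so the recipe relies on `SRCREV` alone, which is outside this hunk. A line above the assignment such as `# nobranch=1: <reason, e.g. the release branch is no longer available upstream>` would let a later reviewer judge whether the option can be dropped again.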
diff --git a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb index c94e768b52..b212814759 100644 --- a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb +++ b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb | |||
@@ -8,9 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=dcf473723faabf17baa9b5f2207599d0 \ | |||
8 | SRCREV_glm = "1ad55c5016339b83b7eec98c31007e0aee57d2bf" | 8 | SRCREV_glm = "1ad55c5016339b83b7eec98c31007e0aee57d2bf" |
9 | SRCREV_gli = "7da5f50931225e9819a26d5cb323c5f42da50bcd" | 9 | SRCREV_gli = "7da5f50931225e9819a26d5cb323c5f42da50bcd" |
10 | 10 | ||
11 | SRC_URI = "git://github.com/SaschaWillems/Vulkan.git \ | 11 | SRC_URI = "git://github.com/SaschaWillems/Vulkan.git;branch=master;protocol=https \ |
12 | git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm \ | 12 | git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm;branch=master;protocol=https \ |
13 | git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli \ | 13 | git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli;branch=master;protocol=https \ |
14 | file://0001-Don-t-build-demos-with-questionably-licensed-data.patch \ | 14 | file://0001-Don-t-build-demos-with-questionably-licensed-data.patch \ |
15 | " | 15 | " |
16 | UPSTREAM_CHECK_COMMITS = "1" | 16 | UPSTREAM_CHECK_COMMITS = "1" |
diff --git a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb index 72c29a72a2..c58a801e03 100644 --- a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb +++ b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb | |||
@@ -1,11 +1,15 @@ | |||
1 | SUMMARY = "Vulkan Header files and API registry" | 1 | SUMMARY = "Vulkan Header files and API registry" |
2 | DESCRIPTION = "Vulkan is a 3D graphics and compute API providing cross-platform access \ | ||
3 | to modern GPUs with low overhead and targeting realtime graphics applications such as \ | ||
4 | games and interactive media. This package contains the development headers \ | ||
5 | for packages wanting to make use of Vulkan." | ||
2 | HOMEPAGE = "https://www.khronos.org/vulkan/" | 6 | HOMEPAGE = "https://www.khronos.org/vulkan/" |
3 | BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Headers" | 7 | BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Headers" |
4 | SECTION = "libs" | 8 | SECTION = "libs" |
5 | 9 | ||
6 | LICENSE = "Apache-2.0" | 10 | LICENSE = "Apache-2.0" |
7 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" | 11 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" |
8 | SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126" | 12 | SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126;protocol=https" |
9 | 13 | ||
10 | SRCREV = "5bc459e2921304c32568b73edaac8d6df5f98b84" | 14 | SRCREV = "5bc459e2921304c32568b73edaac8d6df5f98b84" |
11 | 15 | ||
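--- a/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
@@ -9,7 +9,7 @@ SECTION = "libs"
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=7dbefed23242760aa3475ee42801c5ac"
-SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126"
+SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126;protocol=https"
 SRCREV = "4adad4ff705fa76f9edb2d37cb57e593decb60ed"
 
 S = "${WORKDIR}/git"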
diff --git a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb index 2fd61c989a..ec65f11952 100644 --- a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb +++ b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb | |||
@@ -1,11 +1,12 @@ | |||
1 | SUMMARY = "Vulkan Utilities and Tools" | 1 | SUMMARY = "Vulkan Utilities and Tools" |
2 | DESCRIPTION = "Assist development by enabling developers to verify their applications correct use of the Vulkan API." | ||
2 | HOMEPAGE = "https://www.khronos.org/vulkan/" | 3 | HOMEPAGE = "https://www.khronos.org/vulkan/" |
3 | BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Tools" | 4 | BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Tools" |
4 | SECTION = "libs" | 5 | SECTION = "libs" |
5 | 6 | ||
6 | LICENSE = "Apache-2.0" | 7 | LICENSE = "Apache-2.0" |
7 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" | 8 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" |
8 | SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126" | 9 | SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126;protocol=https" |
9 | SRCREV = "09695dfc5dbe54f869aeaff8db93bb7bb6a220e0" | 10 | SRCREV = "09695dfc5dbe54f869aeaff8db93bb7bb6a220e0" |
10 | 11 | ||
11 | S = "${WORKDIR}/git" | 12 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb index a620295978..f0dc780ca1 100644 --- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb +++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb | |||
@@ -1,13 +1,21 @@ | |||
1 | SUMMARY = "cross-platform C library to defer selection of GL API and of window system" | 1 | SUMMARY = "A C library for selecting an OpenGL API and window system at runtime" |
2 | DESCRIPTION = "A cross-platform C library that allows one to defer selection \ | ||
3 | of an OpenGL API and window system until runtime. For example, on Linux, Waffle \ | ||
4 | enables an application to select X11/EGL with an OpenGL 3.3 core profile, \ | ||
5 | Wayland with OpenGL ES2, and other window system / API combinations." | ||
6 | HOMEPAGE = "https://gitlab.freedesktop.org/mesa/waffle" | ||
7 | BUGTRACKER = "https://gitlab.freedesktop.org/mesa/waffle" | ||
2 | LICENSE = "BSD-2-Clause" | 8 | LICENSE = "BSD-2-Clause" |
3 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \ | 9 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \ |
4 | file://include/waffle/waffle.h;endline=24;md5=61dbf8697f61c78645e75a93c585b1bf" | 10 | file://include/waffle/waffle.h;endline=24;md5=61dbf8697f61c78645e75a93c585b1bf" |
5 | 11 | ||
6 | SRC_URI = "http://waffle-gl.org/files/release/${BPN}-${PV}/${BPN}-${PV}.tar.xz" | 12 | SRC_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/archive/v${PV}/${BPN}-v${PV}.tar.bz2" |
7 | SRC_URI[md5sum] = "61bfc1a478e840825f33ddb4057115e7" | 13 | SRC_URI[md5sum] = "9eaef03c8220dc8d64e2e42ae1b8c942" |
8 | SRC_URI[sha256sum] = "d9c899f710c50cfdd00f5f4cdfeaef0687d8497362239bdde93bed6c909c81d7" | 14 | SRC_URI[sha256sum] = "38ef38fefbda605ba905ce00435a63fe45e9bf17a5eff096c3a47b5006a619cb" |
9 | 15 | ||
10 | UPSTREAM_CHECK_URI = "http://www.waffle-gl.org/releases.html" | 16 | S = "${WORKDIR}/${BPN}-v${PV}" |
17 | |||
18 | UPSTREAM_CHECK_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/releases" | ||
11 | 19 | ||
12 | inherit meson features_check lib_package bash-completion | 20 | inherit meson features_check lib_package bash-completion |
13 | 21 | ||
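Review bot: The new `SRC_URI` points at a forge-generated archive (`.../-/archive/v${PV}/${BPN}-v${PV}.tar.bz2`) instead of a published release tarball, and such archives are produced on demand, so their bytes may not stay identical over time. `SRC_URI[sha256sum]` will catch any change, which is the right outcome for integrity, but it would surface as a fetch failure. A comment beside the checksums, e.g. `# auto-generated archive; re-verify against the v${PV} tag if the checksum stops matching`, would tell whoever hits that what to check. `SRC_URI[md5sum]` is still carried alongside; the sha256 value is the one that provides meaningful integrity.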
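--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
@@ -0,0 +1,360 @@
+From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Mar 2022 09:25:22 +1000
+Subject: [PATCH] evdev: strip the device name of format directives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a format string vulnerabilty.
+
+evdev_log_message() composes a format string consisting of a fixed
+prefix (including the rendered device name) and the passed-in format
+buffer. This format string is then passed with the arguments to the
+actual log handler, which usually and eventually ends up being printf.
+
+If the device name contains a printf-style format directive, these ended
+up in the format string and thus get interpreted correctly, e.g. for a
+device "Foo%sBar" the log message vs printf invocation ends up being:
+evdev_log_message(device, "some message %s", "some argument");
+printf("event9 - Foo%sBar: some message %s", "some argument");
+
+This can enable an attacker to execute malicious code with the
+privileges of the process using libinput.
+
+To exploit this, an attacker needs to be able to create a kernel device
+with a malicious name, e.g. through /dev/uinput or a Bluetooth device.
+
+To fix this, convert any potential format directives in the device name
+by duplicating percentages.
+
+Pre-rendering the device to avoid the issue altogether would be nicer
+but the current log level hooks do not easily allow for this. The device
+name is the only user-controlled part of the format string.
+
+A second potential issue is the sysname of the device which is also
+sanitized.
+
+This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from
+Assured AB, and independently by Lukas Lamster.
+
+Fixes #752
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1)
+
+CVE: CVE-2022-1215
+Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+meson.build | 1 +
+src/evdev.c | 31 +++++++++++------
+src/evdev.h | 6 ++--
+src/util-strings.h | 30 ++++++++++++++++
+test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++
+test/litest.h | 1 +
+test/test-utils.c | 26 ++++++++++++++
+7 files changed, 139 insertions(+), 12 deletions(-)
+create mode 100644 test/litest-device-format-string.c
+
+diff --git a/meson.build b/meson.build
+index 90f528e6..1f6159e7 100644
+--- a/meson.build
++++ b/meson.build
+@@ -787,6 +787,7 @@
+'test/litest-device-dell-canvas-totem-touch.c',
+'test/litest-device-elantech-touchpad.c',
+'test/litest-device-elan-tablet.c',
++ 'test/litest-device-format-string.c',
+'test/litest-device-generic-singletouch.c',
+'test/litest-device-gpio-keys.c',
+'test/litest-device-huion-pentablet.c',
+diff --git a/src/evdev.c b/src/evdev.c
+index 6d81f58f..d1c35c07 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat,
+struct libinput *libinput = seat->libinput;
+struct evdev_device *device = NULL;
+int rc;
+- int fd;
++ int fd = -1;
+int unhandled_device = 0;
+const char *devnode = udev_device_get_devnode(udev_device);
+- const char *sysname = udev_device_get_sysname(udev_device);
++ char *sysname = str_sanitize(udev_device_get_sysname(udev_device));
+
+if (!devnode) {
+log_info(libinput, "%s: no device node associated\n", sysname);
+- return NULL;
++ goto err;
+}
+
+if (udev_device_should_be_ignored(udev_device)) {
+log_debug(libinput, "%s: device is ignored\n", sysname);
+- return NULL;
++ goto err;
+}
+
+/* Use non-blocking mode so that we can loop on read on
+@@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat,
+sysname,
+devnode,
+strerror(-fd));
+- return NULL;
++ goto err;
+}
+
+if (!evdev_device_have_same_syspath(udev_device, fd))
+goto err;
+
+device = zalloc(sizeof *device);
++ device->sysname = sysname;
++ sysname = NULL;
+
+libinput_device_init(&device->base, seat);
+libinput_seat_ref(seat);
+@@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat,
+device->dispatch = NULL;
+device->fd = fd;
+device->devname = libevdev_get_name(device->evdev);
++ /* the log_prefix_name is used as part of a printf format string and
++ * must not contain % directives, see evdev_log_msg */
++ device->log_prefix_name = str_sanitize(device->devname);
+device->scroll.threshold = 5.0; /* Default may be overridden */
+device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */
+device->scroll.direction = 0;
+@@ -2238,9 +2238,14 @@
+return device;
+
+err:
+- close_restricted(libinput, fd);
+- if (device)
+- evdev_device_destroy(device);
++ if (fd >= 0) {
++ close_restricted(libinput, fd);
++ if (device) {
++ unhandled_device = device->seat_caps == 0;
++ evdev_device_destroy(device);
++ }
++ }
++ free(sysname);
+
+return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL;
+}
+@@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device)
+const char *
+evdev_device_get_sysname(struct evdev_device *device)
+{
+- return udev_device_get_sysname(device->udev_device);
++ return device->sysname;
+}
+
+const char *
+@@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device)
+if (device->base.group)
+libinput_device_group_unref(device->base.group);
+
++ free(device->log_prefix_name);
++ free(device->sysname);
+free(device->output_name);
+filter_destroy(device->pointer.filter);
+libinput_timer_destroy(&device->scroll.timer);
+diff --git a/src/evdev.h b/src/evdev.h
+index c7d130f8..980c5943 100644
+--- a/src/evdev.h
++++ b/src/evdev.h
+@@ -169,6 +169,8 @@ struct evdev_device {
+struct udev_device *udev_device;
+char *output_name;
+const char *devname;
++ char *log_prefix_name;
++ char *sysname;
+bool was_removed;
+int fd;
+enum evdev_device_seat_capability seat_caps;
+@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device,
+sizeof(buf),
+"%-7s - %s%s%s",
+evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+format);
+
+@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device,
+sizeof(buf),
+"%-7s - %s%s%s",
+evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+format);
+
+diff --git a/src/util-strings.h b/src/util-strings.h
+index 2a15fab3..d5a84146 100644
+--- a/src/util-strings.h
++++ b/src/util-strings.h
+@@ -42,6 +42,7 @@
+#ifdef HAVE_XLOCALE_H
+#include <xlocale.h>
+#endif
++#include "util-macros.h"
+
+#define streq(s1, s2) (strcmp((s1), (s2)) == 0)
+#define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0)
+@@ -312,3 +313,31 @@
+free(result);
+return -1;
+}
++
++/**
++ * Return a copy of str with all % converted to %% to make the string
++ * acceptable as printf format.
++ */
++static inline char *
++str_sanitize(const char *str)
++{
++ if (!str)
++ return NULL;
++
++ if (!strchr(str, '%'))
++ return strdup(str);
++
++ size_t slen = min(strlen(str), 512);
++ char *sanitized = zalloc(2 * slen + 1);
++ const char *src = str;
++ char *dst = sanitized;
++
++ for (size_t i = 0; i < slen; i++) {
++ if (*src == '%')
++ *dst++ = '%';
++ *dst++ = *src++;
++ }
++ *dst = '\0';
++
++ return sanitized;
++}
+diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c
+new file mode 100644
+index 00000000..aed15db4
+--- /dev/null
++++ b/test/litest-device-format-string.c
+@@ -0,0 +1,56 @@
++
++/*
++ * Copyright © 2013 Red Hat, Inc.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#include "config.h"
++
++#include "litest.h"
++#include "litest-int.h"
++
++static struct input_id input_id = {
++ .bustype = 0x3,
++ .vendor = 0x0123,
++ .product = 0x0456,
++};
++
++static int events[] = {
++ EV_KEY, BTN_LEFT,
++ EV_KEY, BTN_RIGHT,
++ EV_KEY, BTN_MIDDLE,
++ EV_REL, REL_X,
++ EV_REL, REL_Y,
++ EV_REL, REL_WHEEL,
++ EV_REL, REL_WHEEL_HI_RES,
++ -1 , -1,
++};
++
++TEST_DEVICE("mouse-format-string",
++ .type = LITEST_MOUSE_FORMAT_STRING,
++ .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL,
++ .interface = NULL,
++
++ .name = "Evil %s %d %x Mouse %p %",
++ .id = &input_id,
++ .absinfo = NULL,
++ .events = events,
++)
+diff --git a/test/litest.h b/test/litest.h
+index 4982e516..1b1daa90 100644
+--- a/test/litest.h
++++ b/test/litest.h
+@@ -303,6 +303,7 @@
+LITEST_ALPS_3FG,
+LITEST_ELAN_TABLET,
+LITEST_ABSINFO_OVERRIDE,
++ LITEST_MOUSE_FORMAT_STRING,
+};
+
+#define LITEST_DEVICELESS -2
+diff --git a/test/test-utils.c b/test/test-utils.c
+index 989adecd..e80754be 100644
+--- a/test/test-utils.c
++++ b/test/test-utils.c
+@@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test)
+}
+END_TEST
+
++START_TEST(strsanitize_test)
++{
++ struct strsanitize_test {
++ const char *string;
++ const char *expected;
++ } tests[] = {
++ { "foobar", "foobar" },
++ { "", "" },
++ { "%", "%%" },
++ { "%%%%", "%%%%%%%%" },
++ { "x %s", "x %%s" },
++ { "x %", "x %%" },
++ { "%sx", "%%sx" },
++ { "%s%s", "%%s%%s" },
++ { NULL, NULL },
++ };
++
++ for (struct strsanitize_test *t = tests; t->string; t++) {
++ char *sanitized = str_sanitize(t->string);
++ ck_assert_str_eq(sanitized, t->expected);
++ free(sanitized);
++ }
++}
++END_TEST
++
+START_TEST(list_test_insert)
+{
+struct list_test {
+@@ -1138,6 +1138,7 @@
+tcase_add_test(tc, strsplit_test);
+tcase_add_test(tc, kvsplit_double_test);
+tcase_add_test(tc, strjoin_test);
++ tcase_add_test(tc, strsanitize_test);
+tcase_add_test(tc, time_conversion);
+
+tcase_add_test(tc, list_test_insert);
+
+--
+GitLab
+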
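Review bot: The trailer `Upstream Status: Backport [...]` in the patch header is missing its hyphen, so tooling that looks for the `Upstream-Status:` tag will not recognise this backport; it should read `Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]`. Two hunk headers, `@@ -2238,9 +2238,14 @@` in src/evdev.c and `@@ -1138,6 +1138,7 @@` in test/test-utils.c, sit out of ascending order among their neighbours, which suggests they were re-cut by hand and apply only by offset search; regenerating the patch against the 1.15.2 tree would let it apply without fuzz. The `err:` hunk also adds `unhandled_device = device->seat_caps == 0;`, which is not among its removed lines, so the failure return of evdev_device_create() may change beyond the format-string fix; this should be confirmed against the rest of the function, which lies outside the patch context.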
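--- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
@@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev"
 
 SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \
 file://determinism.patch \
+file://CVE-2022-1215.patch \
 "
 SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643"
 SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747"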
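--- /dev/null
+++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
@@ -0,0 +1,111 @@
+From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001
+From: Derek Foreman <derek.foreman@collabora.com>
+Date: Fri, 28 Jan 2022 13:18:37 -0600
+Subject: [PATCH] util: Limit size of wl_map
+
+Since server IDs are basically indistinguishable from really big client
+IDs at many points in the source, it's theoretically possible to overflow
+a map and either overflow server IDs into the client ID space, or grow
+client IDs into the server ID space. This would currently take a massive
+amount of RAM, but the definition of massive changes yearly.
+
+Prevent this by placing a ridiculous but arbitrary upper bound on the
+number of items we can put in a map: 0xF00000, somewhere over 15 million.
+This should satisfy pathological clients without restriction, but stays
+well clear of the 0xFF000000 transition point between server and client
+IDs. It will still take an improbable amount of RAM to hit this, and a
+client could still exhaust all RAM in this way, but our goal is to prevent
+overflow and undefined behaviour.
+
+Fixes #224
+
+Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3782
+
+Reference to upstream patch:
+https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
+
+[DP: adjust context for wayland version 1.20.0]
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+src/wayland-private.h | 1 +
+src/wayland-util.c | 25 +++++++++++++++++++++++--
+2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/wayland-private.h b/src/wayland-private.h
+index 9bf8cb7..35dc40e 100644
+--- a/src/wayland-private.h
++++ b/src/wayland-private.h
+@@ -45,6 +45,7 @@
+#define WL_MAP_SERVER_SIDE 0
+#define WL_MAP_CLIENT_SIDE 1
+#define WL_SERVER_ID_START 0xff000000
++#define WL_MAP_MAX_OBJECTS 0x00f00000
+#define WL_CLOSURE_MAX_ARGS 20
+
+struct wl_object {
+diff --git a/src/wayland-util.c b/src/wayland-util.c
+index d5973bf..3e45d19 100644
+--- a/src/wayland-util.c
++++ b/src/wayland-util.c
+@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+union map_entry *start, *entry;
+struct wl_array *entries;
+uint32_t base;
++ uint32_t count;
+
+if (map->side == WL_MAP_CLIENT_SIDE) {
+entries = &map->client_entries;
+@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+start = entries->data;
+}
+
++ /* wl_array only grows, so if we have too many objects at
++ * this point there's no way to clean up. We could be more
++ * pro-active about trying to avoid this allocation, but
++ * it doesn't really matter because at this point there is
++ * nothing to be done but disconnect the client and delete
++ * the whole array either way.
++ */
++ count = entry - start;
++ if (count > WL_MAP_MAX_OBJECTS) {
++ /* entry->data is freshly malloced garbage, so we'd
++ * better make it a NULL so wl_map_for_each doesn't
++ * dereference it later. */
++ entry->data = NULL;
++ return 0;
++ }
+entry->data = data;
+entry->next |= (flags & 0x1) << 1;
+
+- return (entry - start) + base;
++ return count + base;
+}
+
+int
+@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
+i -= WL_SERVER_ID_START;
+}
+
++ if (i > WL_MAP_MAX_OBJECTS)
++ return -1;
++
+count = entries->size / sizeof *start;
+if (count < i)
+return -1;
+@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
+i -= WL_SERVER_ID_START;
+}
+
+- count = entries->size / sizeof *start;
++ if (i > WL_MAP_MAX_OBJECTS)
++ return -1;
+
++ count = entries->size / sizeof *start;
+if (count < i)
+return -1;
+
+--
+2.37.3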
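Review bot: wl_map_insert_new() now returns 0 once `count > WL_MAP_MAX_OBJECTS`, so the cap protects the ID space only if every caller treats 0 as a failure rather than storing it as an object ID; no caller is touched by this patch, so that needs checking in the 1.18.0 sources this recipe builds. The backport note reads `[DP: adjust context for wayland version 1.20.0]` while the patch is added to wayland_1.18.0.bb, so the context should be confirmed for 1.18.0 or the note corrected. A short comment at the early return, such as `/* 0 = map full; callers must treat this as an allocation failure */`, would make the contract explicit.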
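--- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb
+++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
 file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \
 file://0001-build-Fix-strndup-detection-on-MinGW.patch \
 file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \
+file://CVE-2021-3782.patch \
 "
 SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65"
 SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d"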
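--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
@@ -0,0 +1,32 @@
+From 5c74a0640e873694bf60a88eceb21f664cb4b8f7 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 20:03:49 +0200
+Subject: [PATCH 2/5] desktop-shell: Remove no-op de-activation of the xdg
+top-level surface
+
+The shsurf is calloc'ed so the surface count is always 0. Not only
+that but the surface is not set as active by default, so there's no
+need to de-activate it.
+
+Upstream-Status: Backport [05bef4c18a3e82376a46a4a28d978389c4c0fd0f]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+desktop-shell/shell.c | 2 --
+1 file changed, 2 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 442a625f..3791be25 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -2427,8 +2427,6 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface,
+wl_list_init(&shsurf->children_link);
+
+weston_desktop_surface_set_user_data(desktop_surface, shsurf);
+- weston_desktop_surface_set_activated(desktop_surface,
+- shsurf->focus_count > 0);
+}
+
+static void
+--
+2.34.1
+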
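--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
@@ -0,0 +1,57 @@
+From edb31c456ae3da7ffffefb668a37ab88075c4b67 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:40:22 +0200
+Subject: [PATCH 3/5] desktop-shell: Rename gain/lose keyboard focus to
+activate/de-activate
+
+This way it better reflects that it handles activation rather that input
+focus.
+
+Upstream-Status: Backport [ab39e1d76d4f6715cb300bc37f5c2a0e2d426208]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+desktop-shell/shell.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 3791be25..c4669f11 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1869,14 +1869,14 @@ handle_pointer_focus(struct wl_listener *listener, void *data)
+}
+
+static void
+-shell_surface_lose_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_deactivate(struct shell_surface *shsurf)
+{
+if (--shsurf->focus_count == 0)
+weston_desktop_surface_set_activated(shsurf->desktop_surface, false);
+}
+
+static void
+-shell_surface_gain_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_activate(struct shell_surface *shsurf)
+{
+if (shsurf->focus_count++ == 0)
+weston_desktop_surface_set_activated(shsurf->desktop_surface, true);
+@@ -1891,7 +1891,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+if (seat->focused_surface) {
+struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+if (shsurf)
+- shell_surface_lose_keyboard_focus(shsurf);
++ shell_surface_deactivate(shsurf);
+}
+
+seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+@@ -1899,7 +1899,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+if (seat->focused_surface) {
+struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+if (shsurf)
+- shell_surface_gain_keyboard_focus(shsurf);
++ shell_surface_activate(shsurf);
+}
+}
+
+--
+2.34.1
+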
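--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
@@ -0,0 +1,99 @@
+From 899ad5a6a8a92f2c10e0694a45c982b7d878aed6 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:44:26 +0200
+Subject: [PATCH 4/5] desktop-shell: Embed keyboard focus handle code when
+activating
+
+We shouldn't be constrained by having a keyboard plugged-in, so avoid
+activating/de-activating the window/surface in the keyboard focus
+handler and embed it straight into the window activation part.
+
+Upstream-Status: Backport [f12697bb3e4c6eb85437ed905e7de44ae2a0ba69]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+desktop-shell/shell.c | 41 +++++++++++++++++++++++++----------------
+1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index c4669f11..c6a4fe91 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1885,22 +1885,7 @@ shell_surface_activate(struct shell_surface *shsurf)
+static void
+handle_keyboard_focus(struct wl_listener *listener, void *data)
+{
+- struct weston_keyboard *keyboard = data;
+- struct shell_seat *seat = get_shell_seat(keyboard->seat);
+-
+- if (seat->focused_surface) {
+- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+- if (shsurf)
+- shell_surface_deactivate(shsurf);
+- }
+-
+- seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+-
+- if (seat->focused_surface) {
+- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+- if (shsurf)
+- shell_surface_activate(shsurf);
+- }
++ /* FIXME: To be removed later. */
+}
+
+/* The surface will be inserted into the list immediately after the link
+@@ -2438,6 +2423,7 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+struct shell_surface *shsurf_child, *tmp;
+struct weston_surface *surface =
+weston_desktop_surface_get_surface(desktop_surface);
++ struct weston_seat *seat;
+
+if (!shsurf)
+return;
+@@ -2448,6 +2434,18 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+}
+wl_list_remove(&shsurf->children_link);
+
++ wl_list_for_each(seat, &shsurf->shell->compositor->seat_list, link) {
++ struct shell_seat *shseat = get_shell_seat(seat);
++ /* activate() controls the focused surface activation and
++ * removal of a surface requires invalidating the
++ * focused_surface to avoid activate() use a stale (and just
++ * removed) surface when attempting to de-activate it. It will
++ * also update the focused_surface once it has a chance to run.
++ */
++ if (surface == shseat->focused_surface)
++ shseat->focused_surface = NULL;
++ }
++
+wl_signal_emit(&shsurf->destroy_signal, shsurf);
+
+if (shsurf->fullscreen.black_view)
+@@ -3836,6 +3834,7 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+struct workspace *ws;
+struct weston_surface *old_es;
+struct shell_surface *shsurf, *shsurf_child;
++ struct shell_seat *shseat = get_shell_seat(seat);
+
+main_surface = weston_surface_get_main_surface(es);
+shsurf = get_shell_surface(main_surface);
+@@ -3855,6 +3854,16 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+
+weston_view_activate(view, seat, flags);
+
++ if (shseat->focused_surface) {
++ struct shell_surface *current_focus =
++ get_shell_surface(shseat->focused_surface);
++ assert(current_focus);
++ shell_surface_deactivate(current_focus);
++ }
++
++ shseat->focused_surface = main_surface;
++ shell_surface_activate(shsurf);
++
+state = ensure_focus_state(shell, seat);
+if (state == NULL)
+return;
+--
+2.34.1
+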
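Review bot: In activate(), `assert(current_focus);` replaces the `if (shsurf)` guard that the removed handle_keyboard_focus() body placed around the same get_shell_surface() lookup, so a focused surface with no shell surface now aborts the compositor instead of being skipped. In a build where assertions are compiled out, the NULL pointer would be passed straight to `shell_surface_deactivate(current_focus)`. Keeping the tolerant form, `if (current_focus) shell_surface_deactivate(current_focus);`, would preserve the earlier behaviour. activate() starts and ends outside the hunk, so whether `shsurf` is validated before `shell_surface_activate(shsurf)` cannot be seen here and should be checked.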
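--- a/meta/recipes-graphics/wayland/weston_8.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_8.0.0.bb
@@ -10,6 +10,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
 file://weston.desktop \
 file://xwayland.weston-start \
 file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
+file://0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch \
+file://0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch \
+file://0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch \
 "
 SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3"
 SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848"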
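--- a/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
+++ b/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Touchscreen calibration data from xinput-calibrator"
+DESCRIPTION = "A generic touchscreen calibration program for X.Org"
+HOMEPAGE = "https://www.freedesktop.org/wiki/Software/xinput_calibrator/"
+BUGTRACKER = "https://github.com/tias/xinput_calibrator/issues"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 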
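--- a/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
+++ b/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
@@ -12,7 +12,7 @@ inherit autotools pkgconfig features_check
 REQUIRED_DISTRO_FEATURES = "x11"
 
 SRCREV = "18ec53f1cada39f905614ebfaffed5c7754ecf46"
-SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput \
+SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput;protocol=https \
 file://30xinput_calibrate.sh \
 file://Allow-xinput_calibrator_pointercal.sh-to-be-run-as-n.patch \
 file://0001-calibrator.hh-Include-string-to-get-std-string.patch \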
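--- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
+++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
@@ -13,7 +13,7 @@ SRCREV = "f66d39544bb8339130c96d282a80f87ca1606caf"
 PV = "2.99.917+git${SRCPV}"
 S = "${WORKDIR}/git"
 
-SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel"
+SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel;branch=master"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
 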
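Review bot: The SRC_URI on the changed line still fetches over the plain `git://` transport, whereas the xinput-calibrator recipe in this same commit gains `;protocol=https`. The pinned `SRCREV` limits what a tampered fetch could deliver, but an authenticated transport would be the more consistent choice here if the host serves this repository over https (the URL path may differ from the one shown).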
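--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
@@ -14,8 +14,6 @@ SOURCE_DATE_EPOCH = "1613559011"
 
 PE = "1"
 PR = "r3"
-HASHEQUIV_HASH_VERSION .= ".1"
-
 
 inherit allarch features_check
 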
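--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+src/Font.c | 6 ++++--
+src/FontInfo.c | 3 +++
+src/FontNames.c | 3 +++
+src/GetColor.c | 4 ++++
+src/LoadFont.c | 4 ++++
+src/LookupCol.c | 6 ++++--
+src/ParseCol.c | 5 ++++-
+src/QuExt.c | 5 +++++
+src/SetFPath.c | 8 +++++++-
+src/SetHints.c | 7 +++++++
+src/StNColor.c | 3 +++
+src/StName.c | 7 ++++++-
+12 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+#endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+return font_result;
+LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+
+if (!name)
+return 0;
+- l = strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ l = (int) strlen(name);
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+return 0;
+charset = NULL;
+/* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+register xListFontsReq *req;
+int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+LockDisplay(dpy);
+GetReq(ListFontsWithInfo, req);
+req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+register xListFontsReq *req;
+unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+LockDisplay(dpy);
+GetReq(ListFonts, req);
+req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+XcmsColor cmsColor_exact;
+Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include "Xlibint.h"
+
+Font
+@@ -38,6 +39,9 @@ XLoadFont (
+Font fid;
+register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+XcmsCCC ccc;
+XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+* Xcms and i18n methods failed, so lets pass it to the server
+* for parsing.
+*/
+-
+- n = strlen (spec);
+LockDisplay(dpy);
+GetReq (LookupColor, req);
+req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+XcmsColor cmsColor;
+
+if (!spec) return(0);
+- n = strlen (spec);
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+if (*spec == '#') {
+/*
+* RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
++#include <stdbool.h>
+#include "Xlibint.h"
+
+Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+xQueryExtensionReply rep;
+register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+LockDisplay(dpy);
+GetReq(QueryExtension, req);
+req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
++#include <limits.h>
+#endif
+#include "Xlibint.h"
+
+@@ -48,7 +49,12 @@ XSetFontPath (
+GetReq (SetFontPath, req);
+req->nFonts = ndirs;
+for (i = 0; i < ndirs; i++) {
+- n += safestrlen (directories[i]) + 1;
++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+}
+nbytes = (n + 3) & ~3;
+req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <X11/Xlibint.h>
+#include <X11/Xutil.h>
+#include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+register char *buf, *bp;
+for (i = 0, nbytes = 0; i < argc; i++) {
+nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+}
+if ((bp = buf = Xmalloc(nbytes))) {
+/* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+if (icon_string != NULL) {
+XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+len_nm = safestrlen(classhint->res_name);
+len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+if (len_nm) {
+strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+XcmsColor cmsColor_exact;
+XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <X11/Xlibint.h>
+#include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+Window w,
+_Xconst char *name)
+{
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+8, PropModeReplace, (_Xconst unsigned char *)name,
+name ? strlen(name) : 0);
+}
+@@ -47,6 +50,8 @@ XSetIconName (
+Window w,
+_Xconst char *icon_name)
+{
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+PropModeReplace, (_Xconst unsigned char *)icon_name,
+icon_name ? strlen(icon_name) : 0);
+--
+2.32.0
+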
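Review bot: Several of the new length checks call `strlen()` on a pointer that the surrounding code treats as possibly NULL. In src/QuExt.c the added `if (strlen(name) >= USHRT_MAX)` sits directly above `req->nbytes = name ? strlen(name) : 0;`, and the XStoreName and XSetIconName checks in src/StName.c precede the same `name ? strlen(name) : 0` pattern, so a NULL argument that was tolerated before would now be dereferenced; `if (name != NULL && strlen(name) >= USHRT_MAX)` keeps the old contract. Separately, src/SetFPath.c places `#include <limits.h>` inside the `#ifdef HAVE_CONFIG_H` block, unlike the other files, so `USHRT_MAX` is only guaranteed there when config.h is in use; moving the include below the `#endif` would match the rest. The function bodies continue outside these hunks.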
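--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 2 Nov 2022 17:04:15 +0530
+Subject: [PATCH] CVE-2022-3554
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+_XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+the internal function pointers, but the internal close function does
+not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+Date: Mon, 03 Oct 2022 18:47:32 +0800
+From: Po Lu <luangruo@yahoo.com>
+To: xorg-devel@lists.x.org
+Subject: Re: Yet another leak in Xlib
+
+For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+XSetLocaleModifiers ("");
+XRegisterIMInstantiateCallback (compositor.display,
+XrmGetDatabase (compositor.display),
+(char *) compositor.resource_name,
+(char *) compositor.app_name,
+IMInstantiateCallback, NULL);
+and XMODIFIERS is:
+
+@im=ibus
+
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+modules/im/ximcp/imInsClbk.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 961aaba..0a8a874 100644
+--- a/modules/im/ximcp/imInsClbk.c
++++ b/modules/im/ximcp/imInsClbk.c
+@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
+if( xim ) {
+lock = True;
+xim->methods->close( (XIM)xim );
++ /* XIMs must be freed manually after being opened; close just
++ does the protocol to deinitialize the IM. */
++ XFree( xim );
+lock = False;
+icb->call = True;
+callback( display, client_data, NULL );
+--
+2.25.1
+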
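Review bot: The upstream author's trailer reads `Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>`, which looks like text copied from a rendered web page rather than the trailer of the upstream commit; it should be `Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>`. The Subject is only `CVE-2022-3554`, with the real summary (`fix a memory leak in XRegisterIMInstantiateCallback`) pushed below the tags, so a short log will not say what the patch does. The added `XFree( xim )` depends on `xim->methods->close()` never releasing the structure itself, as the description states; that function is not visible in the hunk, so it is worth confirming for every close implementation this backport is built against.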
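--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE:CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+src/xcb_disp.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+dpy->xcb->pending_requests = tmp->next;
+free(tmp);
+}
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+xcondition_free(dpy->xcb->event_notify);
+xcondition_free(dpy->xcb->reply_notify);
+Xfree(dpy->xcb);
+--
+2.18.2
+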
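Review bot: The tag line `CVE:CVE-2022-3555` has no space after the colon, and `Upstream-Status: Backport from [...]` adds a word that the other patches in this commit do not use; the forms used elsewhere on this page are `CVE: CVE-2022-3555` and `Upstream-Status: Backport [URL]`. Tooling that collects patched CVE ids from these headers may not recognise the unspaced form, although the file name also carries the id and probably covers it. Using the same two tag formats as the sibling patches removes the doubt.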
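--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+#include <X11/Xos.h>
+#include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+/*
+* This routine is used to link a extension in so it will be called
+* at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+WireToEventType proc) /* routine to call when converting event */
+{
+register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+LockDisplay (dpy);
+oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+)
+{
+WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+LockDisplay (dpy);
+oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+)
+{
+CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+LockDisplay (dpy);
+oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+EventToWireType proc) /* routine to call when converting event */
+{
+register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+LockDisplay (dpy);
+oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+WireToErrorType proc) /* routine to call when converting error */
+{
+register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+LockDisplay (dpy);
+if (!dpy->error_vec) {
+--
+GitLab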
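Review bot: The event-number checks in XESetWireToEvent and XESetEventToWire use `event_number < 0` as the lower bound, while the comment added above them says extensions own events 64 through 127 and the opcode checks use `FirstExtensionRequest` as their floor. The check therefore stops the out-of-bounds write but still lets a caller replace the handler slot for a core event number; if that is deliberate for compatibility, a short comment next to the check saying that only the array bound is enforced would make the asymmetry clear. Also, `FirstExtensionRequest` is defined only inside `#ifndef LastExtensionRequest`, so the two macros would be safer with separate guards, and `LastExtensionError` is used in XESetWireToError without a fallback definition in this patch, presumably because an existing header supplies it. Each function body continues outside its hunk.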
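--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+_XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/xkb/XKBGetMap.c | 14 +++++++++-----
+1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+if (offset + newMap->nSyms >= map->size_syms) {
+register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+if (map->syms == NULL) {
+map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+map->size_syms = sz;
+}
+if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+offset += newMap->nSyms;
+}
+else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+if (newSyms == NULL)
+return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+else
+newSyms[0] = NoSymbol;
+oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+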
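Review bot: The new size computation in the first hunk mixes signedness: `sz` is declared `register int`, yet `((sz + (unsigned) 128) / 128) * 128` is evaluated in unsigned arithmetic and converted back on assignment. Declaring `sz` as `unsigned int`, or dropping the cast, would avoid relying on that conversion, and a comment such as `/* round up past offset + nSyms to the next multiple of 128 */` would explain the expression. The two new `return BadLength` paths leave in the middle of the loop; the hunks do not show whether the caller releases the partially filled map, so that is worth checking. _XkbReadKeySyms starts and ends outside the hunks.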
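--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+req_width, req_height - SubImageHeight,
+dest_bits_per_pixel, dest_scanline_pad);
+} else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+(unsigned int) SubImageWidth, 1,
+--
+2.39.3
+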
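Review bot: The new `/ dest_bits_per_pixel` can leave `SubImageWidth` at zero (or negative, if `left_pad` exceeds the padded bit count) when `Available` is small, and the hunk then casts it to `unsigned int` and passes it straight to the recursive `PutSubImage` call. Whether a zero-width chunk still makes progress depends on code outside the hunk, so it is worth confirming that this branch cannot recurse with an unchanged `req_width`; a check of the form `if (SubImageWidth <= 0)` that stops before the call would make termination explicit. PutSubImage starts and ends outside the hunk.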
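diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
new file mode 100644
index 0000000000..4800bedf41
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include "Xlibint.h"
+#include "Xutil.h"
+#include <stdio.h>
++#include <limits.h>
+#include "Cr.h"
+#include "ImUtil.h"
+#include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+height = image->height - req_yoffset;
+if ((width <= 0) || (height <= 0))
+return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+dest_bits_per_pixel = 1;
+--
+2.39.3
+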
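diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/CrPixmap.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+#include <config.h>
+#endif
+#include "Xlibint.h"
++#include <limits.h>
+
+#ifdef USE_DYNAMIC_XCURSOR
+void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+Pixmap pid;
+register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+LockDisplay(dpy);
+GetReq(CreatePixmap, req);
+req->drawable = d;
+--
+2.39.3
+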
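diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
new file mode 100644
index 0000000000..110bd445df
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/ImUtil.c | 20 +++++++++++++++-----
+1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include <X11/Xlibint.h>
+#include <X11/Xutil.h>
+#include <stdio.h>
++#include <limits.h>
+#include "ImUtil.h"
+
+static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+/*
+* compute per line accelerator.
+*/
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+}
+if (image_bytes_per_line == 0) {
+image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+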
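diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ebd2640743..248889a1d4 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -15,6 +15,15 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
 file://libx11-whitespace.patch \
 file://CVE-2020-14344.patch \
 file://CVE-2020-14363.patch \
+file://CVE-2021-31535.patch \
+file://CVE-2022-3554.patch \
+file://CVE-2022-3555.patch \
+file://CVE-2023-3138.patch \
+file://CVE-2023-43785.patch \
+file://CVE-2023-43786-1.patch \
+file://CVE-2023-43786-2.patch \
+file://CVE-2023-43787-1.patch \
+file://CVE-2023-43787-2.patch \
 "
 
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"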
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index fda8e32d2c..4694f911be 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb | |||
@@ -11,17 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \ | |||
11 | protocol." | 11 | protocol." |
12 | 12 | ||
13 | LICENSE = "MIT" | 13 | LICENSE = "MIT" |
14 | LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7" | 14 | LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff" |
15 | DEPENDS += "libxext libsm libxt gettext-native" | 15 | DEPENDS += "libxext libsm libxt gettext-native" |
16 | PE = "1" | 16 | PE = "1" |
17 | 17 | ||
18 | XORG_PN = "libXpm" | 18 | XORG_PN = "libXpm" |
19 | XORG_EXT = "tar.xz" | ||
20 | EXTRA_OECONF += "--disable-open-zfile" | ||
19 | 21 | ||
20 | PACKAGES =+ "sxpm cxpm" | 22 | PACKAGES =+ "sxpm cxpm" |
21 | FILES_cxpm = "${bindir}/cxpm" | 23 | FILES_cxpm = "${bindir}/cxpm" |
22 | FILES_sxpm = "${bindir}/sxpm" | 24 | FILES_sxpm = "${bindir}/sxpm" |
23 | 25 | ||
24 | SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" | 26 | SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" |
25 | SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" | ||
26 | 27 | ||
27 | BBCLASSEXTEND = "native" | 28 | BBCLASSEXTEND = "native" |
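diff --git a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index cc45696530..38cab99bbe 100644
--- a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -6,7 +6,7 @@ using file descriptor passing."
 
 require xorg-lib-common.inc
 
-LICENSE = "MIT-style"
+LICENSE = "HPND"
 LIC_FILES_CHKSUM = "file://COPYING;md5=47e508ca280fde97906eacb77892c3ac"
 
 DEPENDS += "virtual/libx11"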
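diff --git a/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
new file mode 100644
index 0000000000..d54ae16b33
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
@@ -0,0 +1,34 @@
+CVE: CVE-2022-44638
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by:Bhabu Bindu <bhabu.bindu@kpit.com>
+
+From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001
+From: Matt Turner <mattst88@gmail.com>
+Date: Wed, 2 Nov 2022 12:07:32 -0400
+Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write
+
+Thanks to Maddie Stone and Google's Project Zero for discovering this
+issue, providing a proof-of-concept, and a great analysis.
+
+Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
+---
+pixman/pixman-trap.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
+index 91766fd..7560405 100644
+--- a/pixman/pixman-trap.c
++++ b/pixman/pixman-trap.c
+@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
+
+if (f < Y_FRAC_FIRST (n))
+{
+- if (pixman_fixed_to_int (i) == 0x8000)
++ if (pixman_fixed_to_int (i) == 0xffff8000)
+{
+f = 0; /* saturate */
+}
+--
+GitLab
+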
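Review bot: The `Upstream-Status: Backport` line at the top of this patch names no upstream commit, unlike the libx11 backports added in the same change, so the fix can only be traced through the hash on the `From` line and the `Closes:` issue link. I would write it as `Upstream-Status: Backport [<upstream pixman commit URL for a1f88e842e0216a5b4df1ab023caebe33c101395>]` and add the missing space in `Signed-off-by:Bhabu Bindu`. In the C change, the comparison with `0xffff8000` presumably relies on the int result of `pixman_fixed_to_int (i)` being converted to unsigned; a one-line comment such as `/* 0xffff8000: sign-extended integer part of the smallest pixman_fixed_t */` would make the constant self-explanatory. `pixman_sample_floor_y` starts and ends outside the hunk.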
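diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
index 22e19ba069..5873c19bab 100644
--- a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
+++ b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
 SRC_URI = "https://www.cairographics.org/releases/${BP}.tar.gz \
 file://0001-ARM-qemu-related-workarounds-in-cpu-features-detecti.patch \
 file://0001-test-utils-Check-for-FE_INVALID-definition-before-us.patch \
+file://CVE-2022-44638.patch \
 "
 SRC_URI[md5sum] = "267a7af290f93f643a1bc74490d9fdd1"
 SRC_URI[sha256sum] = "da66d6fd6e40aee70f7bd02e4f8f76fc3f006ec879d346bae6a723025cfbdde7"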
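diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
index a566eaa45e..1e8525d874 100644
--- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
+++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
@@ -6,8 +6,9 @@ LICENSE = "MIT-X"
 DEPENDS = "util-macros"
 
 XORG_PN = "${BPN}"
+XORG_EXT ?= "tar.bz2"
 
-SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 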
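diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index b4f0760176..ce57982a7d 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -16,9 +16,17 @@ PE = "2"
 INC_PR = "r8"
 
 XORG_PN = "xorg-server"
-SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.gz"
 
-CVE_PRODUCT = "xorg-server"
+CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 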
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch deleted file mode 100644 index fb3a37c474..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch +++ /dev/null | |||
@@ -1,182 +0,0 @@ | |||
1 | From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:46:32 +0200 | ||
4 | Subject: [PATCH] Correct bounds checking in XkbSetNames() | ||
5 | |||
6 | CVE-2020-14345 / ZDI 11428 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2020-14345 | ||
15 | Affects < 1.20.9 | ||
16 | |||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ | ||
21 | 1 file changed, 48 insertions(+) | ||
22 | |||
23 | Index: xorg-server-1.20.8/xkb/xkb.c | ||
24 | =================================================================== | ||
25 | --- xorg-server-1.20.8.orig/xkb/xkb.c | ||
26 | +++ xorg-server-1.20.8/xkb/xkb.c | ||
27 | @@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; | ||
28 | #define CHK_REQ_KEY_RANGE(err,first,num,r) \ | ||
29 | CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) | ||
30 | |||
31 | +static Bool | ||
32 | +_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { | ||
33 | + char *cstuff = (char *)stuff; | ||
34 | + char *cfrom = (char *)from; | ||
35 | + char *cto = (char *)to; | ||
36 | + | ||
37 | + return cfrom < cto && | ||
38 | + cfrom >= cstuff && | ||
39 | + cfrom < cstuff + ((size_t)client->req_len << 2) && | ||
40 | + cto >= cstuff && | ||
41 | + cto <= cstuff + ((size_t)client->req_len << 2); | ||
42 | +} | ||
43 | + | ||
44 | /***====================================================================***/ | ||
45 | |||
46 | int | ||
47 | @@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
48 | client->errorValue = _XkbErrCode2(0x04, stuff->firstType); | ||
49 | return BadAccess; | ||
50 | } | ||
51 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) | ||
52 | + return BadLength; | ||
53 | old = tmp; | ||
54 | tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); | ||
55 | if (!tmp) { | ||
56 | @@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
57 | } | ||
58 | width = (CARD8 *) tmp; | ||
59 | tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); | ||
60 | + if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) | ||
61 | + return BadLength; | ||
62 | type = &xkb->map->types[stuff->firstKTLevel]; | ||
63 | for (i = 0; i < stuff->nKTLevels; i++, type++) { | ||
64 | if (width[i] == 0) | ||
65 | @@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
66 | type->num_levels, width[i]); | ||
67 | return BadMatch; | ||
68 | } | ||
69 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) | ||
70 | + return BadLength; | ||
71 | tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); | ||
72 | if (!tmp) { | ||
73 | client->errorValue = bad; | ||
74 | @@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
75 | client->errorValue = 0x08; | ||
76 | return BadMatch; | ||
77 | } | ||
78 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
79 | + tmp + Ones(stuff->indicators))) | ||
80 | + return BadLength; | ||
81 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, | ||
82 | client->swapped, &bad); | ||
83 | if (!tmp) { | ||
84 | @@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
85 | client->errorValue = 0x09; | ||
86 | return BadMatch; | ||
87 | } | ||
88 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
89 | + tmp + Ones(stuff->virtualMods))) | ||
90 | + return BadLength; | ||
91 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, | ||
92 | (CARD32) stuff->virtualMods, | ||
93 | client->swapped, &bad); | ||
94 | @@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
95 | client->errorValue = 0x0a; | ||
96 | return BadMatch; | ||
97 | } | ||
98 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
99 | + tmp + Ones(stuff->groupNames))) | ||
100 | + return BadLength; | ||
101 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, | ||
102 | (CARD32) stuff->groupNames, | ||
103 | client->swapped, &bad); | ||
104 | @@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
105 | stuff->nKeys); | ||
106 | return BadValue; | ||
107 | } | ||
108 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) | ||
109 | + return BadLength; | ||
110 | tmp += stuff->nKeys; | ||
111 | } | ||
112 | if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { | ||
113 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
114 | + tmp + (stuff->nKeyAliases * 2))) | ||
115 | + return BadLength; | ||
116 | tmp += stuff->nKeyAliases * 2; | ||
117 | } | ||
118 | if (stuff->which & XkbRGNamesMask) { | ||
119 | @@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
120 | client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); | ||
121 | return BadValue; | ||
122 | } | ||
123 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
124 | + tmp + stuff->nRadioGroups)) | ||
125 | + return BadLength; | ||
126 | tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); | ||
127 | if (!tmp) { | ||
128 | client->errorValue = bad; | ||
129 | @@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client) | ||
130 | /* check device-independent stuff */ | ||
131 | tmp = (CARD32 *) &stuff[1]; | ||
132 | |||
133 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
134 | + return BadLength; | ||
135 | if (stuff->which & XkbKeycodesNameMask) { | ||
136 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
137 | if (!tmp) { | ||
138 | @@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client) | ||
139 | return BadAtom; | ||
140 | } | ||
141 | } | ||
142 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
143 | + return BadLength; | ||
144 | if (stuff->which & XkbGeometryNameMask) { | ||
145 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
146 | if (!tmp) { | ||
147 | @@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client) | ||
148 | return BadAtom; | ||
149 | } | ||
150 | } | ||
151 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
152 | + return BadLength; | ||
153 | if (stuff->which & XkbSymbolsNameMask) { | ||
154 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
155 | if (!tmp) { | ||
156 | @@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client) | ||
157 | return BadAtom; | ||
158 | } | ||
159 | } | ||
160 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
161 | + return BadLength; | ||
162 | if (stuff->which & XkbPhysSymbolsNameMask) { | ||
163 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
164 | if (!tmp) { | ||
165 | @@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client) | ||
166 | return BadAtom; | ||
167 | } | ||
168 | } | ||
169 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
170 | + return BadLength; | ||
171 | if (stuff->which & XkbTypesNameMask) { | ||
172 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
173 | if (!tmp) { | ||
174 | @@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client) | ||
175 | return BadAtom; | ||
176 | } | ||
177 | } | ||
178 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
179 | + return BadLength; | ||
180 | if (stuff->which & XkbCompatNameMask) { | ||
181 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
182 | if (!tmp) { | ||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch deleted file mode 100644 index 4994a21d33..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:49:04 +0200 | ||
4 | Subject: [PATCH] Fix XIChangeHierarchy() integer underflow | ||
5 | |||
6 | CVE-2020-14346 / ZDI-CAN-11429 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff] | ||
15 | CVE: CVE-2020-14346 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | Xi/xichangehierarchy.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
22 | index cbdd91258..504defe56 100644 | ||
23 | --- a/Xi/xichangehierarchy.c | ||
24 | +++ b/Xi/xichangehierarchy.c | ||
25 | @@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
26 | if (!stuff->num_changes) | ||
27 | return rc; | ||
28 | |||
29 | - len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); | ||
30 | + len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); | ||
31 | |||
32 | any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; | ||
33 | while (stuff->num_changes--) { | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch deleted file mode 100644 index cf3f5f9417..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Sat, 25 Jul 2020 19:33:50 +0200 | ||
4 | Subject: [PATCH] fix for ZDI-11426 | ||
5 | |||
6 | Avoid leaking un-initalized memory to clients by zeroing the | ||
7 | whole pixmap on initial allocation. | ||
8 | |||
9 | This vulnerability was discovered by: | ||
10 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
11 | |||
12 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
13 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
14 | |||
15 | |||
16 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816] | ||
17 | CVE: CVE-2020-14347 | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | dix/pixmap.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/dix/pixmap.c b/dix/pixmap.c | ||
24 | index 1186d7dbbf..5a0146bbb6 100644 | ||
25 | --- a/dix/pixmap.c | ||
26 | +++ b/dix/pixmap.c | ||
27 | @@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) | ||
28 | if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) | ||
29 | return NullPixmap; | ||
30 | |||
31 | - pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); | ||
32 | + pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); | ||
33 | if (!pPixmap) | ||
34 | return NullPixmap; | ||
35 | |||
36 | -- | ||
37 | GitLab | ||
38 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch deleted file mode 100644 index 710cc3873c..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:52:29 +0200 | ||
4 | Subject: [PATCH] Fix XkbSelectEvents() integer underflow | ||
5 | |||
6 | CVE-2020-14361 ZDI-CAN 11573 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787] | ||
15 | CVE: CVE-2020-14361 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | xkb/xkbSwap.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c | ||
22 | index 1c1ed5ff4..50cabb90e 100644 | ||
23 | --- a/xkb/xkbSwap.c | ||
24 | +++ b/xkb/xkbSwap.c | ||
25 | @@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) | ||
26 | register unsigned bit, ndx, maskLeft, dataLeft, size; | ||
27 | |||
28 | from.c8 = (CARD8 *) &stuff[1]; | ||
29 | - dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); | ||
30 | + dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); | ||
31 | maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); | ||
32 | for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { | ||
33 | if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch deleted file mode 100644 index 2103e9c198..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch +++ /dev/null | |||
@@ -1,70 +0,0 @@ | |||
1 | From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:55:01 +0200 | ||
4 | Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow | ||
5 | |||
6 | CVE-2020-14362 ZDI-CAN-11574 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc] | ||
15 | CVE: CVE-2020-14362 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | record/record.c | 10 +++++----- | ||
19 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
20 | |||
21 | diff --git a/record/record.c b/record/record.c | ||
22 | index f2d38c877..be154525d 100644 | ||
23 | --- a/record/record.c | ||
24 | +++ b/record/record.c | ||
25 | @@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client) | ||
26 | } /* SProcRecordQueryVersion */ | ||
27 | |||
28 | static int _X_COLD | ||
29 | -SwapCreateRegister(xRecordRegisterClientsReq * stuff) | ||
30 | +SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) | ||
31 | { | ||
32 | int i; | ||
33 | XID *pClientID; | ||
34 | @@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) | ||
35 | swapl(&stuff->nRanges); | ||
36 | pClientID = (XID *) &stuff[1]; | ||
37 | if (stuff->nClients > | ||
38 | - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) | ||
39 | + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) | ||
40 | return BadLength; | ||
41 | for (i = 0; i < stuff->nClients; i++, pClientID++) { | ||
42 | swapl(pClientID); | ||
43 | } | ||
44 | if (stuff->nRanges > | ||
45 | - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
46 | + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
47 | - stuff->nClients) | ||
48 | return BadLength; | ||
49 | RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); | ||
50 | @@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client) | ||
51 | |||
52 | swaps(&stuff->length); | ||
53 | REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); | ||
54 | - if ((status = SwapCreateRegister((void *) stuff)) != Success) | ||
55 | + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) | ||
56 | return status; | ||
57 | return ProcRecordCreateContext(client); | ||
58 | } /* SProcRecordCreateContext */ | ||
59 | @@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client) | ||
60 | |||
61 | swaps(&stuff->length); | ||
62 | REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); | ||
63 | - if ((status = SwapCreateRegister((void *) stuff)) != Success) | ||
64 | + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) | ||
65 | return status; | ||
66 | return ProcRecordRegisterClients(client); | ||
67 | } /* SProcRecordRegisterClients */ | ||
68 | -- | ||
69 | 2.17.1 | ||
70 | |||
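--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
+From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:40:21 +0000
+Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
+attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
+CVE: CVE-2022-3550
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+xkb/xkb.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..bf8aaa3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+CARD16 len;
+
+wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+len = *(CARD16 *) wire;
+if (client->swapped) {
+swaps(&len);
+--
+2.17.1
+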
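Review bot: The tag in the patch header is spelled `Ustream-Status:`, so tooling that looks for `Upstream-Status:` will likely treat this patch as untagged; it should read `Upstream-Status: Backport [...]` with the same URL. The `Signed-off-by:Minjae Kim` trailer is also missing the space after the colon. On the code side, a one-line comment above the new guard in _GetCountedString, for example `/* the 2-byte length field itself must lie inside the request */`, would record why the check comes before `len` is read. The function body continues outside the hunk.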
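--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+xkb/xkb.c | 26 +++++++++++++++++++-------
+1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+xkb = dev->key->xkbInfo->desc;
+status = Success;
+str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+names.keycodes = GetComponentSpec(&str, TRUE, &status);
+names.types = GetComponentSpec(&str, TRUE, &status);
+names.compat = GetComponentSpec(&str, TRUE, &status);
+names.symbols = GetComponentSpec(&str, TRUE, &status);
+names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
+- return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
+
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
++ }
+CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+
+--
+2.17.1
+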
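Review bot: The new `if (status != Success)` block frees the five `names.*` strings but never returns, so on a parse or length failure control falls through to the `CHK_MASK_LEGAL` lines with `names` still holding freed pointers and the error status unreported. The removed lines returned at both failure points (`return status;` and `return BadLength;`), so the block should end with `return status;` after the last `free`. Without it, any later use or release of `names.keycodes` through `names.geometry` in ProcXkbGetKbdByName, whose body continues outside the hunk, would act on freed memory. Compare against the upstream commit named in the Upstream-Status line before merging.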
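--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
+From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 4 Dec 2022 17:46:18 +0000
+Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
+Application menu due to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
+2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
+3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
+CVE: CVE-2022-3553
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+hw/xquartz/X11Controller.m | 8 ++++++--
+1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..9870ff2 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
+self.table_apps = table_apps;
+
+NSArray * const apps = self.apps;
+- if (apps != nil)
+- [table_apps addObjectsFromArray:apps];
++
++ if (apps != nil) {
++ for (NSArray <NSString *> * row in apps) {
++ [table_apps addObject:row.mutableCopy];
++ }
++ }
+
+columns = [apps_table tableColumns];
+[[columns objectAtIndex:0] setIdentifier:@"0"];
+--
+2.17.1
+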
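Review bot: This patch only touches `hw/xquartz/X11Controller.m`, and whether this recipe ever compiles the XQuartz tree is not visible here. If it does not, the CVE could be recorded with an ignore entry and a one-line reason, in the style of the `CVE_CHECK_WHITELIST` line this commit adds to builder_0.1.bb, instead of carrying a patch that changes no built code. If the patch stays, a recipe comment saying it is carried for CVE bookkeeping only would save the next maintainer from re-checking.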
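--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+xkb/xkbUtils.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index 8975ade..9bc51fc 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+}
+else {
+free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+}
+dst->names->num_rg = src->names->num_rg;
+
+--
+2.25.1
+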
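--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xext/xtest.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index 38b8012..bf11789 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+/* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+/* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+client->errorValue = ev->u.u.type;
+return BadValue;
+}
+--
+2.25.1
+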
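Review bot: The mask on the new `evtype` line changed from octal `0177` to hex `0x177`, and those are different values: `0177` is 0x7f, while `0x177` clears bit 3 of the event type and adds a ninth bit. Event types with bit 3 set will now select a different `EventSwapVector` slot than before, so the wrong swap procedure, or the new GenericEvent rejection, can be applied to them. The line should read `int evtype = ev->u.u.type & 0177;` (or `& 0x7f`) to keep the index the removed line used. The loop body continues outside the hunk.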
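--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xi/xipassivegrab.c | 22 ++++++++++++++--------
+1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+return BadValue;
+}
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+stuff->mask_len * 4) != Success)
+return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+¶m, XI2, &mask);
+break;
+case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+break;
+case XIGrabtypeEnter:
+case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+return BadValue;
+}
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+if (rc != Success)
+return rc;
+--
+2.25.1
+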
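Review bot: The early check added to ProcXIPassiveGrabDevice returns `XIAlreadyGrabbed` as the request's result, whereas the removed code stored that value in `status`, and the matching check added to ProcXIPassiveUngrabDevice sets `client->errorValue` and returns `BadValue`. `XIAlreadyGrabbed` is a grab status, so returning it directly presumably makes the dispatcher read it as a protocol error code; how `status` was reported before is outside the hunks, so this needs confirming. If an error is intended, `client->errorValue = stuff->detail; return BadValue;` would make the two handlers agree. As the patch is marked as a backport, any deviation is better raised upstream first.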
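--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+- as the drawable's XvRTVideoNotifyList. This happens only once per
+drawable, subsequent calls append to this list.
+- as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xext/xvmain.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index c520c7d..5f4c174 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+tpn = pn;
+while (tpn) {
+if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+return Success;
+}
+if (!tpn->client)
+--
+2.25.1
+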
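Review bot: The new `FreeResource(tpn->id, XvRTVideoNotify);` call carries no comment, so the lifetime rule it enforces lives only in the commit message. A short comment above it, for example `/* also drop the client's resource so client teardown cannot reach this entry after the drawable's list has been freed */`, would keep that reasoning next to the code. The message also says `tpn->client = NULL;` is kept only to match XvdiSelectPortNotify; saying so in the same comment avoids a later cleanup removing the wrong line. The while loop continues outside the hunk.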
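--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xext/saver.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+pVlist++;
+}
+if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+pPriv->attr = pAttr;
+pAttr->resource = FakeClientID(client->index);
+if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.25.1
+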
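--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xi/xiproperty.c | 4 ++--
+dix/property.c | 3 ++-
+2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..0cfa6e3 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+REQUEST(xChangeDevicePropertyReq);
+DeviceIntPtr dev;
+unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+int rc;
+
+REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
+{
+int rc;
+DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+unsigned long len;
+
+REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index ff1d669..6fdb74a 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+WindowPtr pWin;
+char format, mode;
+unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+REQUEST(xChangePropertyReq);
+
+--
+2.25.1
+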
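Review bot: Only the declaration of `totalSize` is widened to `uint64_t` in the three hunks; the expression that computes it lies outside them. If that expression multiplies `len`, which the context lines declare as `unsigned long`, the product is still evaluated in 32 bits on targets where `unsigned long` is 32 bits and can wrap before it is stored. For 32-bit machines built from this layer, check that one operand is widened first, e.g. `(uint64_t) len * ...`, and that the later size check receives the full 64-bit value.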
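--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
+CVE: CVE-2023-0494
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+memcpy(to->button->xkb_acts, from->button->xkb_acts,
+sizeof(XkbAction));
+}
+- else
++ else {
+free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+memcpy(to->button->labels, from->button->labels,
+from->button->numButtons * sizeof(Atom));
+--
+GitLab
+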
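--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
+CVE: CVE-2023-1393
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+composite/compwindow.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+ret = (*pScreen->DestroyWindow) (pWin);
+cs->DestroyWindow = pScreen->DestroyWindow;
+pScreen->DestroyWindow = compDestroyWindow;
++
++ /* Did we just destroy the overlay window? */
++ if (pWin == cs->pOverlayWin)
++ cs->pOverlayWin = NULL;
++
+/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+return ret;
+}
+--
+GitLab
+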
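--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+[N, N, N, ?, ?, P, P, P ] P, P
+^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/xiproperty.c | 4 ++--
+randr/rrproperty.c | 4 ++--
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+XIDestroyDeviceProperty(prop);
+return BadAlloc;
+}
+- new_value.size = len;
++ new_value.size = total_len;
+new_value.type = type;
+new_value.format = format;
+
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+case PropModePrepend:
+new_data = new_value.data;
+old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+break;
+}
+if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+RRDestroyOutputProperty(prop);
+return BadAlloc;
+}
+- new_value.size = len;
++ new_value.size = total_len;
+new_value.type = type;
+new_value.format = format;
+
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+case PropModePrepend:
+new_data = new_value.data;
+old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+break;
+}
+if (new_data)
+--
+GitLab
+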
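Review bot: The prepend branch in both XIChangeDeviceProperty and RRChangeOutputProperty now offsets `old_data` by `len * size_in_bytes`, but neither site carries a comment stating the buffer layout that offset implements, and the patch description notes the XI2 code is a copy of the RandR code. A one-line comment above the assignment, `/* the len new elements occupy the front; the existing elements are copied after them */`, would make the intent checkable at both copies. The allocation sized from `total_len` sits above both hunks, so whether `total_len * size_in_bytes` is guarded against overflow cannot be confirmed from the lines shown and is worth checking in the full functions.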
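--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/enterleave.h | 2 --
+include/eventstr.h | 3 +++
+mi/mipointer.c | 17 +++++++++++++++--
+3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+
+extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+extern void CoreFocusEvent(DeviceIntPtr kbd,
+int type, int mode, int detail, WindowPtr pWin);
+
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+#endif
+};
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+#endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+#ifdef PANORAMIX
+&& noPanoramiXExtension
+#endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+}
+
+/**
+--
+2.25.1
+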
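Review bot: The `LeaveWindow` prototype is removed from dix/enterleave.h and re-declared in include/eventstr.h after the `_InternalEvent` union, with no comment saying why an enter/leave function is declared in the event-structure header. A short comment on the new declaration, for example `/* declared here so mi/mipointer.c can clear PointerWindows[] on a screen switch */`, would stop a later cleanup from moving it back and breaking the caller; the wording assumes that is the reason, which the hunk does not state. In the mi/mipointer.c hunk, if `GetMaster(pDev, MASTER_POINTER)` can return `pDev` itself, `LeaveWindow` runs twice on the same device; `if (master && master != pDev)` would make the intent explicit. miPointerWarpCursor starts above the hunk.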
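--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 12 ++++++------
+dix/devices.c | 10 ++++++++++
+2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+}
+
+if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+}
+else {
+free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+if (master->button && master->button->numButtons != maxbuttons) {
+int i;
++ int last_num_buttons = master->button->numButtons;
++
+DeviceChangedEvent event = {
+.header = ET_Internal,
+.type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+};
+
+master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+sizeof(Atom));
+--
+GitLab
+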
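Review bot: In the RecalculateMasterButtons hunk only the tail `[last_num_buttons, maxbuttons)` of the reallocated `xkb_acts` is zeroed, which is correct only if the array already held `last_num_buttons` initialised entries. If `master->button->xkb_acts` can be NULL here while `last_num_buttons` is non-zero (not visible in the hunk; the else branch of DeepCopyPointerClasses does free the array), the reallocation presumably acts as a fresh allocation and the leading entries stay uninitialised. Treating that case as a full clear, `if (!master->button->xkb_acts) last_num_buttons = 0;` placed before the `xnfreallocarray` call, would cover it. Both functions continue outside their hunks, so the NULL case should be confirmed against the full source.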
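--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+randr/rrproperty.c | 2 +-
+randr/rrproviderproperty.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+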
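Review bot: Widening `totalSize` to `uint64_t` only helps if the product assigned to it is computed in 64 bits. The hunk context declares the operands as `unsigned long len` and `int sizeInBytes`, so on targets where `unsigned long` is 32 bits a `len * sizeInBytes` expression would wrap before the assignment and the length check could still be passed with a truncated value. The assignment itself is outside both hunks, so this needs confirming in ProcRRChangeOutputProperty and ProcRRChangeProviderProperty. If it has that form, `totalSize = (uint64_t) len * sizeInBytes;` keeps the check effective on 32-bit builds as well.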
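--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/xiquerypointer.c | 3 +--
+dix/enterleave.c | 5 +++--
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+if (pDev->button) {
+int i;
+
+- rep.buttons_len =
+- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+rep.length += rep.buttons_len;
+buttons = calloc(rep.buttons_len, 4);
+if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+
+mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+
+- /* XI 2 event */
+- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++ /* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+btlen = bytes_to_int32(btlen);
+len = sizeof(xXIFocusInEvent) + btlen * 4;
+
+--
+GitLab
+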
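Review bot: The buffer size is now the bare literal `256` at two unrelated sites, `rep.buttons_len` in ProcXIQueryPointer and `btlen` in DeviceFocusEvent, so a later edit to one can leave the other undersized again. A single shared constant for the largest logical button value, used inside `bits_to_bytes(...)` at both sites, would keep them in step; its name is for the project to choose. The loops that set the button bits are outside both hunks, so it is worth confirming that they index by the mapped button value and stay below that bound.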
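--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+int count = 1;
+if (button && nbuttons > 32) count++;
+if (key && nbuttons > 0) count++;
+if (key && nkeys > 32) count++; // this is basically always true
+// count is at 2 for our keys + zero button device
+
+ev = alloc(count * sizeof(xEvent));
+FixDeviceStateNotify(ev);
+if (button)
+FixDeviceStateNotify(ev++);
+if (key)
+FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/enterleave.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+{
+int evcount = 1;
+- deviceStateNotify *ev, *sev;
++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++ deviceStateNotify *ev;
+deviceKeyStateNotify *kev;
+deviceButtonStateNotify *bev;
+
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+}
+}
+
+- sev = ev = xallocarray(evcount, sizeof(xEvent));
++ ev = sev;
+FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+
+if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+DeviceStateNotifyMask, NullGrab);
+-free(sev);
+}
+
+void
+--
+GitLab
+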
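Review bot: `sev` is now an uninitialised stack array that is handed to `DeliverEventsToWindow` with `evcount` entries, so any event slot or field the Fix* helpers leave unwritten would carry stale stack bytes to the client. Their bodies are outside these hunks, so whether every byte is written cannot be confirmed here. Zero-initialising at the declaration, `deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3] = { 0 };`, removes the question. The `6` in the array bound also has no comment saying which events it accounts for.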
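--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
@@ -0,0 +1,221 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire. This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+
+ev->type = DeviceValuator;
+ev->deviceid = dev->id;
+- ev->num_valuators = nval < 3 ? nval : 3;
++ ev->num_valuators = nval < 6 ? nval : 6;
+ev->first_valuator = first;
+switch (ev->num_valuators) {
++ case 6:
++ ev->valuator2 = v->axisVal[first + 5];
++ case 5:
++ ev->valuator2 = v->axisVal[first + 4];
++ case 4:
++ ev->valuator2 = v->axisVal[first + 3];
+case 3:
+ev->valuator2 = v->axisVal[first + 2];
+case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ev->valuator0 = v->axisVal[first];
+break;
+}
+- first += ev->num_valuators;
+}
+
+static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+ev->num_buttons = b->numButtons;
+memcpy((char *) ev->buttons, (char *) b->down, 4);
+}
+- else if (k) {
++ if (k) {
+ev->classes_reported |= (1 << KeyClass);
+ev->num_keys = k->xkbInfo->desc->max_key_code -
+k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+}
+}
+
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+static void
+DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+{
++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++ * and one deviceValuator for each 6 valuators */
++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+int evcount = 1;
+- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+- deviceStateNotify *ev;
+- deviceKeyStateNotify *kev;
+- deviceButtonStateNotify *bev;
++ deviceStateNotify *ev = sev;
+
+KeyClassPtr k;
+ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+if ((b = dev->button) != NULL) {
+nbuttons = b->numButtons;
+- if (nbuttons > 32)
++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+evcount++;
+}
+if ((k = dev->key) != NULL) {
+nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+- if (nkeys > 32)
++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+evcount++;
+- if (nbuttons > 0) {
+- evcount++;
+- }
+}
+if ((v = dev->valuator) != NULL) {
+nval = v->numAxes;
+-
+- if (nval > 3)
+- evcount++;
+- if (nval > 6) {
+- if (!(k && b))
+- evcount++;
+- if (nval > 9)
+- evcount += ((nval - 7) / 3);
+- }
++ /* first three are encoded in deviceStateNotify, then
++ * it's 6 per deviceValuator event */
++ evcount += ((nval - 3) + 6)/6;
+}
+
+- ev = sev;
+- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+- if (b != NULL) {
+- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+- first += 3;
+- nval -= 3;
+- if (nbuttons > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- bev = (deviceButtonStateNotify *) ev++;
+- bev->type = DeviceButtonStateNotify;
+- bev->deviceid = dev->id;
+- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+- DOWN_LENGTH - 4);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++ FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++ if (b != NULL && nbuttons > 32) {
++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ bev->type = DeviceButtonStateNotify;
++ bev->deviceid = dev->id;
++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++ DOWN_LENGTH - 4);
+}
+
+- if (k != NULL) {
+- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nkeys > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- kev = (deviceKeyStateNotify *) ev++;
+- kev->type = DeviceKeyStateNotify;
+- kev->deviceid = dev->id;
+- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ if (k != NULL && nkeys > 32) {
++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ kev->type = DeviceKeyStateNotify;
++ kev->deviceid = dev->id;
++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+}
+
++ first = 3;
++ nval -= 3;
+while (nval > 0) {
+- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ ev->deviceid |= MORE_EVENTS;
++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++ first += 6;
++ nval -= 6;
+}
+
+DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+--
+GitLab
+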
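Review bot: In the FixDeviceValuator hunk the new `case 6`, `case 5` and `case 4` arms all assign `ev->valuator2`, so the fourth to sixth valuators never reach their own fields and `valuator2` is overwritten again on the fall-through to `case 3`. They should read `ev->valuator5 = v->axisVal[first + 5];`, `ev->valuator4 = v->axisVal[first + 4];` and `ev->valuator3 = v->axisVal[first + 3];`. Separately, in DeliverStateNotifyEvent `evcount += ((nval - 3) + 6)/6;` adds one event when `nval` is exactly 3, and one too many whenever `nval - 3` is a positive multiple of 6, while the `while (nval > 0)` loop writes none for that remainder. `evcount` can therefore include a slot of the uninitialised `sev` array that was never filled before `DeliverEventsToWindow` sends it; `((nval - 3) + 5)/6` matches the loop.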
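--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
@@ -0,0 +1,41 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+to->button = calloc(1, sizeof(ButtonClassRec));
+if (!to->button)
+FatalError("[Xi] no memory for class shift.\n");
++ to->button->numButtons = from->button->numButtons;
+}
+else
+classes->button = NULL;
+--
+GitLab
+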
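--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
@@ -0,0 +1,45 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+XIAttachToMaster
+
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/xichangehierarchy.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+if (rc != Success)
+goto unwind;
+
+- if (!IsMaster(newptr)) {
++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+client->errorValue = r->return_pointer;
+rc = BadDevice;
+goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+if (rc != Success)
+goto unwind;
+
+- if (!IsMaster(newkeybd)) {
++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+client->errorValue = r->return_keyboard;
+rc = BadDevice;
+goto unwind;
+--
+GitLab
+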
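--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
@@ -0,0 +1,64 @@
+From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3]
+CVE: CVE-2024-0408
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+glx/glxcmds.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+#include "indirect_util.h"
+#include "protocol-versions.h"
+#include "glxvndabi.h"
++#include "xace.h"
+
+static char GLXServerVendorName[] = "SGI";
+
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+if (!pPixmap)
+return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+/* Assign the pixmap the same id as the pbuffer and add it as a
+* resource so it and the DRI2 drawable will be reclaimed when the
+* pbuffer is destroyed. */
+--
+GitLab
+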
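--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+Bool
+ephyrCursorInit(ScreenPtr screen)
+{
+- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+sizeof(ephyrCursorRec)))
+return FALSE;
+
+--
+2.25.1
+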
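Review bot: The backport carries only the Xephyr half of the upstream change: the subject and description name both Xephyr and Xwayland as storing cursor data under the cursor-bits key, but the diffstat and the single hunk touch only `hw/kdrive/ephyr/ephyrcursor.c`. If this 1.20.14 tree still ships and builds hw/xwayland (not visible on this page), the equivalent registration there would keep `PRIVATE_CURSOR_BITS`, and the XSELINUX crash described above would stay reachable while the recipe records CVE-2024-0409 as patched. Either carry the Xwayland hunk of the upstream commit as well, or add a sentence to the patch header above `Upstream-Status:` saying that the hunk was dropped and why. ephyrCursorInit continues past the end of the hunk.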
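--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+size_t len; /* length of data remaining in request */
+int rc = Success;
+int flags[MAXDEVICES] = { 0 };
++ enum {
++ NO_CHANGE,
++ FLUSH,
++ CHANGED,
++ } changes = NO_CHANGE;
+
+REQUEST(xXIChangeHierarchyReq);
+REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+rc = add_master(client, c, flags);
+if (rc != Success)
+goto unwind;
+- }
++ changes = FLUSH;
+break;
++ }
+case XIRemoveMaster:
+{
+xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+rc = remove_master(client, r, flags);
+if (rc != Success)
+goto unwind;
+- }
++ changes = FLUSH;
+break;
++ }
+case XIDetachSlave:
+{
+xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+rc = detach_slave(client, c, flags);
+if (rc != Success)
+goto unwind;
+- }
++ changes = CHANGED;
+break;
++ }
+case XIAttachSlave:
+{
+xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+rc = attach_slave(client, c, flags);
+if (rc != Success)
+goto unwind;
++ changes = CHANGED;
++ break;
+}
++ default:
+break;
+}
+
++ if (changes == FLUSH) {
++ XISendDeviceHierarchyEvent(flags);
++ memset(flags, 0, sizeof(flags));
++ changes = NO_CHANGE;
++ }
++
+len -= any->length * 4;
+any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+}
+
+unwind:
+-
+- XISendDeviceHierarchyEvent(flags);
++ if (changes != NO_CHANGE)
++ XISendDeviceHierarchyEvent(flags);
+return rc;
+}
+--
+GitLab
+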
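Review bot: The three states of the new `changes` enum carry no comment, and the difference between `FLUSH` and `CHANGED` is what stops one hierarchy event from holding both a removed and an added entry for the same device id. I would add a comment above the enum, for example `/* FLUSH: master added/removed, send the event now; CHANGED: slave attach/detach pending, sent at unwind */`. The buffer the description talks about is allocated in `XISendDeviceHierarchyEvent()`, which this patch does not touch, so the bound still rests on every caller passing at most one entry per id; that is worth confirming for any other caller when taking the backport. ProcXIChangeHierarchy starts before the first hunk.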
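--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/devices.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+{
+DeviceIntPtr *prev, other;
+BOOL enabled;
++ BOOL dev_in_devices_list = FALSE;
+int flags[MAXDEVICES] = { 0 };
+
+if (!dev->enabled)
+return TRUE;
+
+- for (prev = &inputInfo.devices;
+- *prev && (*prev != dev); prev = &(*prev)->next);
+- if (*prev != dev)
++ for (other = inputInfo.devices; other; other = other->next) {
++ if (other == dev) {
++ dev_in_devices_list = TRUE;
++ break;
++ }
++ }
++
++ if (!dev_in_devices_list)
+return FALSE;
+
+TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+LeaveWindow(dev);
+SetFocusOut(dev);
+
++ for (prev = &inputInfo.devices;
++ *prev && (*prev != dev); prev = &(*prev)->next);
++
+*prev = dev->next;
+dev->next = inputInfo.off_devices;
+inputInfo.off_devices = dev;
+--
+GitLab
+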
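Review bot: The list search that the second hunk re-adds after the recursion (`for (prev = &inputInfo.devices; *prev && (*prev != dev); prev = &(*prev)->next);`) has no found-check behind it, so `*prev = dev->next;` is executed even when the loop stopped at the end of the list. The membership test in the first hunk is taken before the calls that can modify the list, whereas the removed `if (*prev != dev) return FALSE;` guarded the same pointer that was later written through. Whether `dev` can leave `inputInfo.devices` between the two points is not visible in these hunks; if it cannot, a one-line comment stating that invariant above the loop would help, otherwise the unlink should be skipped when `*prev != dev`. DisableDevice starts and ends outside both hunks.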
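--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
@@ -0,0 +1,57 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/devices.c | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+flags[other->id] |= XISlaveDetached;
+}
+}
++
++ for (other = inputInfo.off_devices; other; other = other->next) {
++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++ AttachDevice(NULL, other, NULL);
++ flags[other->id] |= XISlaveDetached;
++ }
++ }
+}
+else {
+for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+dev->master = NULL;
+}
+
++ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++ if (!IsMaster(dev) && !IsFloating(dev))
++ dev->master = NULL;
++ }
++
+CloseDeviceList(&inputInfo.devices);
+CloseDeviceList(&inputInfo.off_devices);
+
+--
+GitLab
+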
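--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+Xi/xiselectev.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+InputClientsPtr others = NULL;
+xXIEventMask *evmask = NULL;
+DeviceIntPtr dev;
++ uint32_t length;
+
+REQUEST(xXIGetSelectedEventsReq);
+REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+}
+}
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+free(buffer);
+return Success;
+--
+GitLab
+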
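Review bot: The patch header has no `---` line between the `Signed-off-by:` trailer and the diffstat, unlike the other backports added in this commit, so a tool that imports the patch as a commit would take `Xi/xiselectev.c | 5 ++++-` and the summary line as part of the commit message. Adding `---` on the line after `Signed-off-by: Ashish Sharma <asharma@mvista.com>` fixes it. CVE-2024-31081.patch has the same gap before its `Xi/xipassivegrab.c | 5 ++++-` line.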
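--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+Xi/xipassivegrab.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+GrabParameters param;
+void *tmp;
+int mask_len;
++ uint32_t length;
+
+REQUEST(xXIPassiveGrabDeviceReq);
+REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+}
+}
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+WriteReplyToClient(client, sizeof(rep), &rep);
+if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+out:
+free(modifiers_failed);
+--
+GitLab
+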
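--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -0,0 +1,61 @@
+require xserver-xorg.inc
+
+SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+file://pkgconfig.patch \
+file://0001-test-xtest-Initialize-array-with-braces.patch \
+file://sdksyms-no-build-path.patch \
+file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+file://CVE-2022-3550.patch \
+file://CVE-2022-3551.patch \
+file://CVE-2022-3553.patch \
+file://CVE-2022-4283.patch \
+file://CVE-2022-46340.patch \
+file://CVE-2022-46341.patch \
+file://CVE-2022-46342.patch \
+file://CVE-2022-46343.patch \
+file://CVE-2022-46344.patch \
+file://CVE-2023-0494.patch \
+file://CVE-2023-1393.patch \
+file://CVE-2023-5367.patch \
+file://CVE-2023-5380.patch \
+file://CVE-2023-6377.patch \
+file://CVE-2023-6478.patch \
+file://CVE-2023-6816.patch \
+file://CVE-2024-0229-1.patch \
+file://CVE-2024-0229-2.patch \
+file://CVE-2024-0229-3.patch \
+file://CVE-2024-0229-4.patch \
+file://CVE-2024-21885.patch \
+file://CVE-2024-21886-1.patch \
+file://CVE-2024-21886-2.patch \
+file://CVE-2024-0408.patch \
+file://CVE-2024-0409.patch \
+file://CVE-2024-31081.patch \
+file://CVE-2024-31080.patch \
+"
+SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
+SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
+
+CFLAGS += "-fcommon"
+
+# These extensions are now integrated into the server, so declare the migration
+# path for in-place upgrades.
+
+RREPLACES_${PN} = "${PN}-extension-dri \
+${PN}-extension-dri2 \
+${PN}-extension-record \
+${PN}-extension-extmod \
+${PN}-extension-dbe \
+"
+RPROVIDES_${PN} = "${PN}-extension-dri \
+${PN}-extension-dri2 \
+${PN}-extension-record \
+${PN}-extension-extmod \
+${PN}-extension-dbe \
+"
+RCONFLICTS_${PN} = "${PN}-extension-dri \
+${PN}-extension-dri2 \
+${PN}-extension-record \
+${PN}-extension-extmod \
+${PN}-extension-dbe \
+"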
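--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-require xserver-xorg.inc
-
-SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
-file://pkgconfig.patch \
-file://0001-test-xtest-Initialize-array-with-braces.patch \
-file://sdksyms-no-build-path.patch \
-file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
-file://CVE-2020-14347.patch \
-file://CVE-2020-14346.patch \
-file://CVE-2020-14361.patch \
-file://CVE-2020-14362.patch \
-file://CVE-2020-14345.patch \
-"
-SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
-SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
-
-CFLAGS += "-fcommon"
-
-# These extensions are now integrated into the server, so declare the migration
-# path for in-place upgrades.
-
-RREPLACES_${PN} = "${PN}-extension-dri \
-${PN}-extension-dri2 \
-${PN}-extension-record \
-${PN}-extension-extmod \
-${PN}-extension-dbe \
-"
-RPROVIDES_${PN} = "${PN}-extension-dri \
-${PN}-extension-dri2 \
-${PN}-extension-record \
-${PN}-extension-extmod \
-${PN}-extension-dbe \
-"
-RCONFLICTS_${PN} = "${PN}-extension-dri \
-${PN}-extension-dri2 \
-${PN}-extension-record \
-${PN}-extension-extmod \
-${PN}-extension-dbe \
-"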