cairo: Patch for CVE-2017-7475 and CVE-2016-9082

Patches added: - cairo-xlib-endianness.patch -- Fix crash when client and server have different endianness - cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff -- Fix segfault in get_bitmap_surface - cairo-fix-off-by-one-check.patch -- Fix off by one check in cairo-image-info.c - 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch CVE-2016-9082 -- Fix segfault when using >4GB images
author: Predrag Ivanovic <predivan@mts.rs> 2017-07-17 14:04:08 +0200
committer: Fredrik Rinnestam <fredrik@crux.nu> 2017-07-17 19:53:29 +0200
commit: 7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5 (patch)
tree: 7119d2d4d89782236d1a17f0e95ee1e524295364 /cairo
parent: 2d674c6e6f3fd73e389ae514c19a0ccd171a2a94 (diff)
download: opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.gz
opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.xz
7 files changed, 188 insertions, 7 deletions
diff --git a/cairo/.md5sum b/cairo/.md5sum
index c25aaabe2..6e904d877 100644
--- a/cairo/.md5sum
+++ b/cairo/.md5sum
@@ -1 +1,5 @@
+a3d7abd8e20b780f76300a76a4a4d963  0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
 3f7fad1ce2f2564f1726cda7ae7fad18  cairo-1.15.6.tar.xz
+ef74467172b3a8703c5d7da943f5bbfb  cairo-fix-off-by-one-check.patch
+bff33916d8b44e9c3f0f3e6644e61bfc  cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
+d602f595c5800bf470c33cd1af7541d1  cairo-xlib-endianness.patch
diff --git a/cairo/.signature b/cairo/.signature
deleted file mode 100644
index c17ae0297..000000000
--- a/cairo/.signature
+++ /dev/null
@@ -1,5 +0,0 @@
-untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/YHzIhr25coV05nUVVO4ZON/VL4eiU8PDaUTQqZ28fE+/Y9jI+mYnng96d/vptfb4QZKdNsNXPeC/A27h79j9QY=
-SHA256 (Pkgfile) = e8895b28db65e1ced75aa8f187d7ce65102ae38660b602479885118dfd27f688
-SHA256 (.footprint) = 01f56a1c4513bb142b94d81c220f5838103a12f0101cadf878525f486d03ef72
-SHA256 (cairo-1.15.6.tar.xz) = 5228e0a1f8fd14317f30f08f3dd72971bca432f8cdd2281d421fdcc2279de58c
diff --git a/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch b/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
new file mode 100644
index 000000000..b456f04fd
--- /dev/null
+++ b/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
@@ -0,0 +1,122 @@
+From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+  image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98165
+---
+ boilerplate/cairo-boilerplate.c     | 4 +++-
+ src/cairo-image-compositor.c        | 4 ++--
+ src/cairo-image-surface-private.h   | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c                     | 2 +-
+ src/cairo-script-surface.c          | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
+index 7fdbf79..4804dea 100644
+--- a/boilerplate/cairo-boilerplate.c
++++ b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+ 
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <assert.h>
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+     char format;
+-    int width, height, stride;
++    int width, height;
++    ptrdiff_t stride;
+     int x, y;
+     unsigned char *data;
+     cairo_surface_t *image = NULL;
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 48072f8..3ca0006 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
+     pixman_image_t *src, *mask;
+     union {
+ 	struct fill {
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	    uint32_t pixel;
+ 	} fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
+ 	struct finish {
+ 	    cairo_rectangle_int_t extents;
+ 	    int src_x, src_y;
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	} mask;
+     } u;
+diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
+index 8ca694c..7e78d61 100644
+--- a/src/cairo-image-surface-private.h
++++ b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+ 
+     int width;
+     int height;
+-    int stride;
++    ptrdiff_t stride;
+     int depth;
+ 
+     unsigned owns_data : 1;
+diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
+index 1b63ca8..e7f0db6 100644
+--- a/src/cairo-mesh-pattern-rasterizer.c
++++ b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
+ 	tg += tg >> 16;
+ 	tb += tb >> 16;
+ 
+-	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
++	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
+     }
+ }
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index 562b743..aa8c227 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
+     }
+ 
+     for (i = 0; i < png_height; i++)
+-        row_pointers[i] = &data[i * stride];
++        row_pointers[i] = &data[i * (ptrdiff_t)stride];
+ 
+     png_read_image (png, row_pointers);
+     png_read_end (png, info);
+diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
+index ea0117d..91e4baa 100644
+--- a/src/cairo-script-surface.c
++++ b/src/cairo-script-surface.c
+@@ -1202,7 +1202,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ 		      const cairo_image_surface_t *image)
+ {
+-    int stride, row, width;
++    int row, width;
++    ptrdiff_t stride;
+     uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+     uint8_t *rowdata;
+     uint8_t *data;
+-- 
+2.1.4
+
diff --git a/cairo/Pkgfile b/cairo/Pkgfile
index 430cbcad9..52f3480c3 100644
--- a/cairo/Pkgfile
+++ b/cairo/Pkgfile
@@ -5,11 +5,20 @@
 
 name=cairo
 version=1.15.6
-release=1
-source=(https://cairographics.org/snapshots/cairo-$version.tar.xz)
+release=2
+source=(https://cairographics.org/snapshots/cairo-$version.tar.xz
+    cairo-xlib-endianness.patch
+    cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
+    cairo-fix-off-by-one-check.patch
+    0001-image-prevent-invalid-ptr-access-for-4GB-images.patch)
 
 build() {
         cd $name-$version
+        patch -p1 -i $SRC/cairo-xlib-endianness.patch
+        patch -p1 -i $SRC/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
+        patch -p1 -i $SRC/cairo-fix-off-by-one-check.patch
+        patch -p1 -i $SRC/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
+
         ./configure --prefix=/usr \
                 --enable-xcb=yes \
                 --enable-ps \
diff --git a/cairo/cairo-fix-off-by-one-check.patch b/cairo/cairo-fix-off-by-one-check.patch
new file mode 100644
index 000000000..c9c2adddf
--- /dev/null
+++ b/cairo/cairo-fix-off-by-one-check.patch
@@ -0,0 +1,23 @@
+From 57b40507dda3f58dfc8635548d606b86dc7bcf51 Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 15 Jun 2017 20:53:29 +0930
+Subject: Fix off by one check in cairo-image-info.c
+
+https://bugs.freedesktop.org/show_bug.cgi?id=101427
+
+diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c
+index 2ecce95..3b4cf6e 100644
+--- a/src/cairo-image-info.c
++++ b/src/cairo-image-info.c
+@@ -154,7 +154,7 @@ _cairo_image_info_get_jpeg_info (cairo_image_info_t	*info,
+ 		break;
+ 	    }
+ 
+-	    if (p + 2 > data + length)
++	    if (p + 3 > data + length)
+ 		return CAIRO_INT_STATUS_UNSUPPORTED;
+ 
+ 	    p = _jpeg_skip_segment (p);
+-- 
+cgit v0.10.2
+
diff --git a/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff b/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
new file mode 100644
index 000000000..29e2b5ee4
--- /dev/null
+++ b/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
@@ -0,0 +1,13 @@
+Index: cairo-1.15.4/src/cairo-ft-font.c
+===================================================================
+--- cairo-1.15.4.orig/src/cairo-ft-font.c
++++ cairo-1.15.4/src/cairo-ft-font.c
+@@ -1149,7 +1149,7 @@ _get_bitmap_surface (FT_Bitmap		     *bi
+     width = bitmap->width;
+     height = bitmap->rows;
+ 
+-    if (width == 0 || height == 0) {
++    if (width == 0 || height == 0 || bitmap->buffer == NULL) {
+ 	*surface = (cairo_image_surface_t *)
+ 	    cairo_image_surface_create_for_data (NULL, format, 0, 0, 0);
+ 	return (*surface)->base.status;
diff --git a/cairo/cairo-xlib-endianness.patch b/cairo/cairo-xlib-endianness.patch
new file mode 100644
index 000000000..68086d1ff
--- /dev/null
+++ b/cairo/cairo-xlib-endianness.patch
@@ -0,0 +1,15 @@
+--- cairo/src/cairo-xlib-render-compositor.c	2013-04-12 11:22:48.010384018 +0200
++++ cairo/src/cairo-xlib-render-compositor.c.new	2013-04-12 11:23:54.362925287 +0200
+@@ -1318,10 +1318,10 @@
+ 	    }
+ 	    n = new;
+ 	    d = (uint32_t *) data;
+-	    do {
++	    while (c--) {
+ 		*n++ = bswap_32 (*d);
+ 		d++;
+-	    } while (--c);
++	    }
+ 	    data = (uint8_t *) new;
+ 	}
+ 	break;
author	Predrag Ivanovic <predivan@mts.rs>	2017-07-17 14:04:08 +0200
committer	Fredrik Rinnestam <fredrik@crux.nu>	2017-07-17 19:53:29 +0200
commit	7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5 (patch)
tree	7119d2d4d89782236d1a17f0e95ee1e524295364 /cairo
parent	2d674c6e6f3fd73e389ae514c19a0ccd171a2a94 (diff)
download	opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.gz opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.xz