diff options
| author | Predrag Ivanovic <predivan@mts.rs> | 2017-07-17 14:04:08 +0200 |
|---|---|---|
| committer | Fredrik Rinnestam <fredrik@crux.nu> | 2017-07-17 19:53:29 +0200 |
| commit | 7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5 (patch) | |
| tree | 7119d2d4d89782236d1a17f0e95ee1e524295364 /cairo | |
| parent | 2d674c6e6f3fd73e389ae514c19a0ccd171a2a94 (diff) | |
| download | opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.gz opt-7abd542e96ec12b60a72f5a7059f5ef7c4a5d5b5.tar.xz | |
cairo: Patch for CVE-2017-7475 and CVE-2016-9082
Patches added:
- cairo-xlib-endianness.patch -- Fix crash when client and server have different endianness
- cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff -- Fix segfault in get_bitmap_surface
- cairo-fix-off-by-one-check.patch -- Fix off by one check in cairo-image-info.c
- 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch CVE-2016-9082 -- Fix segfault when using >4GB images
Diffstat (limited to 'cairo')
| -rw-r--r-- | cairo/.md5sum | 4 | ||||
| -rw-r--r-- | cairo/.signature | 5 | ||||
| -rw-r--r-- | cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch | 122 | ||||
| -rw-r--r-- | cairo/Pkgfile | 13 | ||||
| -rw-r--r-- | cairo/cairo-fix-off-by-one-check.patch | 23 | ||||
| -rw-r--r-- | cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff | 13 | ||||
| -rw-r--r-- | cairo/cairo-xlib-endianness.patch | 15 |
7 files changed, 188 insertions, 7 deletions
diff --git a/cairo/.md5sum b/cairo/.md5sum index c25aaabe2..6e904d877 100644 --- a/cairo/.md5sum +++ b/cairo/.md5sum @@ -1 +1,5 @@ +a3d7abd8e20b780f76300a76a4a4d963 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch 3f7fad1ce2f2564f1726cda7ae7fad18 cairo-1.15.6.tar.xz +ef74467172b3a8703c5d7da943f5bbfb cairo-fix-off-by-one-check.patch +bff33916d8b44e9c3f0f3e6644e61bfc cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff +d602f595c5800bf470c33cd1af7541d1 cairo-xlib-endianness.patch diff --git a/cairo/.signature b/cairo/.signature deleted file mode 100644 index c17ae0297..000000000 --- a/cairo/.signature +++ /dev/null @@ -1,5 +0,0 @@ -untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/YHzIhr25coV05nUVVO4ZON/VL4eiU8PDaUTQqZ28fE+/Y9jI+mYnng96d/vptfb4QZKdNsNXPeC/A27h79j9QY= -SHA256 (Pkgfile) = e8895b28db65e1ced75aa8f187d7ce65102ae38660b602479885118dfd27f688 -SHA256 (.footprint) = 01f56a1c4513bb142b94d81c220f5838103a12f0101cadf878525f486d03ef72 -SHA256 (cairo-1.15.6.tar.xz) = 5228e0a1f8fd14317f30f08f3dd72971bca432f8cdd2281d421fdcc2279de58c diff --git a/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch b/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch new file mode 100644 index 000000000..b456f04fd --- /dev/null +++ b/cairo/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch @@ -0,0 +1,122 @@ +From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001 +From: Adrian Johnson <ajohnson@redneon.com> +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +https://bugs.freedesktop.org/show_bug.cgi?id=98165 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c +index 7fdbf79..4804dea 100644 +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" + ++#include <stddef.h> + #include <stdlib.h> + #include <ctype.h> + #include <assert.h> +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image = NULL; +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 48072f8..3ca0006 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h +index 8ca694c..7e78d61 100644 +--- a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { + + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; + + unsigned owns_data : 1; +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c +index 1b63ca8..e7f0db6 100644 +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride, + tg += tg >> 16; + tb += tb >> 16; + +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +diff --git a/src/cairo-png.c b/src/cairo-png.c +index 562b743..aa8c227 100644 +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) + } + + for (i = 0; i < png_height; i++) +- row_pointers[i] = &data[i * stride]; ++ row_pointers[i] = &data[i * (ptrdiff_t)stride]; + + png_read_image (png, row_pointers); + png_read_end (png, info); +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c +index ea0117d..91e4baa 100644 +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1202,7 +1202,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; +-- +2.1.4 + diff --git a/cairo/Pkgfile b/cairo/Pkgfile index 430cbcad9..52f3480c3 100644 --- a/cairo/Pkgfile +++ b/cairo/Pkgfile @@ -5,11 +5,20 @@ name=cairo version=1.15.6 -release=1 -source=(https://cairographics.org/snapshots/cairo-$version.tar.xz) +release=2 +source=(https://cairographics.org/snapshots/cairo-$version.tar.xz + cairo-xlib-endianness.patch + cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff + cairo-fix-off-by-one-check.patch + 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch) build() { cd $name-$version + patch -p1 -i $SRC/cairo-xlib-endianness.patch + patch -p1 -i $SRC/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff + patch -p1 -i $SRC/cairo-fix-off-by-one-check.patch + patch -p1 -i $SRC/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch + ./configure --prefix=/usr \ --enable-xcb=yes \ --enable-ps \ diff --git a/cairo/cairo-fix-off-by-one-check.patch b/cairo/cairo-fix-off-by-one-check.patch new file mode 100644 index 000000000..c9c2adddf --- /dev/null +++ b/cairo/cairo-fix-off-by-one-check.patch @@ -0,0 +1,23 @@ +From 57b40507dda3f58dfc8635548d606b86dc7bcf51 Mon Sep 17 00:00:00 2001 +From: Adrian Johnson <ajohnson@redneon.com> +Date: Thu, 15 Jun 2017 20:53:29 +0930 +Subject: Fix off by one check in cairo-image-info.c + +https://bugs.freedesktop.org/show_bug.cgi?id=101427 + +diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c +index 2ecce95..3b4cf6e 100644 +--- a/src/cairo-image-info.c ++++ b/src/cairo-image-info.c +@@ -154,7 +154,7 @@ _cairo_image_info_get_jpeg_info (cairo_image_info_t *info, + break; + } + +- if (p + 2 > data + length) ++ if (p + 3 > data + length) + return CAIRO_INT_STATUS_UNSUPPORTED; + + p = _jpeg_skip_segment (p); +-- +cgit v0.10.2 + diff --git a/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff b/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff new file mode 100644 index 000000000..29e2b5ee4 --- /dev/null +++ b/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff @@ -0,0 +1,13 @@ +Index: cairo-1.15.4/src/cairo-ft-font.c +=================================================================== +--- cairo-1.15.4.orig/src/cairo-ft-font.c ++++ cairo-1.15.4/src/cairo-ft-font.c +@@ -1149,7 +1149,7 @@ _get_bitmap_surface (FT_Bitmap *bi + width = bitmap->width; + height = bitmap->rows; + +- if (width == 0 || height == 0) { ++ if (width == 0 || height == 0 || bitmap->buffer == NULL) { + *surface = (cairo_image_surface_t *) + cairo_image_surface_create_for_data (NULL, format, 0, 0, 0); + return (*surface)->base.status; diff --git a/cairo/cairo-xlib-endianness.patch b/cairo/cairo-xlib-endianness.patch new file mode 100644 index 000000000..68086d1ff --- /dev/null +++ b/cairo/cairo-xlib-endianness.patch @@ -0,0 +1,15 @@ +--- cairo/src/cairo-xlib-render-compositor.c 2013-04-12 11:22:48.010384018 +0200 ++++ cairo/src/cairo-xlib-render-compositor.c.new 2013-04-12 11:23:54.362925287 +0200 +@@ -1318,10 +1318,10 @@ + } + n = new; + d = (uint32_t *) data; +- do { ++ while (c--) { + *n++ = bswap_32 (*d); + d++; +- } while (--c); ++ } + data = (uint8_t *) new; + } + break; |