Hello community, here is the log from the commit of package efl for openSUSE:Factory checked in at 2016-04-12 19:40:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/efl (Old) and /work/SRC/openSUSE:Factory/.efl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "efl" Changes: -------- --- /work/SRC/openSUSE:Factory/efl/efl.changes 2016-03-04 19:30:28.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.efl.new/efl.changes 2016-04-12 19:40:05.000000000 +0200 @@ -1,0 +2,10 @@ +Thu Apr 7 01:48:46 UTC 2016 - [email protected] +- Fix crash due to threadsafty issue fix-evas-sw-cutout-rects-threads.patch T3348 +- Fix spinlock handling leading to deadlock (fix-evas-sw-spinlock-free.patch) +- Fix mulitple possible crashes in gif loader that could lead to DOS attacks +(CVE-2014-9762 boo#963796, boo#963797, boo#973759) + * fix-evas-gif-loader-CVE-2014-9762.patch + * fix-evas-gif-loader-pixel-lookup-decode.patch + * fix-evas-gif-loader-cmap-null.patch + +------------------------------------------------------------------- New: ---- fix-evas-gif-loader-CVE-2014-9762.patch fix-evas-gif-loader-cmap-null.patch fix-evas-gif-loader-pixel-lookup-decode.patch fix-evas-sw-cutout-rects-threads.patch fix-evas-sw-spinlock-free.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ efl.spec ++++++ --- /var/tmp/diff_new_pack.tO14gj/_old 2016-04-12 19:40:06.000000000 +0200 +++ /var/tmp/diff_new_pack.tO14gj/_new 2016-04-12 19:40:06.000000000 +0200 @@ -59,6 +59,12 @@ Url: http://enlightenment.org Source: http://download.enlightenment.org/rel/libs/efl/%{name}-%{version}.tar.xz Patch1: efl-1.11.3-fix-bashisms.patch +Patch2: fix-evas-sw-cutout-rects-threads.patch +Patch3: fix-evas-sw-spinlock-free.patch +Patch4: fix-evas-gif-loader-CVE-2014-9762.patch +Patch5: fix-evas-gif-loader-pixel-lookup-decode.patch +Patch6: fix-evas-gif-loader-cmap-null.patch + BuildRequires: autoconf >= 2.5 BuildRequires: automake %if %build_doc 
@@ -645,6 +651,11 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 %build # fedora has the wrong autoconf version ++++++ fix-evas-gif-loader-CVE-2014-9762.patch ++++++ commit dd90b6afadf706aafec9e53a6b1efa8f899ab277 Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Sat Apr 2 12:25:52 2016 +0900 evas: gif loader - fix out of bounds access on cmap of invalid pixels if gif has example 4 colors in colormap, pixels provided still can hold values higher than 3 (4, 8, 255 etc.) ass a pixel is still a byte. it should not, but it could. technically it'd be nice for gitlib to pad its palette out to 256 entires to ensure this cant be a problem, but it doesn't have to , so make a local copy of the cmap when decoding pixels and pad out to 256 entires (using color 0 as any value > pallette ize is invalid anyway so any color will do). this fixes a possible security attack vector in reading memory out of bounds of an allocated array. not very far out of bounds - but enough to cause a crash - ie a dos attack, (not to inject code though). @fix diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c index a9f67f7..5110158 100644 --- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c +++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c @@ -46,7 +46,7 @@ do { \ goto on_error; \ } while (0) #define PIX(_x, _y) rows[yin + _y][xin + _x] -#define CMAP(_v) cmap->Colors[_v] +#define CMAP(_v) colors[_v] #define PIXLK(_p) ARGB_JOIN(0xff, CMAP(_p).Red, CMAP(_p).Green, CMAP(_p).Blue) // utility funcs... 
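Review bot: `#define CMAP(_v) colors[_v]` now silently depends on a local named `colors` existing in every function that expands `CMAP()` or `PIXLK()`, and nothing at the definition site says so; a reader of `PIXLK` can no longer tell where the table comes from or why a raw byte is a safe index. I would document the contract next to the macro: `/* CMAP()/PIXLK() index a caller-local GifColorType colors[256], a padded copy of the active colormap, so any byte-valued pixel index is in bounds */`. The spec hunk in this line is build plumbing only; the patch numbering (4, 5, 6) matches the blob chain a9f67f7 -> 5110158 -> 09d3b27 -> ac40352 of the three gif patches, so the apply order is consistent.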
@@ -120,11 +120,19 @@ _fill_frame(DATA32 *data, int rowpix, GifFileType *gif, Frame_Info *finfo, { ColorMapObject *cmap; int bg; - + GifColorType colors[256]; + int cnum; + // work out color to use from cmap if (gif->Image.ColorMap) cmap = gif->Image.ColorMap; else cmap = gif->SColorMap; bg = gif->SBackGroundColor; + + // fill in local color table of guaranteed 256 entires with cmap & pad + for (cnum = 0; cnum < cmap->ColorCount; cnum++) + colors[cnum] = cmap->Colors[cnum]; + for (cnum = cmap->ColorCount; cnum < 256; cnum++) + colors[cnum] = cmap->Colors[0]; // and do the fill _fill_image (data, rowpix, @@ -208,6 +216,8 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, Eina_Bool ret = EINA_FALSE; ColorMapObject *cmap; DATA32 *p; + GifColorType colors[256]; + int cnum; // build a blob of memory to have pointers to rows of pixels // AND store the decoded gif pixels (1 byte per pixel) as welll @@ -247,6 +257,11 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, if (gif->Image.ColorMap) cmap = gif->Image.ColorMap; else cmap = gif->SColorMap; + // fill in local color table of guaranteed 256 entires with cmap & pad + for (cnum = 0; cnum < cmap->ColorCount; cnum++) + colors[cnum] = cmap->Colors[cnum]; + for (cnum = cmap->ColorCount; cnum < 256; cnum++) + colors[cnum] = cmap->Colors[0]; // if we need to deal with transparent pixels at all... if (transparent >= 0) { ++++++ fix-evas-gif-loader-cmap-null.patch ++++++ commit db4ff548d356243638f5fa0898b2ee4ff1be55f5 Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Mon Apr 4 09:51:12 2016 +0900 evas - gif loader - handle missing colormap follow on from dd90b6afadf706aafec9e53a6b1efa8f899ab277 - this handled if a gif file has no colormap (it'll decode as blank now as a colormap of all 0's is used instead). @fix 
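Review bot: Both copy loops use `cmap->ColorCount` as the bound for the fixed stack array `GifColorType colors[256]`, so if giflib ever hands back a count above 256 the first loop becomes a stack buffer overflow, which is worse than the out-of-bounds read this commit fixes, and if the count is 0 the padding loop reads `cmap->Colors[0]` from an empty table. giflib derives ColorCount from a 3-bit size field so 256 is the expected maximum, but this is a loader for untrusted files and the clamp is cheap: `int n = (cmap->ColorCount > 256) ? 256 : cmap->ColorCount;`, `for (cnum = 0; cnum < n; cnum++) colors[cnum] = cmap->Colors[cnum];`, `for (; cnum < 256; cnum++) colors[cnum] = (n > 0) ? cmap->Colors[0] : (GifColorType){ 0 };`. The NULL-colormap case is handled by the follow-up commit db4ff548 in this same submission, so I am not raising it here. `_fill_frame` and `_decode_image` both continue outside the hunk.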
diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c index 09d3b27..ac40352 100644 --- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c +++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c @@ -128,11 +128,16 @@ _fill_frame(DATA32 *data, int rowpix, GifFileType *gif, Frame_Info *finfo, else cmap = gif->SColorMap; bg = gif->SBackGroundColor; - // fill in local color table of guaranteed 256 entires with cmap & pad - for (cnum = 0; cnum < cmap->ColorCount; cnum++) - colors[cnum] = cmap->Colors[cnum]; - for (cnum = cmap->ColorCount; cnum < 256; cnum++) - colors[cnum] = cmap->Colors[0]; + if (cmap) + { + // fill in local color table of guaranteed 256 with cmap & pad + for (cnum = 0; cnum < cmap->ColorCount; cnum++) + colors[cnum] = cmap->Colors[cnum]; + for (cnum = cmap->ColorCount; cnum < 256; cnum++) + colors[cnum] = cmap->Colors[0]; + } + else + memset(colors, 0, sizeof(colors)); // and do the fill _fill_image (data, rowpix, 
@@ -258,11 +263,16 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, if (gif->Image.ColorMap) cmap = gif->Image.ColorMap; else cmap = gif->SColorMap; - // fill in local color table of guaranteed 256 entires with cmap & pad - for (cnum = 0; cnum < cmap->ColorCount; cnum++) - colors[cnum] = cmap->Colors[cnum]; - for (cnum = cmap->ColorCount; cnum < 256; cnum++) - colors[cnum] = cmap->Colors[0]; + if (cmap) + { + // fill in local color table of guaranteed 256 entires with cmap & pad + for (cnum = 0; cnum < cmap->ColorCount; cnum++) + colors[cnum] = cmap->Colors[cnum]; + for (cnum = cmap->ColorCount; cnum < 256; cnum++) + colors[cnum] = cmap->Colors[0]; + } + else + memset(colors, 0, sizeof(colors)); // if we need to deal with transparent pixels at all... if (transparent >= 0) { ++++++ fix-evas-gif-loader-pixel-lookup-decode.patch ++++++ commit f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8 Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Sat Apr 2 13:22:11 2016 +0900 evas - gif loader - be a little more optimal in pixel lookups on decode diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c index 5110158..09d3b27 100644 --- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c +++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c @@ -213,6 +213,7 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, int intjump[] = { 8, 8, 4, 2 }; int i, xx, yy, pix; GifRowType *rows; + GifPixelType *pixels; Eina_Bool ret = EINA_FALSE; ColorMapObject *cmap; DATA32 *p; @@ -270,10 +271,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, { for (yy = 0; yy < h; yy++) { + pixels = &(PIX(0, yy)); p = data + ((y + yy) * rowpix) + x; for (xx = 0; xx < w; xx++) { - pix = PIX(xx, yy); + pix = *pixels; + pixels++; if (pix != transparent) *p = PIXLK(pix); else *p = 0; p++; 
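Review bot: After this commit the colormap-flattening block (copy `ColorCount` entries, pad to 256 with color 0, zero the table when `cmap` is NULL) exists verbatim in both `_fill_frame` and `_decode_image`, so any later bound fix has to be made twice. I would pull it into one static helper and call `_colormap_flatten(cmap, colors);` from both sites; that also gives a single place to clamp `ColorCount` to the 256-entry table and to treat a zero count like a missing map instead of reading `Colors[0]` from an empty one. The helper below uses `memset`, which this hunk already relies on. `_decode_image` continues outside the hunk.
```c
// Flatten the active GIF colormap into a fixed 256-entry table so that any
// byte-valued pixel index is in bounds. Unused entries repeat color 0; a
// missing or empty colormap yields an all-zero table.
static void
_colormap_flatten(const ColorMapObject *cmap, GifColorType colors[256])
{
   int cnum, count;

   if ((!cmap) || (cmap->ColorCount < 1))
     {
        memset(colors, 0, 256 * sizeof(GifColorType));
        return;
     }
   // giflib derives ColorCount from a 3-bit size field, but never trust it
   count = (cmap->ColorCount > 256) ? 256 : cmap->ColorCount;
   for (cnum = 0; cnum < count; cnum++)
     colors[cnum] = cmap->Colors[cnum];
   for (; cnum < 256; cnum++)
     colors[cnum] = cmap->Colors[0];
}

/* … unchanged: _decode_image up to the cmap selection … */
   _colormap_flatten(cmap, colors);
/* … unchanged: transparency handling and pixel loops … */
```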
@@ -285,10 +288,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, { for (yy = 0; yy < h; yy++) { + pixels = &(PIX(0, yy)); p = data + ((y + yy) * rowpix) + x; for (xx = 0; xx < w; xx++) { - pix = PIX(xx, yy); + pix = *pixels; + pixels++; if (pix != transparent) *p = PIXLK(pix); p++; } @@ -300,10 +305,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin, // walk pixels without worring about transparency at all for (yy = 0; yy < h; yy++) { + pixels = &(PIX(0, yy)); p = data + ((y + yy) * rowpix) + x; for (xx = 0; xx < w; xx++) { - pix = PIX(xx, yy); + pix = *pixels; + pixels++; *p = PIXLK(pix); p++; } ++++++ fix-evas-sw-cutout-rects-threads.patch ++++++ commit 4d6a8a7fce51b5654404226668a27d52d1e30eb3 Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Sat Mar 26 10:49:20 2016 +0900 evas sw render: cutout rects may be used in multiple threads several draw funcs keep a static Cutout_Rect *rects = NULL; variable to cache cutout rects to avoid re-allocating them a lot etc. this is fast and handy but we may use these from multiple threads. thats bad .... mmmkay. so this fixes it the dirty way - makes them thread local. :) this fixes T3348 - the crash mentioned by @zmike @fix diff --git a/src/lib/evas/common/evas_font_draw.c b/src/lib/evas/common/evas_font_draw.c index bbeecf6..bf5141b 100644 --- a/src/lib/evas/common/evas_font_draw.c +++ b/src/lib/evas/common/evas_font_draw.c @@ -348,7 +348,7 @@ error: EAPI Eina_Bool evas_common_font_draw_cb(RGBA_Image *dst, RGBA_Draw_Context *dc, int x, int y, Evas_Glyph_Array *glyphs, Evas_Common_Font_Draw_Cb cb) { - static Cutout_Rects *rects = NULL; + static __thread Cutout_Rects *rects = NULL; int ext_x, ext_y, ext_w, ext_h; int im_w, im_h; RGBA_Gfx_Func func; diff --git a/src/lib/evas/common/evas_map_image.c b/src/lib/evas/common/evas_map_image.c index cec21f6..eb94ada 100644 --- a/src/lib/evas/common/evas_map_image.c +++ b/src/lib/evas/common/evas_map_image.c 
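Review bot: The split `pix = *pixels;` / `pixels++;` pair in each of the three loops is the idiomatic single statement `pix = *pixels++;`, and `pixels` deserves a comment saying what it walks, since the PIX() indexing it replaces is no longer visible inside the loop: `// pixels walks decoded row (yin + yy) starting at column xin, one byte per pixel`. The rewrite preserves the original indexing exactly, so its bounds still rest on `rows[]` being set up with at least `xin + w` bytes per row, which happens outside the hunk. `_decode_image` starts and ends outside the hunk.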
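Review bot: `static __thread Cutout_Rects *rects = NULL;` turns one process-wide cache into one per rendering thread, and nothing in the hunk releases it when a thread exits, so with short-lived render threads this becomes a per-thread leak rather than the single-instance leak the plain static was; with a fixed thread pool it is bounded, which is presumably the case here, but the commit itself calls this "the dirty way". I would at least state the lifetime at the declaration: `/* per-thread cutout cache; never freed, assumes render threads are pooled and live for the process */`, and if threads are not pooled, switch to Eina TLS with a free callback so the cache dies with the thread. `__thread` is a GCC/Clang extension; fine if the tree already requires it, otherwise the same Eina TLS route keeps the build portable. The same change is repeated in the map, rectangle and scale hunks that follow, and every affected function continues outside its hunk.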
@@ -745,7 +745,7 @@ evas_common_map_rgba_cb(RGBA_Image *src, RGBA_Image *dst, int smooth, int level, Evas_Common_Map_RGBA_Cb cb) { - static Cutout_Rects *rects = NULL; + static __thread Cutout_Rects *rects = NULL; Cutout_Rect *r; int c, cx, cy, cw, ch; int i; @@ -791,7 +791,7 @@ evas_common_map_rgba_cb(RGBA_Image *src, RGBA_Image *dst, EAPI Eina_Bool evas_common_map_thread_rgba_cb(RGBA_Image *src, RGBA_Image *dst, RGBA_Draw_Context *dc, RGBA_Map *map, int smooth, int level, int offset, Evas_Common_Map_Thread_RGBA_Cb cb) { - static Cutout_Rects *rects = NULL; + static __thread Cutout_Rects *rects = NULL; Cutout_Rect *r; int c, cx, cy, cw, ch; int i; diff --git a/src/lib/evas/common/evas_rectangle_main.c b/src/lib/evas/common/evas_rectangle_main.c index 220fd0f..bd4649b 100644 --- a/src/lib/evas/common/evas_rectangle_main.c +++ b/src/lib/evas/common/evas_rectangle_main.c @@ -12,7 +12,7 @@ evas_common_rectangle_init(void) EAPI void evas_common_rectangle_draw_cb(RGBA_Image *dst, RGBA_Draw_Context *dc, int x, int y, int w, int h, Evas_Common_Rectangle_Draw_Cb cb) { - static Cutout_Rects *rects = NULL; + static __thread Cutout_Rects *rects = NULL; Cutout_Rect *r; int c, cx, cy, cw, ch; int i; diff --git a/src/lib/evas/common/evas_scale_main.c b/src/lib/evas/common/evas_scale_main.c index cf34c31..bd30a47 100644 --- a/src/lib/evas/common/evas_scale_main.c +++ b/src/lib/evas/common/evas_scale_main.c 
@@ -40,7 +40,7 @@ evas_common_scale_rgba_in_to_out_clip_cb(RGBA_Image *src, RGBA_Image *dst, int dst_region_w, int dst_region_h, Evas_Common_Scale_In_To_Out_Clip_Cb cb) { - static Cutout_Rects *rects = NULL; + static __thread Cutout_Rects *rects = NULL; Cutout_Rect *r; int c, cx, cy, cw, ch; int i; ++++++ fix-evas-sw-spinlock-free.patch ++++++ commit 5f307809b1d2ba2204bf073a06b4bc2fe1b205bb Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Tue Mar 29 12:09:40 2016 +0900 efl - evas - sw engine - donmt free spinlock because cache always needed never free the shm pool cache spinlock as it is alwasy needed once initiialized. this likely fixes a bsd hardlock issues @fix diff --git a/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c b/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c index d556595..52dffd6 100644 --- a/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c +++ b/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c @@ -26,6 +26,7 @@ struct _Outbuf_Region int h; }; +static Eina_Bool shmpool_initted = EINA_FALSE; static Eina_List *shmpool = NULL; static int shmsize = 0; static int shmmemlimit = 20 * 1024 * 1024; @@ -150,7 +151,11 @@ _clear_xob(int psync) void evas_software_xlib_outbuf_init(void) { - eina_spinlock_new(&shmpool_lock); + if (!shmpool_initted) + { + shmpool_initted = EINA_TRUE; + eina_spinlock_new(&shmpool_lock); + } } void @@ -192,7 +197,6 @@ evas_software_xlib_outbuf_free(Outbuf *buf) eina_array_flush(&buf->priv.onebuf_regions); free(buf); _clear_xob(0); - eina_spinlock_free(&shmpool_lock); } Outbuf *
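Review bot: The new once-guard in `evas_software_xlib_outbuf_init` is a plain check-then-set on a non-atomic static `shmpool_initted`, so two threads entering init concurrently could both see `!shmpool_initted` and call `eina_spinlock_new(&shmpool_lock)` twice on the same lock; if the engine guarantees a single-threaded init (likely, since this is engine setup) that assumption should be written down rather than implied. I would add above the function: `/* Not thread-safe: must be called once, from a single thread, before any Outbuf exists. The shm pool lock is deliberately never freed (see outbuf_free) because the pool outlives every Outbuf. */`, and the same sentence at the `shmpool_initted` declaration so the removed `eina_spinlock_free` in `evas_software_xlib_outbuf_free` does not look like an accidental leak to the next reader. `evas_software_xlib_outbuf_free` starts outside the hunk.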
