debian/changelog | 7 +++++++ pixman/pixman-inlines.h | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-)
New commits: commit 259f6811872a1ab60089ec094c0d8129e03dae85 Author: Julien Cristau <[email protected]> Date: Mon Feb 18 20:17:18 2013 +0100 Upload to unstable diff --git a/debian/changelog b/debian/changelog index f23215c..93c3e94 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pixman (0.26.0-4) sid; urgency=high + + * Fix for CVE-2013-1591 (stack-based buffer overflow), cherry-picked from + 0.27.4 (closes: #700308). + + -- Julien Cristau <[email protected]> Mon, 18 Feb 2013 19:58:33 +0100 + pixman (0.26.0-3) unstable; urgency=low * Pass LS_CFLAGS=" " to configure to prevent -march=loongson2f from commit 6dfdd8534f92efc48efb35266b1c42eaaf073f8b Author: Søren Sandmann Pedersen <[email protected]> Date: Sat Sep 15 03:13:09 2012 -0400 Fix for infinite-loop test The infinite loop detected by "affine-test 212944861" is caused by an overflow in this expression: max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1; where (width - 1) * unit_x doesn't fit in a signed int. This causes max_x to be too small so that this: src_width = 0 while (src_width < REPEAT_NORMAL_MIN_WIDTH && src_width <= max_x) src_width += src_image->bits.width; results in src_width being 0. Later on when src_width is used for repeat calculations, we get the infinite loop. By casting unit_x to int64_t, the expression no longer overflows and affine-test 212944861 and infinite-loop no longer loop forever. (cherry picked from commit de60e2e0e3eb6084f8f14b63f25b3cbfb012943f) diff --git a/pixman/pixman-inlines.h b/pixman/pixman-inlines.h index 3532867..66c998e 100644 --- a/pixman/pixman-inlines.h +++ b/pixman/pixman-inlines.h 
@@ -844,7 +844,7 @@ fast_composite_scaled_bilinear ## scale_func_name (pixman_implementation_t *imp, { \ vx = v.vector[0]; \ repeat (PIXMAN_REPEAT_NORMAL, &vx, pixman_int_to_fixed(src_image->bits.width)); \ - max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1; \ + max_x = pixman_fixed_to_int (vx + (width - 1) * (int64_t)unit_x) + 1; \ \ if (src_image->bits.width < REPEAT_NORMAL_MIN_WIDTH) \ { \
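Review bot: in the debian/changelog hunk, the new 0.26.0-4 entry gives the distribution as `sid`, while the 0.26.0-3 entry directly below it uses `unstable` and the commit subject reads "Upload to unstable"; writing `unstable` here would keep the entries consistent. The entry could also name the upstream commit it cherry-picks (de60e2e0e3eb6084f8f14b63f25b3cbfb012943f, per the second commit message), so that the CVE-2013-1591 fix can be traced from the changelog alone.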
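Review bot: on the changed `max_x` line in the pixman/pixman-inlines.h hunk, the `(int64_t)` cast widens the product and with it the whole argument to `pixman_fixed_to_int`, but the result is still assigned to `max_x`, whose declaration is outside the hunk. Please confirm that the converted value fits the type of `max_x` for the largest `width` and `unit_x` this path accepts, otherwise the truncation only moves from the multiplication to the assignment. A short comment on that line saying the cast is there because `(width - 1) * unit_x` can exceed a signed int would keep a later cleanup from removing it, and if the same product appears elsewhere in this header it needs the same cast.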

