From: Ross Burton <[email protected]> Signed-off-by: Richard Purdie <[email protected]> (cherry picked from commit 0c4e6f99332ae253855708845a41fdfeb72d4c30) Signed-off-by: Steve Sakoman <[email protected]> --- .../cairo/cairo/CVE-2020-35492.patch | 60 +++++++++++++++++++ meta/recipes-graphics/cairo/cairo_1.16.0.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..fb6ce5cfdf --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch @@ -0,0 +1,60 @@ +Fix stack buffer overflow. + +CVE: CVE-2020-35492 +Upstream-Status: Backport +Signed-off-by: Ross Burton <[email protected]> + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <[email protected]> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +--- + src/cairo-image-compositor.c | 8 ++-- + test/Makefile.sources | 1 + + test/bug-image-compositor.c | 39 ++++++++++++++++++++ + test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes + 4 files changed, 44 insertions(+), 4 deletions(-) + create mode 100644 test/bug-image-compositor.c + create mode 100644 test/reference/bug-image-compositor.ref.png + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 79ad69f68..4f8aaed99 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; +-- diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 8663dec404..4827374ffc 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb +++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb @@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ file://CVE-2018-19876.patch \ file://CVE-2019-6461.patch \ file://CVE-2019-6462.patch \ + file://CVE-2020-35492.patch \ " SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#151946): https://lists.openembedded.org/g/openembedded-core/message/151946 Mute This Topic: https://lists.openembedded.org/mt/82887660/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
