Git-Url:
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.7.git;a=commitdiff;h=1b265647c5f70a6d390788d459aab6c1a14876b8
commit 1b265647c5f70a6d390788d459aab6c1a14876b8
Author: voroskoi <[EMAIL PROTECTED]>
Date: Wed Jan 9 19:27:22 2008 +0100
cairo-1.4.10-2sayshell1-x86_64
secfix relbump, closes #2654
diff --git a/source/xlib/cairo/CVE-2007-5503.diff
b/source/xlib/cairo/CVE-2007-5503.diff
new file mode 100644
index 0000000..4021c52
--- /dev/null
+++ b/source/xlib/cairo/CVE-2007-5503.diff
@@ -0,0 +1,1193 @@
+diff -Naur cairo-1.4.10/CODING_STYLE fw_cairo-1.4.10/CODING_STYLE
+--- cairo-1.4.10/CODING_STYLE 2007-04-27 19:02:33.000000000 +0200
++++ fw_cairo-1.4.10/CODING_STYLE 2008-01-09 18:00:35.000000000 +0100
+@@ -243,3 +243,28 @@
+ this. If it's not available due to additional nesting above which
+ require some cleanup after the current block, then consider splitting
+ the current block into a new function before using goto.
++
++Memory allocation
++-----------------
++
++Because much of cairo's data consists of dynamically allocated arrays,
++it's very easy to introduce integer overflow issues whenever malloc()
++is called. Use the _cairo_malloc2(), _cairo_malloc3(), and
++_cairo_malloc2_add1 macros to avoid these cases; these macros check
++for overflow and will return NULL in that case.
++
++ malloc (n * size) => _cairo_malloc_ab (n, size)
++ e.g. malloc (num_elts * sizeof(some_type)) =>
++ _cairo_malloc2 (num_elts, sizeof(some_type))
++
++ malloc (a * b * size) => _cairo_malloc_abc (a, b, size)
++ e.g. malloc (width * height * 4) =>
++ _cairo_malloc3 (width, height, 4)
++
++ malloc (n * size + k) => _cairo_malloc_ab_plus_c (n, size, k)
++ e.g. malloc (num * sizeof(entry) + sizeof(header)) =>
++ _cairo_malloc2k (num, sizeof(entry), sizeof(header))
++
++In general, be wary of performing any arithmetic operations in an
++argument to malloc. You should explicitly check for integer overflow
++yourself in any more complex situations.
+\ No newline at end of file
+diff -Naur cairo-1.4.10/pixman/src/fbcompose.c
fw_cairo-1.4.10/pixman/src/fbcompose.c
+--- cairo-1.4.10/pixman/src/fbcompose.c 2007-04-27 19:02:33.000000000
+0200
++++ fw_cairo-1.4.10/pixman/src/fbcompose.c 2008-01-09 18:00:36.000000000
+0100
+@@ -3883,7 +3883,7 @@
+ }
+
+ if (width > SCANLINE_BUFFER_LENGTH)
+- alpha_buffer = (CARD32 *) malloc(width*sizeof(CARD32));
++ alpha_buffer = (CARD32 *) _pixman_malloc_ab (width, sizeof(CARD32));
+
+ fbFetchTransformed(pict, x, y, width, buffer, mask, maskBits);
+ fbFetchTransformed(pict->alphaMap, x - pict->alphaOrigin.x,
+@@ -4286,7 +4286,7 @@
+ compose_data.mask = pMask;
+ compose_data.dest = pDst;
+ if (width > SCANLINE_BUFFER_LENGTH)
+- scanline_buffer = (CARD32 *) malloc(width * 3 * sizeof(CARD32));
++ scanline_buffer = (CARD32 *) _pixman_malloc_abc (width, 3,
sizeof(CARD32));
+
+ n = pixman_region_num_rects (®ion);
+ pbox = pixman_region_rects (®ion);
+diff -Naur cairo-1.4.10/pixman/src/icimage.c
fw_cairo-1.4.10/pixman/src/icimage.c
+--- cairo-1.4.10/pixman/src/icimage.c 2007-04-27 19:02:33.000000000 +0200
++++ fw_cairo-1.4.10/pixman/src/icimage.c 2008-01-09 18:00:36.000000000
+0100
+@@ -215,8 +215,8 @@
+ if (!image)
+ return NULL;
+
+- linear = malloc (sizeof (pixman_linear_gradient_image_t) +
+- sizeof (pixman_gradient_stop_t) * n_stops);
++ linear = _pixman_malloc_ab_plus_c (n_stops, sizeof
(pixman_gradient_stop_t),
++ sizeof (pixman_linear_gradient_image_t));
+ if (!linear)
+ {
+ free (image);
+@@ -259,8 +259,8 @@
+ if (!image)
+ return NULL;
+
+- radial = malloc (sizeof (pixman_radial_gradient_image_t) +
+- sizeof (pixman_gradient_stop_t) * n_stops);
++ radial = _pixman_malloc_ab_plus_c (n_stops, sizeof
(pixman_gradient_stop_t),
++ sizeof (pixman_radial_gradient_image_t));
+ if (!radial)
+ {
+ free (image);
+diff -Naur cairo-1.4.10/pixman/src/pixman.h fw_cairo-1.4.10/pixman/src/pixman.h
+--- cairo-1.4.10/pixman/src/pixman.h 2007-06-27 20:00:55.000000000 +0200
++++ fw_cairo-1.4.10/pixman/src/pixman.h 2008-01-09 18:00:36.000000000
+0100
+@@ -89,6 +89,13 @@
+ typedef unsigned __int32 uint32_t;
+ typedef __int64 int64_t;
+ typedef unsigned __int64 uint64_t;
++
++# ifndef UINT16_MAX
++# define UINT16_MAX (65535)
++# endif
++# ifndef UINT32_MAX
++# define UINT32_MAX (0xffffffffU)
++# endif
+ #else
+ #error Cannot find definitions for fixed-width integral types (uint8_t,
uint32_t, etc.)
+ #endif
+diff -Naur cairo-1.4.10/pixman/src/pixmanint.h
fw_cairo-1.4.10/pixman/src/pixmanint.h
+--- cairo-1.4.10/pixman/src/pixmanint.h 2007-04-27 19:02:33.000000000
+0200
++++ fw_cairo-1.4.10/pixman/src/pixmanint.h 2008-01-09 18:00:36.000000000
+0100
+@@ -1073,4 +1073,21 @@
+ (*((a)+2) = (CARD8) ((v) >> 16))))
+ #endif
+
++
++/* Allocation helpers */
++
++#define _pixman_malloc_ab(n, size) \
++ ((unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ malloc((unsigned) (n) * (unsigned) (size)))
++
++#define _pixman_malloc_abc(a, b, size) \
++ ((unsigned) (a) >= INT32_MAX / (unsigned) (b) ? NULL : \
++ (unsigned) ((a)*(b)) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ malloc((unsigned) (a) * (unsigned) (b) * (unsigned) size))
++
++#define _pixman_malloc_ab_plus_c(n, size, k) \
++ ((unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ (unsigned) (k) >= INT32_MAX - (unsigned) (n) * (unsigned) (size) ? NULL : \
++ malloc((unsigned) (n) * (unsigned) (size) + (unsigned) (k)))
++
+ #endif /* _PIXMANINT_H_ */
+diff -Naur cairo-1.4.10/pixman/src/pixregion.c
fw_cairo-1.4.10/pixman/src/pixregion.c
+--- cairo-1.4.10/pixman/src/pixregion.c 2007-06-27 20:00:55.000000000
+0200
++++ fw_cairo-1.4.10/pixman/src/pixregion.c 2008-01-09 18:00:36.000000000
+0100
+@@ -148,7 +148,31 @@
+ ((r1)->y1 <= (r2)->y1) && \
+ ((r1)->y2 >= (r2)->y2) )
+
+-#define allocData(n) malloc(PIXREGION_SZOF(n))
++static size_t
++PIXREGION_SZOF(size_t n)
++{
++ size_t size = n * sizeof(pixman_box16_t);
++ if (n > UINT32_MAX / sizeof(pixman_box16_t))
++ return 0;
++
++ if (sizeof(pixman_region16_data_t) > UINT32_MAX - size)
++ return 0;
++
++ return size + sizeof(pixman_region16_data_t);
++}
++
++static void
++allocData(size_t n, void **data)
++{
++ size_t sz = PIXREGION_SZOF(n);
++ if (!sz) {
++ *data = NULL;
++ return;
++ }
++
++ *data = malloc(sz);
++}
++
+ #define freeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
+
+ #define RECTALLOC_BAIL(pReg,n,bail) \
+@@ -185,7 +209,10 @@
+ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
+ { \
+ pixman_region16_data_t * NewData;
\
+- NewData = (pixman_region16_data_t *)realloc((reg)->data,
PIXREGION_SZOF(numRects)); \
++ size_t data_size = PIXREGION_SZOF(numRects); \
++ if (!data_size) \
++ goto bail; \
++ NewData = (pixman_region16_data_t *)realloc((reg)->data, data_size); \
+ if (NewData) \
+ { \
+ NewData->size = (numRects); \
+@@ -372,11 +399,12 @@
+ pixman_rect_alloc(pixman_region16_t * region, int n)
+ {
+ pixman_region16_data_t *data;
++ size_t data_size;
+
+ if (!region->data)
+ {
+ n++;
+- region->data = allocData(n);
++ allocData(n, (void **) ®ion->data);
+ if (!region->data)
+ return pixman_break (region);
+ region->data->numRects = 1;
+@@ -384,7 +412,7 @@
+ }
+ else if (!region->data->size)
+ {
+- region->data = allocData(n);
++ allocData(n, (void **) ®ion->data);
+ if (!region->data)
+ return pixman_break (region);
+ region->data->numRects = 0;
+@@ -398,7 +426,10 @@
+ n = 250;
+ }
+ n += region->data->numRects;
+- data = (pixman_region16_data_t *)realloc(region->data,
PIXREGION_SZOF(n));
++ data_size = PIXREGION_SZOF(n);
++ if (!data_size)
++ return pixman_break (region);
++ data = (pixman_region16_data_t *)realloc(region->data, data_size);
+ if (!data)
+ return pixman_break (region);
+ region->data = data;
+@@ -424,7 +455,7 @@
+ if (!dst->data || (dst->data->size < src->data->numRects))
+ {
+ freeData(dst);
+- dst->data = allocData(src->data->numRects);
++ allocData(src->data->numRects, (void **) &dst->data);
+ if (!dst->data)
+ return pixman_break (dst);
+ dst->data->size = src->data->numRects;
+@@ -835,8 +866,10 @@
+ AppendRegions(newReg, r2BandEnd, r2End);
+ }
+
+- if (oldData)
++ if (oldData) {
+ free(oldData);
++ oldData = NULL;
++ }
+
+ if (!(numRects = newReg->data->numRects))
+ {
+@@ -1493,7 +1526,7 @@
+
+ /* Set up the first region to be the first rectangle in badreg */
+ /* Note that step 2 code will never overflow the ri[0].reg rects array */
+- ri = (RegionInfo *) malloc(4 * sizeof(RegionInfo));
++ ri = (RegionInfo *) _pixman_malloc_ab(4, sizeof(RegionInfo));
+ if (!ri)
+ return pixman_break (badreg);
+ sizeRI = 4;
+@@ -1555,9 +1588,13 @@
+ /* Uh-oh. No regions were appropriate. Create a new one. */
+ if (sizeRI == numRI)
+ {
++ size_t data_size;
+ /* Oops, allocate space for new region information */
+ sizeRI <<= 1;
+- rit = (RegionInfo *) realloc(ri, sizeRI * sizeof(RegionInfo));
++ data_size = sizeRI * sizeof(RegionInfo);
++ if (data_size / sizeRI != sizeof(RegionInfo))
++ goto bail;
++ rit = (RegionInfo *) realloc(ri, data_size);
+ if (!rit)
+ goto bail;
+ ri = rit;
+@@ -1659,7 +1696,7 @@
+ }
+ return region;
+ }
+- pData = allocData(nrects);
++ allocData(nrects, &pData);
+ if (!pData)
+ {
+ pixman_break (region);
+@@ -2167,7 +2204,7 @@
+ if (!dst->data || (dst->data->size < src->data->numRects))
+ {
+ freeData(dst);
+- dst->data = allocData(src->data->numRects);
++ allocData(src->data->numRects, &dst->data);
+ if (!dst->data)
+ return pixman_break (dst);
+ }
+diff -Naur cairo-1.4.10/pixman/src/pixregionint.h
fw_cairo-1.4.10/pixman/src/pixregionint.h
+--- cairo-1.4.10/pixman/src/pixregionint.h 2007-04-27 19:02:33.000000000
+0200
++++ fw_cairo-1.4.10/pixman/src/pixregionint.h 2008-01-09 18:00:36.000000000
+0100
+@@ -70,6 +70,5 @@
+ #define PIXREGION_BOX(reg,i) (&PIXREGION_BOXPTR(reg)[i])
+ #define PIXREGION_TOP(reg) PIXREGION_BOX(reg, (reg)->data->numRects)
+ #define PIXREGION_END(reg) PIXREGION_BOX(reg, (reg)->data->numRects - 1)
+-#define PIXREGION_SZOF(n) (sizeof(pixman_region16_data_t) + ((n) *
sizeof(pixman_box16_t)))
+
+ #endif /* _PIXREGIONINT_H_ */
+diff -Naur cairo-1.4.10/src/cairo-array.c fw_cairo-1.4.10/src/cairo-array.c
+--- cairo-1.4.10/src/cairo-array.c 2007-04-27 19:02:33.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-array.c 2008-01-09 18:00:53.000000000 +0100
+@@ -138,8 +138,8 @@
+ }
+
+ array->size = new_size;
+- new_elements = realloc (*array->elements,
+- array->size * array->element_size);
++ new_elements = _cairo_realloc_ab (*array->elements,
++ array->size, array->element_size);
+
+ if (new_elements == NULL) {
+ array->size = old_size;
+diff -Naur cairo-1.4.10/src/cairo-atsui-font.c
fw_cairo-1.4.10/src/cairo-atsui-font.c
+--- cairo-1.4.10/src/cairo-atsui-font.c 2007-06-27 20:00:55.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-atsui-font.c 2008-01-09 18:00:36.000000000
+0100
+@@ -809,7 +809,7 @@
+
+ *num_glyphs = glyphCount - 1;
+ *glyphs =
+- (cairo_glyph_t *) malloc(*num_glyphs * (sizeof (cairo_glyph_t)));
++ (cairo_glyph_t *) _cairo_malloc_ab(*num_glyphs, sizeof (cairo_glyph_t));
+ if (*glyphs == NULL) {
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+diff -Naur cairo-1.4.10/src/cairo-bentley-ottmann.c
fw_cairo-1.4.10/src/cairo-bentley-ottmann.c
+--- cairo-1.4.10/src/cairo-bentley-ottmann.c 2007-06-07 19:45:39.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-bentley-ottmann.c 2008-01-09
18:00:36.000000000 +0100
+@@ -754,7 +754,7 @@
+ * or stop events, so this allocation is safe. XXX: make the
+ * event type a union so it doesn't always contain the skip
+ * elt? */
+- events = malloc (num_events * (sizeof (cairo_bo_event_t) +
sizeof(cairo_bo_event_t*)));
++ events = _cairo_malloc_ab (num_events, sizeof (cairo_bo_event_t) +
sizeof(cairo_bo_event_t*));
+ if (events == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -1436,7 +1436,7 @@
+ if (polygon->num_edges < ARRAY_LENGTH (stack_edges)) {
+ edges = stack_edges;
+ } else {
+- edges = malloc (polygon->num_edges * sizeof (cairo_bo_edge_t));
++ edges = _cairo_malloc_ab (polygon->num_edges, sizeof (cairo_bo_edge_t));
+ if (edges == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+@@ -1757,7 +1757,7 @@
+ while (intersections) {
+ int num_edges = _cairo_array_num_elements (&intersected_edges);
+ passes++;
+- edges = malloc (num_edges * sizeof (cairo_bo_edge_t));
++ edges = _cairo_malloc_ab (num_edges, sizeof (cairo_bo_edge_t));
+ assert (edges != NULL);
+ memcpy (edges, _cairo_array_index (&intersected_edges, 0), num_edges *
sizeof (cairo_bo_edge_t));
+ _cairo_array_fini (&intersected_edges);
+diff -Naur cairo-1.4.10/src/cairo-beos-surface.cpp
fw_cairo-1.4.10/src/cairo-beos-surface.cpp
+--- cairo-1.4.10/src/cairo-beos-surface.cpp 2007-04-27 19:02:33.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-beos-surface.cpp 2008-01-09 18:00:36.000000000
+0100
+@@ -259,7 +259,7 @@
+ int height,
+ int stride)
+ {
+- unsigned char* retdata = reinterpret_cast<unsigned char*>(malloc(stride *
height));
++ unsigned char* retdata = reinterpret_cast<unsigned
char*>(_cairo_malloc_ab(height, stride));
+ if (!retdata)
+ return NULL;
+
+@@ -322,7 +322,7 @@
+ bitmap->BytesPerRow());
+ } else {
+ premultiplied = reinterpret_cast<unsigned char*>(
+- malloc(bitmap->BytesPerRow() * height));
++ _cairo_malloc_ab(bitmap->BytesPerRow(),
height));
+ if (premultiplied)
+ memcpy(premultiplied, bits, bitmap->BytesPerRow() * height);
+ }
+diff -Naur cairo-1.4.10/src/cairo-clip.c fw_cairo-1.4.10/src/cairo-clip.c
+--- cairo-1.4.10/src/cairo-clip.c 2007-05-16 15:52:56.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-clip.c 2008-01-09 18:00:36.000000000 +0100
+@@ -634,9 +634,13 @@
+ return (cairo_rectangle_list_t*) &_cairo_rectangles_not_representable;
+
+ n_boxes = clip->has_region ? pixman_region_num_rects (&clip->region) : 1;
+- rectangles = malloc (sizeof (cairo_rectangle_t)*n_boxes);
+- if (rectangles == NULL)
+- return (cairo_rectangle_list_t*) &_cairo_rectangles_nil;
++ if (n_boxes > 0) {
++ rectangles = _cairo_malloc_ab (n_boxes, sizeof (cairo_rectangle_t));
++ if (rectangles == NULL)
++ return (cairo_rectangle_list_t*) &_cairo_rectangles_nil;
++ } else {
++ rectangles = NULL;
++ }
+
+ if (clip->has_region) {
+ pixman_box16_t *boxes;
+diff -Naur cairo-1.4.10/src/cairo-directfb-surface.c
fw_cairo-1.4.10/src/cairo-directfb-surface.c
+--- cairo-1.4.10/src/cairo-directfb-surface.c 2007-06-27 20:00:55.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-directfb-surface.c 2008-01-09
18:00:36.000000000 +0100
+@@ -1113,7 +1113,7 @@
+ if( surface->clips )
+ free (surface->clips);
+
+- surface->clips = malloc (n_boxes * sizeof(DFBRegion));
++ surface->clips = _cairo_malloc_ab (n_boxes, sizeof(DFBRegion));
+ if (!surface->clips) {
+ surface->n_clips = 0;
+ return CAIRO_STATUS_NO_MEMORY;
+diff -Naur cairo-1.4.10/src/cairo-ft-font.c fw_cairo-1.4.10/src/cairo-ft-font.c
+--- cairo-1.4.10/src/cairo-ft-font.c 2007-06-07 19:45:39.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-ft-font.c 2008-01-09 18:00:36.000000000
+0100
+@@ -742,7 +742,7 @@
+ data = bitmap->buffer;
+ assert (stride == bitmap->pitch);
+ } else {
+- data = malloc (stride * height);
++ data = _cairo_malloc_ab (height, stride);
+ if (!data) {
+ _cairo_error (CAIRO_STATUS_NO_MEMORY);
+ return CAIRO_STATUS_NO_MEMORY;
+@@ -792,7 +792,7 @@
+ if (own_buffer) {
+ data = bitmap->buffer;
+ } else {
+- data = malloc (stride * height);
++ data = _cairo_malloc_ab (height, stride);
+ if (!data) {
+ _cairo_error (CAIRO_STATUS_NO_MEMORY);
+ return CAIRO_STATUS_NO_MEMORY;
+diff -Naur cairo-1.4.10/src/cairo-glitz-surface.c
fw_cairo-1.4.10/src/cairo-glitz-surface.c
+--- cairo-1.4.10/src/cairo-glitz-surface.c 2007-05-09 15:37:39.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-glitz-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -197,7 +197,7 @@
+ pf.bytes_per_line = (((width * format.bpp) / 8) + 3) & -4;
+ pf.scanline_order = GLITZ_PIXEL_SCANLINE_ORDER_TOP_DOWN;
+
+- pixels = malloc (height * pf.bytes_per_line);
++ pixels = _cairo_malloc_ab (height, pf.bytes_per_line);
+ if (!pixels)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -627,8 +627,22 @@
+
+ n_params = gradient->n_stops * 3 + n_base_params;
+
+- data = malloc (sizeof (glitz_fixed16_16_t) * n_params +
+- sizeof (unsigned int) * gradient->n_stops);
++ /* check for int overflow */
++ {
++ int size1, size2;
++ if (n_params >= INT32_MAX / sizeof (glitz_fixed16_16_t) ||
++ gradient->n_stops >= INT32_MAX / sizeof (unsigned int))
++ return CAIRO_STATUS_NO_MEMORY;
++
++ size1 = n_params * sizeof (glitz_fixed16_16_t);
++ size2 = gradient->n_stops * sizeof (unsigned int);
++
++ if (size1 >= INT32_MAX - size2)
++ return CAIRO_STATUS_NO_MEMORY;
++
++ data = malloc (size1 + size2);
++ }
++
+ if (!data)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -1992,9 +2006,19 @@
+ if (num_glyphs > N_STACK_BUF)
+ {
+ char *data;
++ int size1, size2;
++
++ if (num_glyphs >= INT32_MAX / sizeof(void*) ||
++ num_glyphs >= INT32_MAX / sizeof(glitz_float_t) ||
++ (num_glyphs * sizeof(glitz_float_t)) >= INT32_MAX / 16)
++ goto FAIL1;
++
++ size1 = num_glyphs * sizeof(void *);
++ size2 = num_glyphs * sizeof(glitz_float_t) * 16;
++ if (size1 >= INT32_MAX - size2)
++ goto FAIL1;
+
+- data = malloc (num_glyphs * sizeof (void *) +
+- num_glyphs * sizeof (glitz_float_t) * 16);
++ data = malloc (size1 + size2);
+ if (!data)
+ goto FAIL1;
+
+diff -Naur cairo-1.4.10/src/cairo-gstate.c fw_cairo-1.4.10/src/cairo-gstate.c
+--- cairo-1.4.10/src/cairo-gstate.c 2007-06-07 19:44:01.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-gstate.c 2008-01-09 18:00:36.000000000 +0100
+@@ -530,7 +530,7 @@
+ return CAIRO_STATUS_SUCCESS;
+ }
+
+- gstate->stroke_style.dash = malloc (gstate->stroke_style.num_dashes *
sizeof (double));
++ gstate->stroke_style.dash = _cairo_malloc_ab
(gstate->stroke_style.num_dashes, sizeof (double));
+ if (gstate->stroke_style.dash == NULL) {
+ gstate->stroke_style.num_dashes = 0;
+ return CAIRO_STATUS_NO_MEMORY;
+@@ -1570,7 +1570,7 @@
+ if (num_glyphs <= STACK_GLYPHS_LEN) {
+ transformed_glyphs = stack_transformed_glyphs;
+ } else {
+- transformed_glyphs = malloc (num_glyphs * sizeof(cairo_glyph_t));
++ transformed_glyphs = _cairo_malloc_ab (num_glyphs,
sizeof(cairo_glyph_t));
+ if (transformed_glyphs == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+@@ -1615,7 +1615,7 @@
+ if (num_glyphs < STACK_GLYPHS_LEN)
+ transformed_glyphs = stack_transformed_glyphs;
+ else
+- transformed_glyphs = malloc (num_glyphs * sizeof(cairo_glyph_t));
++ transformed_glyphs = _cairo_malloc_ab (num_glyphs,
sizeof(cairo_glyph_t));
+ if (transformed_glyphs == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-hull.c fw_cairo-1.4.10/src/cairo-hull.c
+--- cairo-1.4.10/src/cairo-hull.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-hull.c 2008-01-09 18:00:36.000000000 +0100
+@@ -62,7 +62,7 @@
+ *extremum = vertices[0].point;
+ vertices[0].point = tmp;
+
+- hull = malloc (num_vertices * sizeof (cairo_hull_t));
++ hull = _cairo_malloc_ab (num_vertices, sizeof (cairo_hull_t));
+ if (hull == NULL)
+ return NULL;
+
+diff -Naur cairo-1.4.10/src/cairoint.h fw_cairo-1.4.10/src/cairoint.h
+--- cairo-1.4.10/src/cairoint.h 2007-06-15 21:06:05.000000000 +0200
++++ fw_cairo-1.4.10/src/cairoint.h 2008-01-09 18:00:36.000000000 +0100
+@@ -181,6 +181,7 @@
+
+ #include "cairo-mutex-private.h"
+ #include "cairo-wideint-private.h"
++#include "cairo-malloc-private.h"
+
+ typedef int32_t cairo_fixed_16_16_t;
+ typedef cairo_int64_t cairo_fixed_32_32_t;
+diff -Naur cairo-1.4.10/src/cairo-lzw.c fw_cairo-1.4.10/src/cairo-lzw.c
+--- cairo-1.4.10/src/cairo-lzw.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-lzw.c 2008-01-09 18:00:53.000000000 +0100
+@@ -93,7 +93,11 @@
+ if (buf->status)
+ return buf->status;
+
+- new_data = realloc (buf->data, new_size);
++ new_data = NULL;
++ /* check for integer overflow */
++ if (new_size / 2 == buf->data_size)
++ new_data = realloc (buf->data, new_size);
++
+ if (new_data == NULL) {
+ free (buf->data);
+ buf->data_size = 0;
+diff -Naur cairo-1.4.10/src/cairo-malloc-private.h
fw_cairo-1.4.10/src/cairo-malloc-private.h
+--- cairo-1.4.10/src/cairo-malloc-private.h 1970-01-01 01:00:00.000000000
+0100
++++ fw_cairo-1.4.10/src/cairo-malloc-private.h 2008-01-09 18:05:19.000000000
+0100
+@@ -0,0 +1,127 @@
++/* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */
++/* Cairo - a vector graphics library with display and print output
++ *
++ * Copyright é 2007 Mozilla Corporation
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it either under the terms of the GNU Lesser General Public
++ * License version 2.1 as published by the Free Software Foundation
++ * (the "LGPL") or, at your option, under the terms of the Mozilla
++ * Public License Version 1.1 (the "MPL"). If you do not alter this
++ * notice, a recipient may use your version of this file under either
++ * the MPL or the LGPL.
++ *
++ * You should have received a copy of the LGPL along with this library
++ * in the file COPYING-LGPL-2.1; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ * You should have received a copy of the MPL along with this library
++ * in the file COPYING-MPL-1.1
++ *
++ * The contents of this file are subject to the Mozilla Public License
++ * Version 1.1 (the "License"); you may not use this file except in
++ * compliance with the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY
++ * OF ANY KIND, either express or implied. See the LGPL or the MPL for
++ * the specific language governing rights and limitations.
++ *
++ * The Original Code is the cairo graphics library.
++ *
++ * The Initial Developer of the Original Code is Mozilla Corporation
++ *
++ * Contributor(s):
++ * Vladimir Vukicevic <[EMAIL PROTECTED]>
++ */
++
++#ifndef CAIRO_MALLOC_PRIVATE_H
++#define CAIRO_MALLOC_PRIVATE_H
++
++#include "cairo-wideint-private.h"
++
++/**
++ * _cairo_malloc_ab:
++ * @n: number of elements to allocate
++ * @size: size of each element
++ *
++ * Allocates @[EMAIL PROTECTED] memory using malloc(), taking care to not
++ * overflow when doing the multiplication. Behaves much like
++ * calloc(), except that the returned memory is not set to zero.
++ * The memory should be freed using free().
++ *
++ * @size should be a constant so that the compiler can optimize
++ * out a constant division.
++ *
++ * Return value: A pointer to the newly allocated memory, or %NULL in
++ * case of malloc() failure or overflow.
++ */
++
++#define _cairo_malloc_ab(a, size) \
++ ((unsigned) (a) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ malloc((unsigned) (a) * (unsigned) (size)))
++
++/**
++ * _cairo_malloc_abc:
++ * @a: first factor of number of elements to allocate
++ * @b: second factor of number of elements to allocate
++ * @size: size of each element
++ *
++ * Allocates @[EMAIL PROTECTED]@size memory using malloc(), taking care to not
++ * overflow when doing the multiplication. Behaves like
++ * _cairo_malloc_ab(). The memory should be freed using free().
++ *
++ * @size should be a constant so that the compiler can optimize
++ * out a constant division.
++ *
++ * Return value: A pointer to the newly allocated memory, or %NULL in
++ * case of malloc() failure or overflow.
++ */
++
++#define _cairo_malloc_abc(a, b, size) \
++ ((unsigned) (a) >= INT32_MAX / (unsigned) (b) ? NULL : \
++ (unsigned) ((a)*(b)) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ malloc((unsigned) (a) * (unsigned) (b) * (unsigned) size))
++
++/**
++ * _cairo_malloc_ab_plus_c:
++ * @n: number of elements to allocate
++ * @size: size of each element
++ * @k: additional size to allocate
++ *
++ * Allocates @[EMAIL PROTECTED]@k memory using malloc(), taking care to not
++ * overflow when doing the arithmetic. Behaves like
++ * _cairo_malloc_ab(). The memory should be freed using free().
++ *
++ * Return value: A pointer to the newly allocated memory, or %NULL in
++ * case of malloc() failure or overflow.
++ */
++
++#define _cairo_malloc_ab_plus_c(n, size, k) \
++ ((unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ (unsigned) (k) >= INT32_MAX - (unsigned) (n) * (unsigned) (size) ? NULL : \
++ malloc((unsigned) (n) * (unsigned) (size) + (unsigned) (k)))
++
++/**
++ * _cairo_realloc_ab:
++ * @ptr: original pointer to block of memory to be resized
++ * @n: number of elements to allocate
++ * @size: size of each element
++ *
++ * Reallocates @ptr a block of @[EMAIL PROTECTED] memory using realloc(),
taking
++ * care to not overflow when doing the multiplication. The memory
++ * should be freed using free().
++ *
++ * @size should be a constant so that the compiler can optimize
++ * out a constant division.
++ *
++ * Return value: A pointer to the newly allocated memory, or %NULL in
++ * case of realloc() failure or overflow (whereupon the original block
++ * of memory * is left untouched).
++ */
++
++#define _cairo_realloc_ab(ptr, a, size) \
++ ((size) && (unsigned) (a) >= INT32_MAX / (unsigned) (size) ? NULL : \
++ realloc(ptr, (unsigned) (a) * (unsigned) (size)))
++
++
++#endif /* CAIRO_MALLOC_PRIVATE_H */
+diff -Naur cairo-1.4.10/src/cairo-meta-surface.c
fw_cairo-1.4.10/src/cairo-meta-surface.c
+--- cairo-1.4.10/src/cairo-meta-surface.c 2007-05-16 15:52:56.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-meta-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -439,7 +439,7 @@
+ if (status)
+ goto CLEANUP_COMMAND;
+
+- command->glyphs = malloc (sizeof (cairo_glyph_t) * num_glyphs);
++ command->glyphs = _cairo_malloc_ab (num_glyphs, sizeof (cairo_glyph_t));
+ if (command->glyphs == NULL) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto CLEANUP_SOURCE;
+@@ -735,7 +735,7 @@
+ int i, num_glyphs = command->show_glyphs.num_glyphs;
+
+ if (has_device_transform) {
+- dev_glyphs = malloc (sizeof (cairo_glyph_t) * num_glyphs);
++ dev_glyphs = _cairo_malloc_ab (num_glyphs, sizeof
(cairo_glyph_t));
+ if (dev_glyphs == NULL) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ break;
+diff -Naur cairo-1.4.10/src/cairo-os2-surface.c
fw_cairo-1.4.10/src/cairo-os2-surface.c
+--- cairo-1.4.10/src/cairo-os2-surface.c 2007-04-27 19:02:34.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-os2-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -296,8 +296,9 @@
+ ULONG ulPixels;
+
+ /* allocate temporary pixel buffer */
+- pchPixBuf = (unsigned char *) malloc (3 * surface->bitmap_info.cx *
+- surface->bitmap_info.cy);
++ pchPixBuf = (unsigned char *) _cairo_malloc_abc
(surface->bitmap_info.cy,
++ surface->bitmap_info.cx,
++ 3);
+ pchPixSource = surface->pixels; /* start at beginning of pixel buffer
*/
+ pBufStart = pchPixBuf; /* remember beginning of the new pixel buffer
*/
+
+@@ -713,7 +714,7 @@
+ local_os2_surface->bitmap_info.cBitCount = 32;
+
+ /* Allocate memory for pixels */
+- local_os2_surface->pixels = (unsigned char *) malloc (width * height * 4);
++ local_os2_surface->pixels = (unsigned char *) _cairo_malloc_abc (height,
width, 4);
+ if (!(local_os2_surface->pixels)) {
+ /* Not enough memory for the pixels! */
+ DosCloseEventSem (local_os2_surface->hev_pixel_array_came_back);
+@@ -783,7 +784,7 @@
+ }
+
+ /* Allocate memory for new stuffs */
+- pchNewPixels = (unsigned char *) malloc (new_width * new_height * 4);
++ pchNewPixels = (unsigned char *) _cairo_malloc_abc (new_height,
new_width, 4);
+ if (!pchNewPixels) {
+ /* Not enough memory for the pixels!
+ * Everything remains the same!
+diff -Naur cairo-1.4.10/src/cairo-path.c fw_cairo-1.4.10/src/cairo-path.c
+--- cairo-1.4.10/src/cairo-path.c 2007-05-18 22:15:40.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-path.c 2008-01-09 18:00:36.000000000 +0100
+@@ -381,7 +381,7 @@
+ return (cairo_path_t*) &_cairo_path_nil;
+ }
+
+- path->data = malloc (path->num_data * sizeof (cairo_path_data_t));
++ path->data = _cairo_malloc_ab (path->num_data, sizeof
(cairo_path_data_t));
+ if (path->data == NULL) {
+ free (path);
+ return (cairo_path_t*) &_cairo_path_nil;
+diff -Naur cairo-1.4.10/src/cairo-path-stroke.c
fw_cairo-1.4.10/src/cairo-path-stroke.c
+--- cairo-1.4.10/src/cairo-path-stroke.c 2007-04-27 19:02:34.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-path-stroke.c 2008-01-09 18:00:53.000000000
+0100
+@@ -1076,7 +1076,8 @@
+ /* Common case is one rectangle of exactly 4 segments. */
+ if (new_size == 0)
+ new_size = 4;
+- new_segments = realloc (stroker->segments, new_size * sizeof
(cairo_line_t));
++ new_segments = _cairo_realloc_ab (stroker->segments,
++ new_size, sizeof (cairo_line_t));
+ if (new_segments == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ stroker->segments_size = new_size;
+diff -Naur cairo-1.4.10/src/cairo-pattern.c fw_cairo-1.4.10/src/cairo-pattern.c
+--- cairo-1.4.10/src/cairo-pattern.c 2007-06-07 19:44:01.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-pattern.c 2008-01-09 18:07:32.000000000
+0100
+@@ -133,8 +133,8 @@
+ pattern->stops = pattern->stops_embedded;
+ else if (other->stops)
+ {
+- pattern->stops = malloc (other->stops_size *
+- sizeof (pixman_gradient_stop_t));
++ pattern->stops = _cairo_malloc_ab (other->stops_size,
++ sizeof (pixman_gradient_stop_t));
+ if (pattern->stops == NULL) {
+ pattern->stops_size = 0;
+ pattern->n_stops = 0;
+@@ -757,11 +757,13 @@
+ assert (pattern->n_stops <= pattern->stops_size);
+
+ if (pattern->stops == pattern->stops_embedded) {
+- new_stops = malloc (new_size * sizeof (pixman_gradient_stop_t));
++ new_stops = _cairo_malloc_ab (new_size, sizeof
(pixman_gradient_stop_t));
+ if (new_stops)
+ memcpy (new_stops, pattern->stops, old_size * sizeof
(pixman_gradient_stop_t));
+ } else {
+- new_stops = realloc (pattern->stops, new_size * sizeof
(pixman_gradient_stop_t));
++ new_stops = _cairo_realloc_ab (pattern->stops,
++ new_size,
++ sizeof (pixman_gradient_stop_t));
+ }
+
+ if (new_stops == NULL) {
+diff -Naur cairo-1.4.10/src/cairo-pdf-surface.c
fw_cairo-1.4.10/src/cairo-pdf-surface.c
+--- cairo-1.4.10/src/cairo-pdf-surface.c 2007-05-18 22:15:40.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-pdf-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -1262,7 +1262,7 @@
+ color_function->id = 0;
+ alpha_function->id = 0;
+
+- allstops = malloc ((pattern->n_stops + 2) * sizeof
(cairo_pdf_color_stop_t));
++ allstops = _cairo_malloc_ab ((pattern->n_stops + 2), sizeof
(cairo_pdf_color_stop_t));
+ if (allstops == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -2726,13 +2726,13 @@
+ cairo_box_t font_bbox = {{0,0},{0,0}};
+ cairo_box_t bbox = {{0,0},{0,0}};
+
+- glyphs = malloc (font_subset->num_glyphs * sizeof (cairo_pdf_resource_t));
++ glyphs = _cairo_malloc_ab (font_subset->num_glyphs, sizeof
(cairo_pdf_resource_t));
+ if (glyphs == NULL) {
+ _cairo_surface_set_error (&surface->base, CAIRO_STATUS_NO_MEMORY);
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+
+- widths = malloc (font_subset->num_glyphs * sizeof (double));
++ widths = _cairo_malloc_ab (font_subset->num_glyphs, sizeof (double));
+ if (widths == NULL) {
+ free (glyphs);
+ _cairo_surface_set_error (&surface->base, CAIRO_STATUS_NO_MEMORY);
+diff -Naur cairo-1.4.10/src/cairo-pen.c fw_cairo-1.4.10/src/cairo-pen.c
+--- cairo-1.4.10/src/cairo-pen.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-pen.c 2008-01-09 18:08:52.000000000 +0100
+@@ -78,7 +78,7 @@
+ radius,
+ ctm);
+
+- pen->vertices = malloc (pen->num_vertices * sizeof (cairo_pen_vertex_t));
++ pen->vertices = _cairo_malloc_ab (pen->num_vertices, sizeof
(cairo_pen_vertex_t));
+ if (pen->vertices == NULL) {
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+@@ -119,7 +119,7 @@
+ *pen = *other;
+
+ if (pen->num_vertices) {
+- pen->vertices = malloc (pen->num_vertices * sizeof
(cairo_pen_vertex_t));
++ pen->vertices = _cairo_malloc_ab (pen->num_vertices, sizeof
(cairo_pen_vertex_t));
+ if (pen->vertices == NULL) {
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+@@ -138,7 +138,8 @@
+ int i;
+
+ num_vertices = pen->num_vertices + num_points;
+- vertices = realloc (pen->vertices, num_vertices * sizeof
(cairo_pen_vertex_t));
++ vertices = _cairo_realloc_ab (pen->vertices,
++ num_vertices, sizeof (cairo_pen_vertex_t));
+ if (vertices == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-png.c fw_cairo-1.4.10/src/cairo-png.c
+--- cairo-1.4.10/src/cairo-png.c 2007-06-07 19:45:39.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-png.c 2008-01-09 18:00:36.000000000 +0100
+@@ -128,7 +128,7 @@
+ else if (status != CAIRO_STATUS_SUCCESS)
+ return CAIRO_STATUS_SURFACE_TYPE_MISMATCH;
+
+- rows = malloc (image->height * sizeof(png_byte*));
++ rows = _cairo_malloc_ab (image->height, sizeof(png_byte*));
+ if (rows == NULL) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto BAIL1;
+@@ -429,11 +429,11 @@
+ png_read_update_info (png, info);
+
+ pixel_size = 4;
+- data = malloc (png_width * png_height * pixel_size);
++ data = _cairo_malloc_abc (png_height, png_width, pixel_size);
+ if (data == NULL)
+ goto BAIL;
+
+- row_pointers = malloc (png_height * sizeof(char *));
++ row_pointers = _cairo_malloc_ab (png_height, sizeof(char *));
+ if (row_pointers == NULL)
+ goto BAIL;
+
+diff -Naur cairo-1.4.10/src/cairo-polygon.c fw_cairo-1.4.10/src/cairo-polygon.c
+--- cairo-1.4.10/src/cairo-polygon.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-polygon.c 2008-01-09 18:00:53.000000000
+0100
+@@ -93,11 +93,12 @@
+ assert (polygon->num_edges <= polygon->edges_size);
+
+ if (polygon->edges == polygon->edges_embedded) {
+- new_edges = malloc (new_size * sizeof (cairo_edge_t));
++ new_edges = _cairo_malloc_ab (new_size, sizeof (cairo_edge_t));
+ if (new_edges)
+ memcpy (new_edges, polygon->edges, old_size * sizeof
(cairo_edge_t));
+ } else {
+- new_edges = realloc (polygon->edges, new_size * sizeof (cairo_edge_t));
++ new_edges = _cairo_realloc_ab (polygon->edges,
++ new_size, sizeof (cairo_edge_t));
+ }
+
+ if (new_edges == NULL) {
+diff -Naur cairo-1.4.10/src/cairo-ps-surface.c
fw_cairo-1.4.10/src/cairo-ps-surface.c
+--- cairo-1.4.10/src/cairo-ps-surface.c 2007-06-07 19:44:01.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-ps-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -2037,7 +2037,7 @@
+ * can modify some of the values.
+ */
+ if (num_dashes % 2) {
+- dash = malloc (2 * num_dashes * sizeof (double));
++ dash = _cairo_malloc_abc (num_dashes, 2, sizeof (double));
+ if (dash == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -2215,7 +2215,7 @@
+ num_glyphs_unsigned = num_glyphs;
+
+ _cairo_ps_surface_emit_pattern (surface, source);
+- glyph_ids = malloc (num_glyphs_unsigned*sizeof (cairo_ps_glyph_id_t));
++ glyph_ids = _cairo_malloc_ab (num_glyphs_unsigned, sizeof
(cairo_ps_glyph_id_t));
+ if (glyph_ids == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-quartz-surface.c
fw_cairo-1.4.10/src/cairo-quartz-surface.c
+--- cairo-1.4.10/src/cairo-quartz-surface.c 2007-06-27 20:00:55.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-quartz-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -1255,7 +1255,7 @@
+ float *fdash = sdash;
+ unsigned int k;
+ if (style->num_dashes > STATIC_DASH)
+- fdash = malloc (sizeof(float)*style->num_dashes);
++ fdash = _cairo_malloc_ab (style->num_dashes, sizeof (float));
+
+ for (k = 0; k < style->num_dashes; k++)
+ fdash[k] = (float) style->dash[k];
+@@ -1394,8 +1394,8 @@
+ CGContextSetFontSize (surface->cgContext, 1.0);
+
+ if (num_glyphs > STATIC_BUF_SIZE) {
+- cg_glyphs = (CGGlyph*) malloc(sizeof(CGGlyph) * num_glyphs);
+- cg_advances = (CGSize*) malloc(sizeof(CGSize) * num_glyphs);
++ cg_glyphs = (CGGlyph*) _cairo_malloc_ab (num_glyphs, sizeof(CGGlyph));
++ cg_advances = (CGSize*) _cairo_malloc_ab (num_glyphs, sizeof(CGSize));
+ }
+
+ xprev = glyphs[0].x;
+@@ -1711,7 +1711,7 @@
+ return (cairo_surface_t*) &_cairo_surface_nil;
+ }
+
+- imageData = malloc (height * stride);
++ imageData = _cairo_malloc_ab (height, stride);
+ if (!imageData) {
+ CGColorSpaceRelease (cgColorspace);
+ _cairo_error (CAIRO_STATUS_NO_MEMORY);
+diff -Naur cairo-1.4.10/src/cairo-scaled-font.c
fw_cairo-1.4.10/src/cairo-scaled-font.c
+--- cairo-1.4.10/src/cairo-scaled-font.c 2007-06-15 21:06:05.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-scaled-font.c 2008-01-09 18:00:36.000000000
+0100
+@@ -927,7 +927,7 @@
+ if (status)
+ goto DONE;
+
+- *glyphs = (cairo_glyph_t *) malloc ((*num_glyphs) * (sizeof
(cairo_glyph_t)));
++ *glyphs = (cairo_glyph_t *) _cairo_malloc_ab ((*num_glyphs), sizeof
(cairo_glyph_t));
+
+ if (*glyphs == NULL) {
+ status = CAIRO_STATUS_NO_MEMORY;
+diff -Naur cairo-1.4.10/src/cairo-scaled-font-subsets.c
fw_cairo-1.4.10/src/cairo-scaled-font-subsets.c
+--- cairo-1.4.10/src/cairo-scaled-font-subsets.c 2007-06-07
19:44:01.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-scaled-font-subsets.c 2008-01-09
18:00:36.000000000 +0100
+@@ -390,7 +390,7 @@
+ subset.num_glyphs = collection->num_glyphs;
+ /* No need to check for out of memory here. If to_unicode is NULL,
the PDF
+ * surface does not emit an ToUnicode stream */
+- subset.to_unicode = malloc (collection->num_glyphs*sizeof(unsigned
long));
++ subset.to_unicode = _cairo_malloc_ab (collection->num_glyphs, sizeof
(unsigned long));
+ if (subset.to_unicode) {
+ for (j = 0; j < collection->num_glyphs; j++) {
+ /* default unicode character required when mapping fails */
+@@ -622,7 +622,7 @@
+ if (! collection.glyphs_size)
+ return CAIRO_STATUS_SUCCESS;
+
+- collection.glyphs = malloc (collection.glyphs_size * sizeof(unsigned
long));
++ collection.glyphs = _cairo_malloc_ab (collection.glyphs_size,
sizeof(unsigned long));
+ if (collection.glyphs == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-spline.c fw_cairo-1.4.10/src/cairo-spline.c
+--- cairo-1.4.10/src/cairo-spline.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-spline.c 2008-01-09 18:00:53.000000000 +0100
+@@ -109,11 +109,12 @@
+ assert (spline->num_points <= spline->points_size);
+
+ if (spline->points == spline->points_embedded) {
+- new_points = malloc (new_size * sizeof (cairo_point_t));
++ new_points = _cairo_malloc_ab (new_size, sizeof (cairo_point_t));
+ if (new_points)
+ memcpy (new_points, spline->points, old_size * sizeof
(cairo_point_t));
+ } else {
+- new_points = realloc (spline->points, new_size * sizeof
(cairo_point_t));
++ new_points = _cairo_realloc_ab (spline->points,
++ new_size, sizeof (cairo_point_t));
+ }
+
+ if (new_points == NULL) {
+diff -Naur cairo-1.4.10/src/cairo-stroke-style.c
fw_cairo-1.4.10/src/cairo-stroke-style.c
+--- cairo-1.4.10/src/cairo-stroke-style.c 2007-04-27 19:02:34.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-stroke-style.c 2008-01-09 18:00:36.000000000
+0100
+@@ -62,7 +62,7 @@
+ if (other->dash == NULL) {
+ style->dash = NULL;
+ } else {
+- style->dash = malloc (style->num_dashes * sizeof (double));
++ style->dash = _cairo_malloc_ab (style->num_dashes, sizeof (double));
+ if (style->dash == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-surface.c fw_cairo-1.4.10/src/cairo-surface.c
+--- cairo-1.4.10/src/cairo-surface.c 2007-05-18 22:15:40.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -1245,7 +1245,7 @@
+
+ rects = stack_rects;
+ if (num_rects > ARRAY_LENGTH (stack_rects)) {
+- rects = malloc (sizeof (cairo_rectangle_int16_t) * num_rects);
++ rects = _cairo_malloc_ab (num_rects, sizeof (cairo_rectangle_int16_t));
+ if (!rects)
+ return CAIRO_STATUS_NO_MEMORY;
+ }
+diff -Naur cairo-1.4.10/src/cairo-surface-fallback.c
fw_cairo-1.4.10/src/cairo-surface-fallback.c
+--- cairo-1.4.10/src/cairo-surface-fallback.c 2007-05-16 15:52:56.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-surface-fallback.c 2008-01-09
18:00:36.000000000 +0100
+@@ -1166,7 +1166,7 @@
+ /* If the fetched image isn't at 0,0, we need to offset the rectangles */
+
+ if (state.image_rect.x != 0 || state.image_rect.y != 0) {
+- offset_rects = malloc (sizeof (cairo_rectangle_int16_t) * num_rects);
++ offset_rects = _cairo_malloc_ab (num_rects, sizeof
(cairo_rectangle_int16_t));
+ if (offset_rects == NULL) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto DONE;
+@@ -1222,7 +1222,7 @@
+ /* If the destination image isn't at 0,0, we need to offset the
trapezoids */
+
+ if (state.image_rect.x != 0 || state.image_rect.y != 0) {
+- offset_traps = malloc (sizeof (cairo_trapezoid_t) * num_traps);
++ offset_traps = _cairo_malloc_ab (num_traps, sizeof (cairo_trapezoid_t));
+ if (!offset_traps) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto DONE;
+diff -Naur cairo-1.4.10/src/cairo-svg-surface.c
fw_cairo-1.4.10/src/cairo-svg-surface.c
+--- cairo-1.4.10/src/cairo-svg-surface.c 2007-05-09 15:37:39.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-svg-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -1220,7 +1220,7 @@
+
+ if (emulate_reflect || reverse_stops) {
+ n_stops = emulate_reflect ? pattern->n_stops * 2 - 2: pattern->n_stops;
+- stops = malloc (sizeof (pixman_gradient_stop_t) * n_stops);
++ stops = _cairo_malloc_ab (n_stops, sizeof (pixman_gradient_stop_t));
+
+ for (i = 0; i < pattern->n_stops; i++) {
+ if (reverse_stops) {
+diff -Naur cairo-1.4.10/src/cairo-traps.c fw_cairo-1.4.10/src/cairo-traps.c
+--- cairo-1.4.10/src/cairo-traps.c 2007-06-27 20:00:55.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-traps.c 2008-01-09 18:00:53.000000000 +0100
+@@ -260,11 +260,12 @@
+ return traps->status;
+
+ if (traps->traps == traps->traps_embedded) {
+- new_traps = malloc (new_size * sizeof (cairo_trapezoid_t));
++ new_traps = _cairo_malloc_ab (new_size, sizeof (cairo_trapezoid_t));
+ if (new_traps)
+ memcpy (new_traps, traps->traps, sizeof (traps->traps_embedded));
+ } else {
+- new_traps = realloc (traps->traps, new_size * sizeof
(cairo_trapezoid_t));
++ new_traps = _cairo_realloc_ab (traps->traps,
++ new_size, sizeof (cairo_trapezoid_t));
+ }
+
+ if (new_traps == NULL) {
+diff -Naur cairo-1.4.10/src/cairo-unicode.c fw_cairo-1.4.10/src/cairo-unicode.c
+--- cairo-1.4.10/src/cairo-unicode.c 2007-04-27 19:02:34.000000000 +0200
++++ fw_cairo-1.4.10/src/cairo-unicode.c 2008-01-09 18:00:36.000000000
+0100
+@@ -240,7 +240,7 @@
+ in = UTF8_NEXT_CHAR (in);
+ }
+
+- str32 = malloc (sizeof (uint32_t) * (n_chars + 1));
++ str32 = _cairo_malloc_ab (n_chars + 1, sizeof (uint32_t));
+ if (!str32)
+ return CAIRO_STATUS_NO_MEMORY;
+
+@@ -307,7 +307,7 @@
+ in = UTF8_NEXT_CHAR (in);
+ }
+
+- str16 = malloc (sizeof (uint16_t) * (n16 + 1));
++ str16 = _cairo_malloc_ab (n16 + 1, sizeof (uint16_t));
+ if (!str16)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-win32-font.c
fw_cairo-1.4.10/src/cairo-win32-font.c
+--- cairo-1.4.10/src/cairo-win32-font.c 2007-04-27 19:02:34.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-win32-font.c 2008-01-09 18:00:36.000000000
+0100
+@@ -613,8 +613,8 @@
+ dx = NULL;
+ }
+
+- glyph_indices = malloc (sizeof (WCHAR) * buffer_size);
+- dx = malloc (sizeof (int) * buffer_size);
++ glyph_indices = _cairo_malloc_ab (buffer_size, sizeof (WCHAR));
++ dx = _cairo_malloc_ab (buffer_size, sizeof (int));
+ if (!glyph_indices || !dx) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto FAIL2;
+@@ -645,7 +645,7 @@
+ }
+
+ *num_glyphs = gcp_results.nGlyphs;
+- *glyphs = malloc (sizeof (cairo_glyph_t) * gcp_results.nGlyphs);
++ *glyphs = _cairo_malloc_ab (gcp_results.nGlyphs, sizeof (cairo_glyph_t));
+ if (!*glyphs) {
+ status = CAIRO_STATUS_NO_MEMORY;
+ goto FAIL2;
+diff -Naur cairo-1.4.10/src/cairo-win32-surface.c
fw_cairo-1.4.10/src/cairo-win32-surface.c
+--- cairo-1.4.10/src/cairo-win32-surface.c 2007-05-09 15:37:39.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-win32-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -186,7 +186,7 @@
+ }
+
+ if (num_palette > 2) {
+- bitmap_info = malloc (sizeof (BITMAPINFOHEADER) + num_palette * sizeof
(RGBQUAD));
++ bitmap_info = _cairo_malloc_ab_plus_c (num_palette, sizeof(RGBQUAD),
sizeof(BITMAPINFOHEADER));
+ if (!bitmap_info)
+ return CAIRO_STATUS_NO_MEMORY;
+ } else {
+@@ -1546,8 +1546,8 @@
+ SetBkMode(dst->dc, TRANSPARENT);
+
+ if (num_glyphs > STACK_GLYPH_SIZE) {
+- glyph_buf = (WORD *)malloc(num_glyphs * sizeof(WORD));
+- dxy_buf = (int *)malloc(num_glyphs * 2 * sizeof(int));
++ glyph_buf = (WORD *) _cairo_malloc_ab (num_glyphs, sizeof(WORD));
++ dxy_buf = (int *) _cairo_malloc_abc (num_glyphs, sizeof(int), 2);
+ }
+
+ /* It is vital that dx values for dxy_buf are calculated from the delta of
+diff -Naur cairo-1.4.10/src/cairo-xcb-surface.c
fw_cairo-1.4.10/src/cairo-xcb-surface.c
+--- cairo-1.4.10/src/cairo-xcb-surface.c 2007-05-09 15:37:39.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-xcb-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -403,7 +403,7 @@
+ bpp = _bits_per_pixel(surface->dpy, imagerep->depth);
+ bytes_per_line = _bytes_per_line(surface->dpy, surface->width, bpp);
+
+- data = malloc (bytes_per_line * surface->height);
++ data = _cairo_malloc_ab (surface->height, bytes_per_line);
+ if (data == NULL) {
+ free (imagerep);
+ return CAIRO_STATUS_NO_MEMORY;
+@@ -1328,7 +1328,7 @@
+ mask_picture = _create_a8_picture (dst, &transparent, width, height,
FALSE);
+ solid_picture = _create_a8_picture (dst, &solid, width, height, TRUE);
+
+- offset_traps = malloc (sizeof (xcb_render_trapezoid_t) * num_traps);
++ offset_traps = _cairo_malloc_ab (num_traps, sizeof
(xcb_render_trapezoid_t));
+ if (!offset_traps)
+ return XCB_NONE;
+
+@@ -1515,7 +1515,7 @@
+
+ n_boxes = pixman_region_num_rects (region);
+ if (n_boxes > 0) {
+- rects = malloc (sizeof(xcb_rectangle_t) * n_boxes);
++ rects = _cairo_malloc_ab (n_boxes, sizeof(xcb_rectangle_t));
+ if (rects == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ } else {
+@@ -2360,7 +2360,7 @@
+ /* We make a copy of the glyphs so that we can elide any size-zero
+ * glyphs to workaround an X server bug, (present in at least Xorg
+ * 7.1 without EXA). */
+- output_glyphs = malloc (num_glyphs * sizeof (cairo_glyph_t));
++ output_glyphs = _cairo_malloc_ab (num_glyphs, sizeof (cairo_glyph_t));
+ if (output_glyphs == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+
+diff -Naur cairo-1.4.10/src/cairo-xlib-surface.c
fw_cairo-1.4.10/src/cairo-xlib-surface.c
+--- cairo-1.4.10/src/cairo-xlib-surface.c 2007-06-27 20:05:33.000000000
+0200
++++ fw_cairo-1.4.10/src/cairo-xlib-surface.c 2008-01-09 18:00:36.000000000
+0100
+@@ -1579,7 +1579,7 @@
+ mask_picture = _create_a8_picture (dst, &transparent, width, height,
FALSE);
+ solid_picture = _create_a8_picture (dst, &solid, width, height, TRUE);
+
+- offset_traps = malloc (sizeof (XTrapezoid) * num_traps);
++ offset_traps = _cairo_malloc_ab (num_traps, sizeof (XTrapezoid));
+ if (!offset_traps)
+ return None;
+
+@@ -1760,7 +1760,7 @@
+
+ n_boxes = pixman_region_num_rects (region);
+ if (n_boxes > ARRAY_LENGTH (surface->embedded_clip_rects)) {
+- rects = malloc (sizeof(XRectangle) * n_boxes);
++ rects = _cairo_malloc_ab (n_boxes, sizeof(XRectangle));
+ if (rects == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ }else {
+@@ -2815,7 +2815,7 @@
+ if (num_elts <= STACK_ELTS_LEN) {
+ elts = stack_elts;
+ } else {
+- elts = malloc (num_elts * sizeof (XGlyphElt8));
++ elts = _cairo_malloc_ab (num_elts, sizeof (XGlyphElt8));
+ if (elts == NULL)
+ return CAIRO_STATUS_NO_MEMORY;
+ }
diff --git a/source/xlib/cairo/FrugalBuild b/source/xlib/cairo/FrugalBuild
index c7fca4d..5f24032 100644
--- a/source/xlib/cairo/FrugalBuild
+++ b/source/xlib/cairo/FrugalBuild
@@ -3,7 +3,7 @@
pkgname=cairo
pkgver=1.4.10
-pkgrel=1
+pkgrel=2sayshell1
pkgdesc="A vector graphics library with cross-device output support"
url="http://cairographics.org";
depends=('glitz' 'libxrender' 'fontconfig' 'libpng')
@@ -11,9 +11,10 @@ makedepends=('gtk-doc' 'poppler-glib' 'librsvg')
groups=('xlib')
archs=('x86_64' 'i686')
up2date="lynx -dump http://cairographics.org/|grep -m1 'release '|sed 's/.*ro
\(.*\) .*re.*/\1/'"
-source=($url/releases/$pkgname-$pkgver.tar.gz)
+source=($url/releases/$pkgname-$pkgver.tar.gz CVE-2007-5503.diff)
options=('scriptlet')
Fconfopts="$Fconfopts --enable-glitz --enable-gtk-doc --enable-pdf --enable-ps"
+sha1sums=('8371097e30650ec817b24694367110139627403e' \
+ '368c88f7551f8026f2ec1d9fddd9e6587357613b')
-sha1sums=('8371097e30650ec817b24694367110139627403e')
# optimization OK
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git
