Thanks, applied as 0f6b26a4fede60cbbd05adc5a96807951ec80632.

Michael

[sent from post-receive hook]

On Wed, 25 May 2022 11:45:18 +0200, Christian Melki 
<christian.me...@t2data.com> wrote:
> * Plug CVEs: CVE-2017-7475, CVE-2018-19876, CVE-2019-6461,
> CVE-2019-6462, CVE-2020-35492.
> 
> Signed-off-by: Christian Melki <christian.me...@t2data.com>
> Message-Id: <20220518082005.1474409-1-christian.me...@t2data.com>
> Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
> 
> diff --git 
> a/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
>  
> b/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
> new file mode 100644
> index 000000000000..cc9add93cc7b
> --- /dev/null
> +++ 
> b/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
> @@ -0,0 +1,32 @@
> +From: Christian Melki <christian.me...@t2data.com>
> +Date: Tue, 17 May 2022 11:03:07 +0200
> +Subject: [PATCH] Cairo: Fix Denial-of-Service Attack due to Logical Problem 
> in
> + Program
> +
> +https://bugs.freedesktop.org/show_bug.cgi?id=100763
> +
> +CVE: CVE-2017-7475
> +Upstream-Status: Submitted
> +
> +Signed-off-by: Fan Xin <fan....@jp.fujitsu.com>
> +
> +The patch was imported from the Yocto project.
> +
> +Signed-off-by: Christian Melki <christian.me...@t2data.com>
> +---
> + src/cairo-ft-font.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
> +index 325dd61b47b1..7de310ac5531 100644
> +--- a/src/cairo-ft-font.c
> ++++ b/src/cairo-ft-font.c
> +@@ -1207,7 +1207,7 @@ _get_bitmap_surface (FT_Bitmap              *bitmap,
> +     width = bitmap->width;
> +     height = bitmap->rows;
> + 
> +-    if (width == 0 || height == 0) {
> ++    if (width == 0 || height == 0 || bitmap->buffer == NULL) {
> +     *surface = (cairo_image_surface_t *)
> +         cairo_image_surface_create_for_data (NULL, format, 0, 0, 0);
> +     return (*surface)->base.status;
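Review bot: The added `bitmap->buffer == NULL` test in `_get_bitmap_surface` carries the whole CVE-2017-7475 fix but has no comment, so a later cleanup could read it as redundant next to the width/height checks. I would add above the `if`: `/* A bitmap can report non-zero dimensions with no pixel buffer; treat it as empty (CVE-2017-7475). */`. How the rest of the function uses `bitmap->buffer` is outside the hunk, so that wording assumes the buffer is read further down. The header marks the patch `Upstream-Status: Submitted`, so it should be re-checked against upstream at the next cairo version bump.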
> diff --git 
> a/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch
>  
> b/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch
> new file mode 100644
> index 000000000000..7eb9f9a9b14b
> --- /dev/null
> +++ 
> b/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch
> @@ -0,0 +1,36 @@
> +From: Christian Melki <christian.me...@t2data.com>
> +Date: Tue, 17 May 2022 11:06:54 +0200
> +Subject: [PATCH] CVE: CVE-2018-19876 Upstream-Status: Backport Signed-off-by:
> + Ross Burton <ross.bur...@intel.com>
> +
> +From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001
> +From: Carlos Garcia Campos <cgar...@igalia.com>
> +Date: Mon, 19 Nov 2018 12:33:07 +0100
> +Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in
> + cairo_ft_apply_variations
> +
> +Fixes a crash when using freetype >= 2.9
> +
> +The patch was imported from the Yocto project.
> +
> +Signed-off-by: Christian Melki <christian.me...@t2data.com>
> +---
> + src/cairo-ft-font.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
> +index 7de310ac5531..51eff850a924 100644
> +--- a/src/cairo-ft-font.c
> ++++ b/src/cairo-ft-font.c
> +@@ -2393,7 +2393,11 @@ skip:
> + done:
> +         free (coords);
> +         free (current_coords);
> ++#if HAVE_FT_DONE_MM_VAR
> ++        FT_Done_MM_Var (face->glyph->library, ft_mm_var);
> ++#else
> +         free (ft_mm_var);
> ++#endif
> +     }
> + }
> + 
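Review bot: The new `#if HAVE_FT_DONE_MM_VAR` branch only takes effect if the build defines that macro, and this patch touches `src/cairo-ft-font.c` alone (4 insertions) with no configure check visible. If cairo 1.16.0's configure does not already probe for `FT_Done_MM_Var`, the `#else` path keeps calling `free (ft_mm_var)` and the crash with freetype >= 2.9 remains, with no build warning. Checking the generated config header of a target build would settle it. The patch subject has also absorbed the `CVE:`, `Upstream-Status:` and `Signed-off-by:` trailers, which is where the file name `0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch` comes from; moving them into the body would keep the tags greppable.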
> diff --git 
> a/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch
>  
> b/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch
> new file mode 100644
> index 000000000000..42fa25a1b51c
> --- /dev/null
> +++ 
> b/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch
> @@ -0,0 +1,29 @@
> +From: Christian Melki <christian.me...@t2data.com>
> +Date: Tue, 17 May 2022 11:09:24 +0200
> +Subject: [PATCH] There is a potential infinite-loop in function
> + _arc_error_normalized().
> +
> +CVE: CVE-2019-6461
> +Upstream-Status: Pending
> +Signed-off-by: Ross Burton <ross.bur...@intel.com>
> +
> +The patch was imported from the Yocto project.
> +
> +Signed-off-by: Christian Melki <christian.me...@t2data.com>
> +---
> + src/cairo-arc.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/cairo-arc.c b/src/cairo-arc.c
> +index 390397bae104..f9249dbeb3c8 100644
> +--- a/src/cairo-arc.c
> ++++ b/src/cairo-arc.c
> +@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
> +     do {
> +     angle = M_PI / i++;
> +     error = _arc_error_normalized (angle);
> +-    } while (error > tolerance);
> ++    } while (error > tolerance && error > __DBL_EPSILON__);
> + 
> +     return angle;
> + }
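Review bot: `__DBL_EPSILON__` in the new loop condition is a compiler-predefined macro (GCC and Clang provide it), not standard C; the portable spelling is `DBL_EPSILON` from `<float.h>`, i.e. `} while (error > tolerance && error > DBL_EPSILON);`. Whether `cairo-arc.c` already includes `<float.h>` is not visible in this hunk. The second test is what bounds the loop when `tolerance` is too small for `error` ever to drop below it, and a one-line comment saying so would stop it being removed as redundant. The CVE tags on this patch and on 0007 may be transposed relative to the public CVE descriptions; worth confirming so tracker and scanner entries line up.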
> diff --git 
> a/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch
>  
> b/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch
> new file mode 100644
> index 000000000000..9a64b69c2d0a
> --- /dev/null
> +++ 
> b/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch
> @@ -0,0 +1,29 @@
> +From: Christian Melki <christian.me...@t2data.com>
> +Date: Tue, 17 May 2022 11:10:14 +0200
> +Subject: [PATCH] There is an assertion in function _cairo_arc_in_direction().
> +
> +CVE: CVE-2019-6462
> +Upstream-Status: Pending
> +Signed-off-by: Ross Burton <ross.bur...@intel.com>
> +
> +The patch was imported from the Yocto project.
> +
> +Signed-off-by: Christian Melki <christian.me...@t2data.com>
> +---
> + src/cairo-arc.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/cairo-arc.c b/src/cairo-arc.c
> +index f9249dbeb3c8..1bde774a418d 100644
> +--- a/src/cairo-arc.c
> ++++ b/src/cairo-arc.c
> +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t   *cr,
> +     if (cairo_status (cr))
> +         return;
> + 
> +-    assert (angle_max >= angle_min);
> ++    if (angle_max < angle_min)
> ++       return;
> + 
> +     if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
> +     angle_max = fmod (angle_max - angle_min, 2 * M_PI);
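Review bot: The replacement guard `if (angle_max < angle_min) return;` is not the exact inverse of the old assertion when an angle is NaN. `angle_max >= angle_min` is false for NaN, so the assert fired, while `angle_max < angle_min` is also false, so a NaN now falls through to the `fmod` arithmetic below. Writing it as `if (! (angle_max >= angle_min)) return;` keeps the coverage the assert had. The early return also sets no status on `cr`, so a caller cannot tell a skipped arc from a drawn one; a comment stating that this is deliberate would help. The rest of `_cairo_arc_in_direction` is outside the hunk.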
> diff --git a/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch 
> b/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch
> new file mode 100644
> index 000000000000..2ed134b8b9a0
> --- /dev/null
> +++ b/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch
> @@ -0,0 +1,59 @@
> +From: Christian Melki <christian.me...@t2data.com>
> +Date: Tue, 17 May 2022 11:10:57 +0200
> +Subject: [PATCH] Fix stack buffer overflow.
> +
> +CVE: CVE-2020-35492
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.bur...@arm.com>
> +
> +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
> +From: Heiko Lewin <heiko.le...@worldiety.de>
> +Date: Tue, 15 Dec 2020 16:48:19 +0100
> +Subject: [PATCH] Fix mask usage in image-compositor
> +
> +The patch was imported from the Yocto project.
> +
> +Signed-off-by: Christian Melki <christian.me...@t2data.com>
> +---
> + src/cairo-image-compositor.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
> +index bbf4cf2281da..2352c478e6f0 100644
> +--- a/src/cairo-image-compositor.c
> ++++ b/src/cairo-image-compositor.c
> +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, 
> int h,
> +                 unsigned num_spans)
> + {
> +     cairo_image_span_renderer_t *r = abstract_renderer;
> +-    uint8_t *m;
> ++    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
> +     int x0;
> + 
> +     if (num_spans == 0)
> +     return CAIRO_STATUS_SUCCESS;
> + 
> +     x0 = spans[0].x;
> +-    m = r->_buf;
> ++    m = base;
> +     do {
> +     int len = spans[1].x - spans[0].x;
> +     if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
> +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, 
> int h,
> +                                   spans[0].x, y,
> +                                   spans[1].x - spans[0].x, h);
> + 
> +-        m = r->_buf;
> ++        m = base;
> +         x0 = spans[1].x;
> +     } else if (spans[0].coverage == 0x0) {
> +         if (spans[0].x != x0) {
> +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, 
> int h,
> + #endif
> +         }
> + 
> +-        m = r->_buf;
> ++        m = base;
> +         x0 = spans[1].x;
> +     } else {
> +         *m++ = spans[0].coverage;
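Review bot: `base` is taken from `pixman_image_get_data(r->mask)` and written through (`*m++ = spans[0].coverage`) with no NULL check and no visible bound, so the fix relies on `r->mask` being a valid image wide enough for the span row. Where the mask is created is outside these hunks, and `_inplace_src_spans` itself starts and ends outside them, so this needs confirming at the renderer setup. A comment at the declaration would record why `m` no longer starts at `r->_buf`, for example `/* coverage is accumulated in the mask image's pixels, not the fixed-size r->_buf (CVE-2020-35492) */`, assuming that matches the upstream analysis behind the "stack buffer overflow" title.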
> diff --git a/patches/cairo-1.16.0/series b/patches/cairo-1.16.0/series
> index dc125547febc..0904871d96f6 100644
> --- a/patches/cairo-1.16.0/series
> +++ b/patches/cairo-1.16.0/series
> @@ -3,4 +3,9 @@
>  0001-only-build-GL-surface-tests-if-GLX-is-enabled.patch
>  0002-Makefile.sources-move-font-variations.c-a-test-code-.patch
>  0003-regrouping-of-test-sources-with-new-fc_font_test_sou.patch
> -# dfb78163a7d65338b42965982e516176  - git-ptx-patches magic
> +0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
> +0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch
> +0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch
> +0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch
> +0008-Fix-stack-buffer-overflow.patch
> +# 1e1d9f93062b124d13fb5d535d4df3e1  - git-ptx-patches magic
> diff --git a/rules/host-cairo.make b/rules/host-cairo.make
> index e49ab9a6f4c4..aa5c24cec8a0 100644
> --- a/rules/host-cairo.make
> +++ b/rules/host-cairo.make
> @@ -25,9 +25,6 @@ HOST_CAIRO_CONF_OPT := \
>       $(HOST_AUTOCONF) \
>       --enable-shared \
>       --disable-static \
> -     --disable-gtk-doc \
> -     --disable-gtk-doc-html \
> -     --disable-gtk-doc-pdf \
>       --enable-atomic \
>       --disable-gcov \
>       --disable-valgrind \
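Review bot: Dropping `--disable-gtk-doc`, `--disable-gtk-doc-html` and `--disable-gtk-doc-pdf` from `HOST_CAIRO_CONF_OPT` is not mentioned in the commit message, which lists only the CVE patches. If the 1.16.0 configure script still honours these switches, the host build could start depending on whether gtk-doc is installed on the build machine; if it no longer knows them, one line in the message saying so would make the change reviewable. Splitting it into its own commit would also keep the security backport easy to cherry-pick.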
