Trang chủ Khám phá Trợ giúp
Đăng nhập
crispAudio
/
poky
mirror of git://git.yoctoproject.org/poky
5
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Browse Source

cairo: fix CVE-2020-35492

(From OE-Core rev: 58e9ecbda48faff9c1babc90504eb76805eb9266)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changqing Li 4 năm trước cách đây
mục cha
1c8bded8ed
commit
5faaedd8e3
3 tập tin đã thay đổi với 132 bổ sung0 xóa
Split View Hiển thị tình trạng sai khác
  1. 121 0
      meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
  2. BIN
      meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
  3. 11 0
      meta/recipes-graphics/cairo/cairo_1.16.0.bb

+ 121 - 0
meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
Xem Tập Tin 

@@ -0,0 +1,121 @@
 
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
 
+From: Heiko Lewin <heiko.lewin@worldiety.de>
 
+Date: Tue, 15 Dec 2020 16:48:19 +0100
 
+Subject: [PATCH] Fix mask usage in image-compositor
 
+
 
+CVE: CVE-2020-35492
 
+
 
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
 
+
 
+original patch from upstream has a binary file, it will cause
 
+do_patch failed with "git binary diffs are not supported".
 
+
 
+so add do_patch_append in recipe to add this binary source. when removing
 
+this patch, please also remove do_patch_append for this patch
 
+
 
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
 
+---
 
+ src/cairo-image-compositor.c                |   8 ++--
 
+ test/Makefile.sources                       |   1 +
 
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
 
+ 3 files changed, 44 insertions(+), 4 deletions(-)
 
+ create mode 100644 test/bug-image-compositor.c
 
+
 
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
 
+index 79ad69f68..4f8aaed99 100644
 
+--- a/src/cairo-image-compositor.c
 
++++ b/src/cairo-image-compositor.c
 
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 
+ 		    unsigned num_spans)
 
+ {
 
+     cairo_image_span_renderer_t *r = abstract_renderer;
 
+-    uint8_t *m;
 
++    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
 
+     int x0;
 
+ 
+     if (num_spans == 0)
 
+ 	return CAIRO_STATUS_SUCCESS;
 
+ 
+     x0 = spans[0].x;
 
+-    m = r->_buf;
 
++    m = base;
 
+     do {
 
+ 	int len = spans[1].x - spans[0].x;
 
+ 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
 
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 
+ 				      spans[0].x, y,
 
+ 				      spans[1].x - spans[0].x, h);
 
+ 
+-	    m = r->_buf;
 
++	    m = base;
 
+ 	    x0 = spans[1].x;
 
+ 	} else if (spans[0].coverage == 0x0) {
 
+ 	    if (spans[0].x != x0) {
 
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 
+ #endif
 
+ 	    }
 
+ 
+-	    m = r->_buf;
 
++	    m = base;
 
+ 	    x0 = spans[1].x;
 
+ 	} else {
 
+ 	    *m++ = spans[0].coverage;
 
+diff --git a/test/Makefile.sources b/test/Makefile.sources
 
+index 7eb73647f..86494348d 100644
 
+--- a/test/Makefile.sources
 
++++ b/test/Makefile.sources
 
+@@ -34,6 +34,7 @@ test_sources = \
 
+ 	bug-source-cu.c					\
 
+ 	bug-extents.c					\
 
+ 	bug-seams.c					\
 
++	bug-image-compositor.c				\
 
+ 	caps.c						\
 
+ 	checkerboard.c					\
 
+ 	caps-joins.c					\
 
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
 
+new file mode 100644
 
+index 000000000..fc4fd370b
 
+--- /dev/null
 
++++ b/test/bug-image-compositor.c
 
+@@ -0,0 +1,39 @@
 
++#include "cairo-test.h"
 
++
 
++static cairo_test_status_t
 
++draw (cairo_t *cr, int width, int height)
 
++{
 
++    cairo_set_source_rgb (cr, 0., 0., 0.);
 
++    cairo_paint (cr);
 
++
 
++    cairo_set_source_rgb (cr, 1., 1., 1.);
 
++    cairo_set_line_width (cr, 1.);
 
++
 
++    cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
 
++    cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
 
++    cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
 
++    cairo_set_source (cr, p);
 
++
 
++    cairo_move_to (cr, 0.5, -1);
 
++    for (int i = 0; i < width; i+=3) {
 
++	cairo_rel_line_to (cr, 2, 2);
 
++	cairo_rel_line_to (cr, 1, -2);
 
++    }
 
++
 
++    cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
 
++    cairo_stroke (cr);
 
++
 
++    cairo_pattern_destroy(p);
 
++
 
++    return CAIRO_TEST_SUCCESS;
 
++}
 
++
 
++
 
++CAIRO_TEST (bug_image_compositor,
 
++	    "Crash in image-compositor",
 
++	    "stroke, stress", /* keywords */
 
++	    NULL, /* requirements */
 
++	    10000, 1,
 
++	    NULL, draw)
 
++	    
++	    
+-- 
+GitLab

BIN
meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
Xem Tập Tin


+ 11 - 0
meta/recipes-graphics/cairo/cairo_1.16.0.bb
Xem Tập Tin 

@@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
 
            file://CVE-2018-19876.patch \
 
            file://CVE-2019-6461.patch \
 
            file://CVE-2019-6462.patch \
 
+           file://CVE-2020-35492.patch \
 
+           file://bug-image-compositor.ref.png \
 
           "
 
 
 SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
 
@@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no"
 
 # Ensure we don't depend on LZO
 
 export ac_cv_lib_lzo2_lzo2a_decompress="no"
 
 
+#for CVE-2020-35492.patch
 
+do_patch_append() {
 
+    bb.build.exec_func('do_cp_binary_source', d)
 
+}
 
+
 
+do_cp_binary_source () {
 
+	cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
 
+}
 
+
 
 do_install_append () {
 
 	rm -rf ${D}${bindir}/cairo-sphinx
 
 	rm -rf ${D}${libdir}/cairo/cairo-fdr*