package/cairo: fix CVE-2020-35492
Add an upstream patch to fix CVE-2020-35492:
A flaw was found in cairo's image-compositor.c in all versions prior to
1.17.4. This flaw allows an attacker who can provide a crafted input
file to cairo's image-compositor (for example, by convincing a user to
open a file in an application using cairo, or if an application uses
cairo on untrusted input) to cause a stack buffer overflow ->
out-of-bounds WRITE. The highest impact from this vulnerability is to
confidentiality, integrity, as well as system availability.
Important note: this is not the exact upstream patch. Indeed, the
upstream patch[1] contains a png file which appears as a binary diff
inside the patch. The `patch` tool which is used by Buildroot to apply
patches does not handle that kind of diff. Since it is just a test, it
shouldn't impact the quality of the CVE fix and all changes related to
the test are removed from the patch.
[1] 03a820b173
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023.02.x
Quentin Schulz
Peter Korsgaard
parent
b38286d7e5
commit
111ab56d84
|
|
@ -0,0 +1,56 @@
|
|||
From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
|
||||
From: Heiko Lewin <heiko.lewin@worldiety.de>
|
||||
Date: Tue, 15 Dec 2020 16:48:19 +0100
|
||||
Subject: [PATCH] Fix mask usage in image-compositor
|
||||
|
||||
[Retrieved from
|
||||
https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be]
|
||||
[Removed changes in test/ directory to remove binary diff so that the
|
||||
patch can be applied by `patch` tool]
|
||||
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
|
||||
---
|
||||
src/cairo-image-compositor.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
|
||||
index bbf4cf228..2352c478e 100644
|
||||
--- a/src/cairo-image-compositor.c
|
||||
+++ b/src/cairo-image-compositor.c
|
||||
@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
||||
unsigned num_spans)
|
||||
{
|
||||
cairo_image_span_renderer_t *r = abstract_renderer;
|
||||
- uint8_t *m;
|
||||
+ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
|
||||
int x0;
|
||||
|
||||
if (num_spans == 0)
|
||||
return CAIRO_STATUS_SUCCESS;
|
||||
|
||||
x0 = spans[0].x;
|
||||
- m = r->_buf;
|
||||
+ m = base;
|
||||
do {
|
||||
int len = spans[1].x - spans[0].x;
|
||||
if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
|
||||
@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
||||
spans[0].x, y,
|
||||
spans[1].x - spans[0].x, h);
|
||||
|
||||
- m = r->_buf;
|
||||
+ m = base;
|
||||
x0 = spans[1].x;
|
||||
} else if (spans[0].coverage == 0x0) {
|
||||
if (spans[0].x != x0) {
|
||||
@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
||||
#endif
|
||||
}
|
||||
|
||||
- m = r->_buf;
|
||||
+ m = base;
|
||||
x0 = spans[1].x;
|
||||
} else {
|
||||
*m++ = spans[0].coverage;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -16,6 +16,8 @@ CAIRO_INSTALL_STAGING = YES
|
|||
CAIRO_IGNORE_CVES += CVE-2018-19876
|
||||
# 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
|
||||
CAIRO_IGNORE_CVES += CVE-2019-6462
|
||||
# 0004-Fix-mask-usage-in-image-compositor.patch
|
||||
CAIRO_IGNORE_CVES += CVE-2020-35492
|
||||
|
||||
CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue