diff --git a/cairo-1.15.12-CVE-2020-35492.patch b/cairo-1.15.12-CVE-2020-35492.patch
new file mode 100644
index 0000000..142eb59
--- /dev/null
+++ b/cairo-1.15.12-CVE-2020-35492.patch
@@ -0,0 +1,199 @@ +From 40e9d1a0a69f01b55b4fa131bc253c7c09a0ae91 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH 1/2] Fix mask usage in image-compositor + +--- + src/cairo-image-compositor.c | 8 ++-- + test/Makefile.sources | 1 + + test/bug-image-compositor.c | 39 ++++++++++++++++++++ + test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes + 4 files changed, 44 insertions(+), 4 deletions(-) + create mode 100644 test/bug-image-compositor.c + create mode 100644 test/reference/bug-image-compositor.ref.png + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 122a8ca42..b20e2ec78 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; +diff --git a/test/Makefile.sources b/test/Makefile.sources +index c47131faf..86fd53d15 100644 +--- a/test/Makefile.sources ++++ b/test/Makefile.sources +@@ -33,6 +33,7 @@ test_sources = \ + bug-source-cu.c \ + bug-extents.c \ + bug-seams.c \ ++ bug-image-compositor.c \ + caps.c \ + checkerboard.c \ + caps-joins.c \ +diff --git 
a/test/bug-image-compositor.c b/test/bug-image-compositor.c +new file mode 100644 +index 000000000..fc4fd370b +--- /dev/null ++++ b/test/bug-image-compositor.c +@@ -0,0 +1,39 @@ ++#include "cairo-test.h" ++ ++static cairo_test_status_t ++draw (cairo_t *cr, int width, int height) ++{ ++ cairo_set_source_rgb (cr, 0., 0., 0.); ++ cairo_paint (cr); ++ ++ cairo_set_source_rgb (cr, 1., 1., 1.); ++ cairo_set_line_width (cr, 1.); ++ ++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height); ++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1); ++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1); ++ cairo_set_source (cr, p); ++ ++ cairo_move_to (cr, 0.5, -1); ++ for (int i = 0; i < width; i+=3) { ++ cairo_rel_line_to (cr, 2, 2); ++ cairo_rel_line_to (cr, 1, -2); ++ } ++ ++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE); ++ cairo_stroke (cr); ++ ++ cairo_pattern_destroy(p); ++ ++ return CAIRO_TEST_SUCCESS; ++} ++ ++ ++CAIRO_TEST (bug_image_compositor, ++ "Crash in image-compositor", ++ "stroke, stress", /* keywords */ ++ NULL, /* requirements */ ++ 10000, 1, ++ NULL, draw) ++ ++ +diff --git a/test/reference/bug-image-compositor.ref.png b/test/reference/bug-image-compositor.ref.png +new file mode 100644 +index 0000000000000000000000000000000000000000..939f659d2c8620e9927a3a79f5e96fb639c418be +GIT binary patch +literal 185 +zcmeAS@N?(olHy`uVBq!ia0y~yP!|BQ89A7Mi(P$bXO +z#WAE}&f8-f1se=_SPWL_NSx=C)BnJ0eBr6Z%1egFEOv(*t#+|{>X&v^RS7GQe(vez +lf)$wgmAfM(p2Sx&&i!{gWy)N&qd=P(JYD@<);T3K0RWsgHuC@g + +literal 0 +HcmV?d00001 + +-- +2.34.1 + + +From afc23bfdc3c2597b9fe0ee34b9b4bfa47fa03698 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 17:14:18 +0100 +Subject: [PATCH 2/2] Minor cleanups + +--- + test/bug-image-compositor.c | 33 ++++++++++++++++++++++++++++++--- + 1 file changed, 30 insertions(+), 3 deletions(-) + +diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c +index fc4fd370b..304ea089c 100644 +--- a/test/bug-image-compositor.c 
++++ b/test/bug-image-compositor.c +@@ -1,5 +1,34 @@ ++/* ++ * Copyright © 2020 Uli Schlachter, Heiko Lewin ++ * ++ * Permission is hereby granted, free of charge, to any person ++ * obtaining a copy of this software and associated documentation ++ * files (the "Software"), to deal in the Software without ++ * restriction, including without limitation the rights to use, copy, ++ * modify, merge, publish, distribute, sublicense, and/or sell copies ++ * of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ * ++ * Author: Uli Schlachter ++ * Author: Heiko Lewin ++ */ + #include "cairo-test.h" + ++ ++/* This test reproduces an overflow of a mask-buffer in cairo-image-compositor.c */ ++ + static cairo_test_status_t + draw (cairo_t *cr, int width, int height) + { +@@ -13,6 +42,7 @@ draw (cairo_t *cr, int width, int height) + cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1); + cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1); + cairo_set_source (cr, p); ++ cairo_pattern_destroy(p); + + cairo_move_to (cr, 0.5, -1); + for (int i = 0; i < width; i+=3) { +@@ -23,8 +53,6 @@ draw (cairo_t *cr, int width, int height) + cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE); + cairo_stroke (cr); + +- cairo_pattern_destroy(p); +- + return CAIRO_TEST_SUCCESS; + } + +@@ -36,4 +64,3 @@ CAIRO_TEST (bug_image_compositor, + 10000, 1, + NULL, draw) + +- +-- +2.34.1 + diff --git a/cairo.spec b/cairo.spec index 2f1c699..8b919f2 100644 --- a/cairo.spec +++ b/cairo.spec @@ -11,7 +11,7 @@ Name: cairo Version: 1.17.4 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A 2D graphics library License: LGPLv2 or MPLv1.1 @@ -26,6 +26,11 @@ Patch4: 0001-Set-default-LCD-filter-to-FreeType-s-default.patch # Fix generating PDF font names # https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/125 Patch5: 125.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1911486 +Patch6: cairo-1.15.12-CVE-2020-35492.patch + +# For Patch6. +BuildRequires: autoconf automake gettext-devel libtool BuildRequires: gcc BuildRequires: pkgconfig @@ -97,9 +102,10 @@ This package contains tools for working with the cairo graphics library. * cairo-trace: Record cairo library calls for later playback %prep -%autosetup -p1 +%autosetup -S git %build +autoreconf --force --install %configure --disable-static \ --enable-xlib \ --enable-ft \ 
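Review bot: In `_inplace_src_spans` the coverage bytes are still written with `*m++ = spans[0].coverage;` and no bound is visible in the hunk, so the fix depends entirely on the storage behind `r->mask` being large enough for the longest run of partially covered spans. That sizing happens outside these lines (the function body also continues past the hunk) and should be confirmed against the renderer setup. `base` is also used without a check, so the assumption that `pixman_image_get_data(r->mask)` cannot return NULL on this path deserves an assert or at least a comment. I would add above the declaration something like `/* coverage must go to the mask image's data, not r->_buf (overflowed on wide rows, see test/bug-image-compositor.c) */` so the reason for avoiding `r->_buf` is not lost in a later cleanup.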
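Review bot: The comment `# For Patch6.` does not say why four autotools packages become build dependencies for a security fix. From the patch it appears to be the one-line addition to `test/Makefile.sources`, which is what forces the `autoreconf --force --install` added in `%build`; I would spell that out, e.g. `# Patch6 touches test/Makefile.sources, so the build system is regenerated with autoreconf.` If the regression test and its reference PNG are not run downstream, carrying only the `src/cairo-image-compositor.c` part of the patch would avoid regenerating the build system at all.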
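Review bot: `%autosetup -S git` makes `%prep` invoke git, but no `BuildRequires` for it is added in this commit; unless it is already declared elsewhere in the spec, add `BuildRequires: git-core`. The switch is presumably needed because Patch6 carries a `GIT binary patch` section that patch(1) cannot apply, which is worth a short comment next to the macro. The explicit `-p1` was dropped at the same time; keeping it (`%autosetup -S git -p1`) makes the strip level for the existing patches independent of the SCM backend's default.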
@@ -177,6 +183,9 @@ find $RPM_BUILD_ROOT -name '*.la' -delete %{_libdir}/cairo/ %changelog +* Mon Feb 21 2022 David King - 1.17.4-6 +- Fix CVE-2020-35492 (#1911486) + * Mon Aug 09 2021 Mohan Boddu - 1.17.4-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688