pixman < 0.42.2 is affected by an out-of-bounds write error in the
`rasterize_edges_8()` function due to an integer overflow in the
`pixman_sample_floor_y()` function.
For more information please check the upstream bug report [1].
This patch backports commit a1f88e842e02 ("Avoid integer overflow
leading to out-of-bounds write") [2] to fix CVE-2022-44638.
In order to test and validate the fix, a reproducer can be found in the
original bug report [3] and compiled with the following command:
$ gcc -o poc poc.c -ldl -fsanitize=address \
$(pkg-config --cflags --libs pixman-1)
[1] https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
[2] a1f88e842e
[3] https://gitlab.freedesktop.org/pixman/pixman/uploads/a55795e36afc03445ed838b0fda786f9/poc.c
Resolves: https://issues.redhat.com/browse/RHEL-7854
pixman 0.38.x has a regression that causes incorrect rendering in some
circumstances. This can be triggered by the use of cairo with
CAIRO_OPERATOR_SATURATE and subpixel positioning, and causes OpenSlide
to produce incorrect output.
This patch is a cherry-pick of [1], rebasing it on top of `c8s`.
It backports commit 8256c235d9b3 ("Fix bilinear filter computation in
wide pipeline") [2] from pixman 0.40.0 to fix the mentioned regression.
At the moment of writing this, pixman's version is:
- Fedora: 0.42.2
- CentOS Stream 9: 0.40.0
- CentOS Stream 8: 0.38.4
Therefore, CentOS Stream 8 needs to be patched.
A reproducer can be found in the original bug report [3].
[1] https://gitlab.com/redhat/centos-stream/rpms/pixman/-/merge_requests/2
[2] 8256c235d9
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2124013
Resolves: https://issues.redhat.com/browse/RHEL-3061