rpms
/
pixman
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c8-beta/pixman-0.36.0-1.el8
Branches Tags
rpms:c8
rpms:c8-beta
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:imports/c8/pixman-0.38.4-4.el8
rpms:imports/c8/pixman-0.38.4-3.el8_9
rpms:imports/c9/pixman-0.40.0-6.el9_3
rpms:imports/c9/pixman-0.40.0-5.el9
rpms:imports/c8/pixman-0.38.4-2.el8
rpms:imports/c8-beta/pixman-0.38.4-2.el8
rpms:imports/c8s/pixman-0.38.4-2.el8
rpms:imports/c9-beta/pixman-0.40.0-5.el9
rpms:imports/c8-beta/pixman-0.38.4-1.el8
rpms:imports/c8-beta/pixman-0.36.0-1.el8
rpms:imports/c8s/pixman-0.38.4-1.el8
rpms:imports/c8/pixman-0.38.4-1.el8
rpms:imports/c8/pixman-0.36.0-1.el8
..
compare: rpms:c8
Branches Tags
rpms:c8
rpms:c8-beta
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:imports/c8/pixman-0.38.4-4.el8
rpms:imports/c8/pixman-0.38.4-3.el8_9
rpms:imports/c9/pixman-0.40.0-6.el9_3
rpms:imports/c9/pixman-0.40.0-5.el9
rpms:imports/c8/pixman-0.38.4-2.el8
rpms:imports/c8-beta/pixman-0.38.4-2.el8
rpms:imports/c8s/pixman-0.38.4-2.el8
rpms:imports/c9-beta/pixman-0.40.0-5.el9
rpms:imports/c8-beta/pixman-0.38.4-1.el8
rpms:imports/c8-beta/pixman-0.36.0-1.el8
rpms:imports/c8s/pixman-0.38.4-1.el8
rpms:imports/c8/pixman-0.38.4-1.el8
rpms:imports/c8/pixman-0.36.0-1.el8

No commits in common. "imports/c8-beta/pixman-0.36.0-1.el8" and "c8" have entirely different histories.
imports/c8 ... c8

6 changed files with 167 additions and 4 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/pixman-0.36.0.tar.bz2
SOURCES/pixman-0.38.4.tar.bz2

2
.pixman.metadata
View File

@ -1 +1 @@
10d85590beee287a508a148297808a66d1ce11cd SOURCES/pixman-0.36.0.tar.bz2
87e1abc91ac4e5dfcc275f744f1d0ec3277ee7cd SOURCES/pixman-0.38.4.tar.bz2

29
SOURCES/0001-Avoid-integer-overflow-leading-to-out-of-bounds-writ.patch Normal file
View File

@ -0,0 +1,29 @@
From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001
From: Matt Turner <mattst88@gmail.com>
Date: Wed, 2 Nov 2022 12:07:32 -0400
Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write
Thanks to Maddie Stone and Google's Project Zero for discovering this
issue, providing a proof-of-concept, and a great analysis.
Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
---
pixman/pixman-trap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
index 91766fd..7560405 100644
--- a/pixman/pixman-trap.c
+++ b/pixman/pixman-trap.c
@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
if (f < Y_FRAC_FIRST (n))
{
- if (pixman_fixed_to_int (i) == 0x8000)
+ if (pixman_fixed_to_int (i) == 0xffff8000)
{
f = 0; /* saturate */
}
--
2.41.0

84
SOURCES/0001-Fix-bilinear-filter-computation-in-wide-pipeline.patch Normal file
View File

@ -0,0 +1,84 @@
From 8256c235d9b3854d039242356905eca854a890ba Mon Sep 17 00:00:00 2001
From: Basile Clement <basile-pixman@clement.pm>
Date: Tue, 9 Apr 2019 23:16:13 +0200
Subject: [PATCH] Fix bilinear filter computation in wide pipeline
The recently introduced wide pipeline for filters has a typo which
causes it to improperly compute bilinear interpolation positions,
causing various glitches when enabled.
This patch uses the proper computation for bilinear interpolation in the
wide pipeline. It also makes related `if` statements conformant to the
CODING_STYLE:
* If a substatement spans multiple lines, then there must be braces
around it.
* If one substatement of an if statement has braces, then the other
must too.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
---
pixman/pixman-bits-image.c | 9 +++++++++
pixman/pixman-inlines.h | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c
index 564789e..7bc2ba8 100644
--- a/pixman/pixman-bits-image.c
+++ b/pixman/pixman-bits-image.c
@@ -432,29 +432,38 @@ bits_image_fetch_pixel_filtered (bits_image_t *image,
case PIXMAN_FILTER_CONVOLUTION:
if (wide)
+ {
bits_image_fetch_pixel_convolution (image, x, y,
get_pixel, out,
accum_float,
reduce_float);
+ }
else
+ {
bits_image_fetch_pixel_convolution (image, x, y,
get_pixel, out,
accum_32, reduce_32);
+ }
break;
case PIXMAN_FILTER_SEPARABLE_CONVOLUTION:
if (wide)
+ {
bits_image_fetch_pixel_separable_convolution (image, x, y,
get_pixel, out,
accum_float,
reduce_float);
+ }
else
+ {
bits_image_fetch_pixel_separable_convolution (image, x, y,
get_pixel, out,
accum_32, reduce_32);
+ }
break;
default:
+ assert (0);
break;
}
}
diff --git a/pixman/pixman-inlines.h b/pixman/pixman-inlines.h
index 332e208..f785910 100644
--- a/pixman/pixman-inlines.h
+++ b/pixman/pixman-inlines.h
@@ -231,7 +231,7 @@ bilinear_interpolation_float (argb_t tl, argb_t tr,
argb_t r;
distxy = distx * disty;
- distxiy = distx - (1.f - distxy);
+ distxiy = distx * (1.f - disty);
distixy = (1.f - distx) * disty;
distixiy = (1.f - distx) * (1.f - disty);
--
2.37.1

34
SOURCES/0001-Initialize-temporary-buffers-in-general_composite_re.patch Normal file
View File

@ -0,0 +1,34 @@
From 6fe0131394fb029d2fccaee6b8edcb108840ad8a Mon Sep 17 00:00:00 2001
From: Federico Mena Quintero <federico@gnome.org>
Date: Wed, 18 Mar 2020 18:49:30 -0600
Subject: [PATCH] Initialize temporary buffers in general_composite_rect()
Otherwise, Valgrind shows things like "conditional jump or move
depends on uninitialised values" errors much later in calling code.
For example, see https://gitlab.gnome.org/GNOME/librsvg/issues/572
Fixes https://gitlab.freedesktop.org/pixman/pixman/issues/9
---
pixman/pixman-general.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pixman/pixman-general.c b/pixman/pixman-general.c
index 7d74f98..7e5a0d0 100644
--- a/pixman/pixman-general.c
+++ b/pixman/pixman-general.c
@@ -165,6 +165,12 @@ general_composite_rect (pixman_implementation_t *imp,
if (!scanline_buffer)
return;
+
+ memset (scanline_buffer, 0, width * Bpp * 3 + 15 * 3);
+ }
+ else
+ {
+ memset (stack_scanline_buffer, 0, sizeof (stack_scanline_buffer));
}
src_buffer = ALIGN (scanline_buffer);
--
2.34.1

20
SPECS/pixman.spec
View File

@ -2,8 +2,8 @@
%define gitrev 8ff7213f39edc1b2b8b60d6b0cc5d5f14ca1928d
Name: pixman
Version: 0.36.0
Release: 1%{?dist}
Version: 0.38.4
Release: 4%{?dist}
Summary: Pixel manipulation library
Group: System Environment/Libraries
@ -16,6 +16,10 @@ URL: https://gitlab.freedesktop.org/pixman/pixman
Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2
Source1: make-pixman-snapshot.sh
Patch0: 0001-Initialize-temporary-buffers-in-general_composite_re.patch
Patch1: 0001-Fix-bilinear-filter-computation-in-wide-pipeline.patch
Patch2: 0001-Avoid-integer-overflow-leading-to-out-of-bounds-writ.patch
BuildRequires: automake autoconf libtool
BuildRequires: gcc
@ -66,6 +70,18 @@ make check %{?_smp_mflags} V=1
%{_libdir}/pkgconfig/pixman-1.pc
%changelog
* Wed Oct 04 2023 José Expósito <jexposit@redhat.com> - 0.38.4-4
- Backport fix for CVE-2022-44638
* Sat Sep 03 2022 Benjamin Gilbert <bgilbert@backtick.net> - 0.38.4-3
- Fix bilinear filter computation in wide pipeline
* Tue Feb 22 2022 Adam Jackson <ajax@redhat.com> - 0.38.4-2
- Backport the pixman part of cairo CVE-2020-35492
* Tue Nov 19 2019 Adam Jackson <ajax@redhat.com> - 0.38.4-1
- pixman 0.38.4
* Thu Nov 29 2018 Adam Jackson <ajax@redhat.com> - 0.36.0-1
- pixman 0.36.0