guix-devel/gnu/packages/patches/pixman-CVE-2016-5296.patch

Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
Adapted for upstream pixman based on:

  https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded

--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig	2015-06-30 05:48:31.000000000 -0400
+++ pixman-0.34.0/pixman/pixman-edge-imp.h	2016-11-16 01:09:34.046335106 -0500
@@ -55,8 +55,9 @@
 	 *
 	 * (The AA case does a similar  adjustment in RENDER_SAMPLES_X)
 	 */
-	lx += X_FRAC_FIRST(1) - pixman_fixed_e;
-	rx += X_FRAC_FIRST(1) - pixman_fixed_e;
+	/* we cast to unsigned to get defined behaviour for overflow */
+	lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e;
+	rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e;
 #endif
 	/* clip X */
 	if (lx < 0)
gnu: pixman: Add fix for CVE-2016-5296. * gnu/packages/patches/pixman-CVE-2016-5296.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (pixman)[replacement]: New field. (pixman/fixed): New variable. 2016-11-16 08:14:28 +01:00			`Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1`
			`Adapted for upstream pixman based on:`

			`https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded`

			`--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig 2015-06-30 05:48:31.000000000 -0400`
			`+++ pixman-0.34.0/pixman/pixman-edge-imp.h 2016-11-16 01:09:34.046335106 -0500`
			`@@ -55,8 +55,9 @@`
			`*`
			`* (The AA case does a similar adjustment in RENDER_SAMPLES_X)`
			`*/`
			`- lx += X_FRAC_FIRST(1) - pixman_fixed_e;`
			`- rx += X_FRAC_FIRST(1) - pixman_fixed_e;`
			`+ /* we cast to unsigned to get defined behaviour for overflow */`
			`+ lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e;`
			`+ rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e;`
			`#endif`
			`/* clip X */`
			`if (lx < 0)`