gnu: cairo: Fix CVE-2016-9082.

* gnu/packages/gtk.scm (cairo)[replacement]: New field.
(cairo/fixed): New variable.
(cairo-xcb)[source]: Use patch.
[replacement]: New field, set false.
* gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be
replaced by a new custom patched cairo.
* gnu/packages/patches/cairo-CVE-2016-9082.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
Efraim Flashner 2016-11-28 19:25:21 +02:00
parent eb55f01821
commit c51d926c74
No known key found for this signature in database
GPG Key ID: F4C1D3917EACEE93
4 changed files with 146 additions and 0 deletions

View File

@ -489,6 +489,7 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/binutils-mips-bash-bug.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/cairo-CVE-2016-9082.patch \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/cdparanoia-fpic.patch \

View File

@ -100,6 +100,7 @@ tools have full access to view and control running applications.")
(define-public cairo
(package
(name "cairo")
(replacement cairo/fixed)
(version "1.14.6")
(source (origin
(method url-fetch)
@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).")
(package
(inherit cairo)
(name "cairo-xcb")
(source (origin
(inherit (package-source cairo))
(patches (search-patches "cairo-CVE-2016-9082.patch"))))
(replacement #f)
(inputs
`(("mesa" ,mesa)
,@(package-inputs cairo)))
@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).")
'("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
(synopsis "2D graphics library (with X11 support)")))
(define cairo/fixed
(package
(inherit cairo)
(source (origin
(inherit (package-source cairo))
(patches (search-patches "cairo-CVE-2016-9082.patch"))))))
(define-public harfbuzz
(package
(name "harfbuzz")

View File

@ -0,0 +1,122 @@
From: Adrian Johnson <ajohnson@redneon.com>
Date: Thu, 20 Oct 2016 21:12:30 +1030
Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
Image data is often accessed using:
image->data + y * image->stride
On 64-bit achitectures if the image data is > 4GB, this computation
will overflow since both y and stride are 32-bit types.
bug report: https://bugs.freedesktop.org/show_bug.cgi?id=98165
patch: https://bugs.freedesktop.org/attachment.cgi?id=127421
---
boilerplate/cairo-boilerplate.c | 4 +++-
src/cairo-image-compositor.c | 4 ++--
src/cairo-image-surface-private.h | 2 +-
src/cairo-mesh-pattern-rasterizer.c | 2 +-
src/cairo-png.c | 2 +-
src/cairo-script-surface.c | 3 ++-
6 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
index 7fdbf79..4804dea 100644
--- a/boilerplate/cairo-boilerplate.c
+++ b/boilerplate/cairo-boilerplate.c
@@ -42,6 +42,7 @@
#undef CAIRO_VERSION_H
#include "../cairo-version.h"
+#include <stddef.h>
#include <stdlib.h>
#include <ctype.h>
#include <assert.h>
@@ -976,7 +977,8 @@ cairo_surface_t *
cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
{
char format;
- int width, height, stride;
+ int width, height;
+ ptrdiff_t stride;
int x, y;
unsigned char *data;
cairo_surface_t *image = NULL;
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index 48072f8..3ca0006 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
pixman_image_t *src, *mask;
union {
struct fill {
- int stride;
+ ptrdiff_t stride;
uint8_t *data;
uint32_t pixel;
} fill;
@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
struct finish {
cairo_rectangle_int_t extents;
int src_x, src_y;
- int stride;
+ ptrdiff_t stride;
uint8_t *data;
} mask;
} u;
diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
index 8ca694c..7e78d61 100644
--- a/src/cairo-image-surface-private.h
+++ b/src/cairo-image-surface-private.h
@@ -71,7 +71,7 @@ struct _cairo_image_surface {
int width;
int height;
- int stride;
+ ptrdiff_t stride;
int depth;
unsigned owns_data : 1;
diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
index 1b63ca8..e7f0db6 100644
--- a/src/cairo-mesh-pattern-rasterizer.c
+++ b/src/cairo-mesh-pattern-rasterizer.c
@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
tg += tg >> 16;
tb += tb >> 16;
- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
}
}
diff --git a/src/cairo-png.c b/src/cairo-png.c
index 562b743..aa8c227 100644
--- a/src/cairo-png.c
+++ b/src/cairo-png.c
@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
}
for (i = 0; i < png_height; i++)
- row_pointers[i] = &data[i * stride];
+ row_pointers[i] = &data[i * (ptrdiff_t)stride];
png_read_image (png, row_pointers);
png_read_end (png, info);
diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index ea0117d..91e4baa 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -1202,7 +1202,8 @@ static cairo_status_t
_write_image_surface (cairo_output_stream_t *output,
const cairo_image_surface_t *image)
{
- int stride, row, width;
+ int row, width;
+ ptrdiff_t stride;
uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
uint8_t *rowdata;
uint8_t *data;
--
2.1.4

View File

@ -95,6 +95,17 @@
;; To build poppler-glib (as needed by Evince), we need Cairo and
;; GLib. But of course, that Cairo must not depend on Poppler.
("cairo" ,(package (inherit cairo)
(replacement
(package
(inherit cairo)
(replacement #f)
(source
(origin
(inherit (package-source cairo))
(patches (search-patches
"cairo-CVE-2016-9082.patch"))))
(inputs (alist-delete "poppler"
(package-inputs cairo)))))
(inputs (alist-delete "poppler"
(package-inputs cairo)))))
("glib" ,glib)))