[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cairo CVE-2016-9082
From: |
Kei Kebreau |
Subject: |
Re: cairo CVE-2016-9082 |
Date: |
Mon, 28 Nov 2016 16:28:45 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Efraim Flashner <address@hidden> writes:
> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.
>
>
> --
> Efraim Flashner <address@hidden> אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
>
> From 14cdf8d6b0827912fd9bf8ec2a061d6eae3acd79 Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <address@hidden>
> Date: Mon, 28 Nov 2016 19:25:21 +0200
> Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082.
>
> * gnu/packages/gtk.scm (cairo)[replacement]: New field.
> (cairo/fixed): New variable.
> (cairo-xcb)[source]: Use patch.
> [replacement]: Set false.
> * gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be
> replaced by a new custom patched cairo.
> * gnu/packages/patches/cairo-CVE-2016-9082.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/gtk.scm | 12 +++
> gnu/packages/patches/cairo-CVE-2016-9082.patch | 121
> +++++++++++++++++++++++++
> gnu/packages/pdf.scm | 11 +++
> 4 files changed, 145 insertions(+)
> create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index c50ef25..ea8aa73 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -488,6 +488,7 @@ dist_patch_DATA =
> \
> %D%/packages/patches/binutils-loongson-workaround.patch \
> %D%/packages/patches/binutils-mips-bash-bug.patch \
> %D%/packages/patches/byobu-writable-status.patch \
> + %D%/packages/patches/cairo-CVE-2016-9082.patch \
> %D%/packages/patches/calibre-drop-unrar.patch \
> %D%/packages/patches/calibre-no-updates-dialog.patch \
> %D%/packages/patches/cdparanoia-fpic.patch \
> diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
> index 17bd9c9..8a258b5 100644
> --- a/gnu/packages/gtk.scm
> +++ b/gnu/packages/gtk.scm
> @@ -100,6 +100,7 @@ tools have full access to view and control running
> applications.")
> (define-public cairo
> (package
> (name "cairo")
> + (replacement cairo/fixed)
> (version "1.14.6")
> (source (origin
> (method url-fetch)
> @@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).")
> (package
> (inherit cairo)
> (name "cairo-xcb")
> + (source (origin
> + (inherit (package-source cairo))
> + (patches (search-patches "cairo-CVE-2016-9082.patch"))))
> + (replacement #f)
> (inputs
> `(("mesa" ,mesa)
> ,@(package-inputs cairo)))
> @@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).")
> '("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
> (synopsis "2D graphics library (with X11 support)")))
>
> +(define cairo/fixed
> + (package
> + (inherit cairo)
> + (source (origin
> + (inherit (package-source cairo))
> + (patches (search-patches "cairo-CVE-2016-9082.patch"))))))
> +
> (define-public harfbuzz
> (package
> (name "harfbuzz")
> diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch
> b/gnu/packages/patches/cairo-CVE-2016-9082.patch
> new file mode 100644
> index 0000000..1dd57a0
> --- /dev/null
> +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch
> @@ -0,0 +1,121 @@
> +From: Adrian Johnson <address@hidden>
> +Date: Thu, 20 Oct 2016 21:12:30 +1030
> +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
> +
> +Image data is often accessed using:
> +
> + image->data + y * image->stride
> +
> +On 64-bit achitectures if the image data is > 4GB, this computation
> +will overflow since both y and stride are 32-bit types.
> +
> +https://bugs.freedesktop.org/show_bug.cgi?id=98165
> +---
> + boilerplate/cairo-boilerplate.c | 4 +++-
> + src/cairo-image-compositor.c | 4 ++--
> + src/cairo-image-surface-private.h | 2 +-
> + src/cairo-mesh-pattern-rasterizer.c | 2 +-
> + src/cairo-png.c | 2 +-
> + src/cairo-script-surface.c | 3 ++-
> + 6 files changed, 10 insertions(+), 7 deletions(-)
> +
> +diff --git a/boilerplate/cairo-boilerplate.c
> b/boilerplate/cairo-boilerplate.c
> +index 7fdbf79..4804dea 100644
> +--- a/boilerplate/cairo-boilerplate.c
> ++++ b/boilerplate/cairo-boilerplate.c
> +@@ -42,6 +42,7 @@
> + #undef CAIRO_VERSION_H
> + #include "../cairo-version.h"
> +
> ++#include <stddef.h>
> + #include <stdlib.h>
> + #include <ctype.h>
> + #include <assert.h>
> +@@ -976,7 +977,8 @@ cairo_surface_t *
> + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
> + {
> + char format;
> +- int width, height, stride;
> ++ int width, height;
> ++ ptrdiff_t stride;
> + int x, y;
> + unsigned char *data;
> + cairo_surface_t *image = NULL;
> +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
> +index 48072f8..3ca0006 100644
> +--- a/src/cairo-image-compositor.c
> ++++ b/src/cairo-image-compositor.c
> +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
> + pixman_image_t *src, *mask;
> + union {
> + struct fill {
> +- int stride;
> ++ ptrdiff_t stride;
> + uint8_t *data;
> + uint32_t pixel;
> + } fill;
> +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
> + struct finish {
> + cairo_rectangle_int_t extents;
> + int src_x, src_y;
> +- int stride;
> ++ ptrdiff_t stride;
> + uint8_t *data;
> + } mask;
> + } u;
> +diff --git a/src/cairo-image-surface-private.h
> b/src/cairo-image-surface-private.h
> +index 8ca694c..7e78d61 100644
> +--- a/src/cairo-image-surface-private.h
> ++++ b/src/cairo-image-surface-private.h
> +@@ -71,7 +71,7 @@ struct _cairo_image_surface {
> +
> + int width;
> + int height;
> +- int stride;
> ++ ptrdiff_t stride;
> + int depth;
> +
> + unsigned owns_data : 1;
> +diff --git a/src/cairo-mesh-pattern-rasterizer.c
> b/src/cairo-mesh-pattern-rasterizer.c
> +index 1b63ca8..e7f0db6 100644
> +--- a/src/cairo-mesh-pattern-rasterizer.c
> ++++ b/src/cairo-mesh-pattern-rasterizer.c
> +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height,
> int stride,
> + tg += tg >> 16;
> + tb += tb >> 16;
> +
> +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
> ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) &
> 0xff000000) |
> + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
> + }
> + }
> +diff --git a/src/cairo-png.c b/src/cairo-png.c
> +index 562b743..aa8c227 100644
> +--- a/src/cairo-png.c
> ++++ b/src/cairo-png.c
> +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
> + }
> +
> + for (i = 0; i < png_height; i++)
> +- row_pointers[i] = &data[i * stride];
> ++ row_pointers[i] = &data[i * (ptrdiff_t)stride];
> +
> + png_read_image (png, row_pointers);
> + png_read_end (png, info);
> +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
> +index ea0117d..91e4baa 100644
> +--- a/src/cairo-script-surface.c
> ++++ b/src/cairo-script-surface.c
> +@@ -1202,7 +1202,8 @@ static cairo_status_t
> + _write_image_surface (cairo_output_stream_t *output,
> + const cairo_image_surface_t *image)
> + {
> +- int stride, row, width;
> ++ int row, width;
> ++ ptrdiff_t stride;
> + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
> + uint8_t *rowdata;
> + uint8_t *data;
> +--
> +2.1.4
> +
> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
> index 39f4d02..6442f08 100644
> --- a/gnu/packages/pdf.scm
> +++ b/gnu/packages/pdf.scm
> @@ -95,6 +95,17 @@
> ;; To build poppler-glib (as needed by Evince), we need Cairo
> and
> ;; GLib. But of course, that Cairo must not depend on Poppler.
> ("cairo" ,(package (inherit cairo)
> + (replacement
> + (package
> + (inherit cairo)
> + (replacement #f)
> + (source
> + (origin
> + (inherit (package-source cairo))
> + (patches (search-patches
> + "cairo-CVE-2016-9082.patch"))))
> + (inputs (alist-delete "poppler"
> + (package-inputs cairo)))))
> (inputs (alist-delete "poppler"
> (package-inputs cairo)))))
> ("glib" ,glib)))
This patch LGTM.
signature.asc
Description: PGP signature