summaryrefslogtreecommitdiffstats
path: root/poky/meta/recipes-graphics/cairo/cairo
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-graphics/cairo/cairo')
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch45
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch34
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch19
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch20
4 files changed, 73 insertions, 45 deletions
diff --git a/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch b/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
deleted file mode 100644
index 7d02ab947..000000000
--- a/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001
-From: Adrian Johnson <ajohnson@redneon.com>
-Date: Wed, 16 Aug 2017 22:52:35 -0400
-Subject: [PATCH] cairo: Fix CVE-2017-9814
-
-The bug happens because in some scenarios the variable size can
-have a value of 0 at line 1288. And malloc(0) is not returning
-NULL as some people could expect:
-
- https://stackoverflow.com/questions/1073157/zero-size-malloc
-
-malloc(0) returns the smallest chunk possible. So the line 1290
-with the return is not execute. And the execution continues with
-an invalid map.
-
-Since the size is 0 the variable map is not initialized correctly
-at load_trutype_table. So, later when the variable map is accessed
-previous values from a freed chunk are used. This could allows an
-attacker to control the variable map.
-
-This patch have not merge in upstream now.
-
-Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547]
-CVE: CVE-2017-9814
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
----
- src/cairo-truetype-subset.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
-index e3449a0..f77d11c 100644
---- a/src/cairo-truetype-subset.c
-+++ b/src/cairo-truetype-subset.c
-@@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
- return CAIRO_INT_STATUS_UNSUPPORTED;
-
- size = be16_to_cpu (map->length);
-- map = malloc (size);
-+ map = _cairo_malloc (size);
- if (unlikely (map == NULL))
- return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-
---
-2.8.1
-
diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch
new file mode 100644
index 000000000..4252a5663
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch
@@ -0,0 +1,34 @@
+CVE: CVE-2018-19876
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Mon, 19 Nov 2018 12:33:07 +0100
+Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in
+ cairo_ft_apply_variations
+
+Fixes a crash when using freetype >= 2.9
+---
+ src/cairo-ft-font.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
+index 325dd61b4..981973f78 100644
+--- a/src/cairo-ft-font.c
++++ b/src/cairo-ft-font.c
+@@ -2393,7 +2393,11 @@ skip:
+ done:
+ free (coords);
+ free (current_coords);
++#if HAVE_FT_DONE_MM_VAR
++ FT_Done_MM_Var (face->glyph->library, ft_mm_var);
++#else
+ free (ft_mm_var);
++#endif
+ }
+ }
+
+--
+2.11.0
+
diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
new file mode 100644
index 000000000..5232cf70c
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -0,0 +1,19 @@
+There is a potential infinite-loop in function _arc_error_normalized().
+
+CVE: CVE-2019-6461
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..f9249dbeb 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && error > __DBL_EPSILON__);
+
+ return angle;
+ }
diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
new file mode 100644
index 000000000..4e4598c5b
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -0,0 +1,20 @@
+There is an assertion in function _cairo_arc_in_direction().
+
+CVE: CVE-2019-6462
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1bde774a4 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
+ if (cairo_status (cr))
+ return;
+
+- assert (angle_max >= angle_min);
++ if (angle_max < angle_min)
++ return;
+
+ if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+ angle_max = fmod (angle_max - angle_min, 2 * M_PI);
OpenPOWER on IntegriCloud