cairo: fix CVE-2020-35492

(From OE-Core rev: 58e9ecbda48faff9c1babc90504eb76805eb9266) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2021-04-22 16:10:10 +08:00 · 2021-04-22 16:10:10 +08:00 · 5faaedd8e3
commit 5faaedd8e3
parent 1c8bded8ed
3 changed files with 132 additions and 0 deletions
--- a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@ -0,0 +1,121 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+CVE: CVE-2020-35492
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
+
+original patch from upstream has a binary file, it will cause
+do_patch failed with "git binary diffs are not supported".
+
+so add do_patch_append in recipe to add this binary source. when removing
+this patch, please also remove do_patch_append for this patch
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/cairo-image-compositor.c                |   8 ++--
+ test/Makefile.sources                       |   1 +
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 		    unsigned num_spans)
+ {
+     cairo_image_span_renderer_t *r = abstract_renderer;
+-    uint8_t *m;
+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+     int x0;
+ 
+     if (num_spans == 0)
+ 	return CAIRO_STATUS_SUCCESS;
+ 
+     x0 = spans[0].x;
+-    m = r->_buf;
+    m = base;
+     do {
+ 	int len = spans[1].x - spans[0].x;
+ 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 				      spans[0].x, y,
+ 				      spans[1].x - spans[0].x, h);
+ 
+-	    m = r->_buf;
+	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else if (spans[0].coverage == 0x0) {
+ 	    if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ 	    }
+ 
+-	    m = r->_buf;
+	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else {
+ 	    *m++ = spans[0].coverage;
+diff --git a/test/Makefile.sources b/test/Makefile.sources
+index 7eb73647f..86494348d 100644
+--- a/test/Makefile.sources
+++ b/test/Makefile.sources
+@@ -34,6 +34,7 @@ test_sources = \
+ 	bug-source-cu.c					\
+ 	bug-extents.c					\
+ 	bug-seams.c					\
+	bug-image-compositor.c				\
+ 	caps.c						\
+ 	checkerboard.c					\
+ 	caps-joins.c					\
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
+++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
+#include "cairo-test.h"
+
+static cairo_test_status_t
+draw (cairo_t *cr, int width, int height)
+{
+    cairo_set_source_rgb (cr, 0., 0., 0.);
+    cairo_paint (cr);
+
+    cairo_set_source_rgb (cr, 1., 1., 1.);
+    cairo_set_line_width (cr, 1.);
+
+    cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
+    cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
+    cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
+    cairo_set_source (cr, p);
+
+    cairo_move_to (cr, 0.5, -1);
+    for (int i = 0; i < width; i+=3) {
+	cairo_rel_line_to (cr, 2, 2);
+	cairo_rel_line_to (cr, 1, -2);
+    }
+
+    cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
+    cairo_stroke (cr);
+
+    cairo_pattern_destroy(p);
+
+    return CAIRO_TEST_SUCCESS;
+}
+
+
+CAIRO_TEST (bug_image_compositor,
+	    "Crash in image-compositor",
+	    "stroke, stress", /* keywords */
+	    NULL, /* requirements */
+	    10000, 1,
+	    NULL, draw)
+	    
+	    
+-- 
+GitLab
--- a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
+++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
           file://CVE-2018-19876.patch \
           file://CVE-2019-6461.patch \
           file://CVE-2019-6462.patch \
+           file://CVE-2020-35492.patch \
+           file://bug-image-compositor.ref.png \
          "

 SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no"
 # Ensure we don't depend on LZO
 export ac_cv_lib_lzo2_lzo2a_decompress="no"

+#for CVE-2020-35492.patch
+do_patch_append() {
+    bb.build.exec_func('do_cp_binary_source', d)
+}
+
+do_cp_binary_source () {
+	cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
+}
+
 do_install_append () {
 	rm -rf ${D}${bindir}/cairo-sphinx
 	rm -rf ${D}${libdir}/cairo/cairo-fdr*