CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

librsvg: Security fix CVE-2015-7558

Browse Source 
CVE-2015-7558 librsvg2: Stack exhaustion causing DoS

including two supporting patches.

(From OE-Core master rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6)

(From OE-Core rev: 4e21caee47a0ca3e66e84a15d104d3b532731263)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2016-01-30 20:45:31 -08:00 committed by Richard Purdie
parent 34c865c7ba
commit d192c62891
4 changed files with 597 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch Normal file
View File

@ -0,0 +1,139 @@
From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Wed, 7 Oct 2015 05:31:08 +0200
Subject: [PATCH] state: Store mask as reference
Instead of immediately looking up the mask, store the reference and look
it up on use.
Upstream-status: Backport
supporting patch
https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
CVE: CVE-2015-7558
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
rsvg-cairo-draw.c | 6 +++++-
rsvg-mask.c | 17 -----------------
rsvg-mask.h | 2 --
rsvg-styles.c | 12 ++++++++----
rsvg-styles.h | 2 +-
5 files changed, 14 insertions(+), 25 deletions(-)
Index: librsvg-2.40.10/rsvg-cairo-draw.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
+++ librsvg-2.40.10/rsvg-cairo-draw.c
@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
cairo_set_operator (render->cr, state->comp_op);
if (state->mask) {
- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
+ RsvgNode *mask;
+
+ mask = rsvg_defs_lookup (ctx->defs, state->mask);
+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
} else if (state->opacity != 0xFF)
cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
else
Index: librsvg-2.40.10/rsvg-mask.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.c
+++ librsvg-2.40.10/rsvg-mask.c
@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
}
RsvgNode *
-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
-{
- char *name;
-
- name = rsvg_get_url_string (str);
- if (name) {
- RsvgNode *val;
- val = rsvg_defs_lookup (defs, name);
- g_free (name);
-
- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
- return val;
- }
- return NULL;
-}
-
-RsvgNode *
rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
{
char *name;
Index: librsvg-2.40.10/rsvg-mask.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.h
+++ librsvg-2.40.10/rsvg-mask.h
@@ -48,8 +48,6 @@ struct _RsvgMask {
G_GNUC_INTERNAL
RsvgNode *rsvg_new_mask (void);
-G_GNUC_INTERNAL
-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
typedef struct _RsvgClipPath RsvgClipPath;
Index: librsvg-2.40.10/rsvg-styles.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.c
+++ librsvg-2.40.10/rsvg-styles.c
@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
*dst = *src;
dst->parent = parent;
+ dst->mask = g_strdup (src->mask);
dst->font_family = g_strdup (src->font_family);
dst->lang = g_strdup (src->lang);
rsvg_paint_server_ref (dst->fill);
@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
if (inherituninheritables) {
dst->clip_path_ref = src->clip_path_ref;
- dst->mask = src->mask;
+ g_free (dst->mask);
+ dst->mask = g_strdup (src->mask);
dst->enable_background = src->enable_background;
dst->adobe_blend = src->adobe_blend;
dst->opacity = src->opacity;
@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
void
rsvg_state_finalize (RsvgState * state)
{
+ g_free (state->mask);
g_free (state->font_family);
g_free (state->lang);
rsvg_paint_server_unref (state->fill);
@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
state->adobe_blend = 11;
else
state->adobe_blend = 0;
- } else if (g_str_equal (name, "mask"))
- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
- else if (g_str_equal (name, "clip-path")) {
+ } else if (g_str_equal (name, "mask")) {
+ g_free (state->mask);
+ state->mask = rsvg_get_url_string (value);
+ } else if (g_str_equal (name, "clip-path")) {
state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
} else if (g_str_equal (name, "overflow")) {
if (!g_str_equal (value, "inherit")) {
Index: librsvg-2.40.10/rsvg-styles.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.h
+++ librsvg-2.40.10/rsvg-styles.h
@@ -80,7 +80,7 @@ struct _RsvgState {
cairo_matrix_t personal_affine;
RsvgFilter *filter;
- void *mask;
+ char *mask;
void *clip_path_ref;
guint8 adobe_blend; /* 0..11 */
guint8 opacity; /* 0..255 */

230
meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch Normal file
View File

@ -0,0 +1,230 @@
From 6cfaab12c70cd4a34c4730837f1ecdf792593c90 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Wed, 7 Oct 2015 07:57:39 +0200
Subject: [PATCH] state: Look up clip path lazily
Upstream-status: Backport
supporting patch
https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=6cfaab12c70cd4a34c4730837f1ecdf792593c90
CVE: CVE-2015-7558
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
rsvg-cairo-draw.c | 56 +++++++++++++++++++++++++++++++++----------------------
rsvg-mask.c | 17 -----------------
rsvg-mask.h | 2 --
rsvg-styles.c | 10 +++++++---
rsvg-styles.h | 2 +-
5 files changed, 42 insertions(+), 45 deletions(-)
Index: librsvg-2.40.10/rsvg-cairo-draw.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
+++ librsvg-2.40.10/rsvg-cairo-draw.c
@@ -461,7 +461,7 @@ rsvg_cairo_render_path (RsvgDrawingCtx *
return;
need_tmpbuf = ((state->fill != NULL) && (state->stroke != NULL) && state->opacity != 0xff)
- || state->clip_path_ref || state->mask || state->filter
+ || state->clip_path || state->mask || state->filter
|| (state->comp_op != CAIRO_OPERATOR_OVER);
if (need_tmpbuf)
@@ -708,18 +708,6 @@ rsvg_cairo_generate_mask (cairo_t * cr,
}
static void
-rsvg_cairo_push_early_clips (RsvgDrawingCtx * ctx)
-{
- RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
-
- cairo_save (render->cr);
- if (rsvg_current_state (ctx)->clip_path_ref)
- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == userSpaceOnUse)
- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, NULL);
-
-}
-
-static void
rsvg_cairo_push_render_stack (RsvgDrawingCtx * ctx)
{
/* XXX: Untested, probably needs help wrt filters */
@@ -731,9 +719,27 @@ rsvg_cairo_push_render_stack (RsvgDrawin
RsvgState *state = rsvg_current_state (ctx);
gboolean lateclip = FALSE;
- if (rsvg_current_state (ctx)->clip_path_ref)
- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
- lateclip = TRUE;
+ if (rsvg_current_state (ctx)->clip_path) {
+ RsvgNode *node;
+ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
+ RsvgClipPath *clip_path = (RsvgClipPath *) node;
+
+ switch (clip_path->units) {
+ case userSpaceOnUse:
+ rsvg_cairo_clip (ctx, clip_path, NULL);
+ break;
+ case objectBoundingBox:
+ lateclip = TRUE;
+ break;
+
+ default:
+ g_assert_not_reached ();
+ break;
+ }
+
+ }
+ }
if (state->opacity == 0xFF
&& !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
@@ -774,7 +780,9 @@ rsvg_cairo_push_render_stack (RsvgDrawin
void
rsvg_cairo_push_discrete_layer (RsvgDrawingCtx * ctx)
{
- rsvg_cairo_push_early_clips (ctx);
+ RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
+
+ cairo_save (render->cr);
rsvg_cairo_push_render_stack (ctx);
}
@@ -783,14 +791,18 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
{
RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
cairo_t *child_cr = render->cr;
- gboolean lateclip = FALSE;
+ RsvgClipPath *lateclip = NULL;
cairo_surface_t *surface = NULL;
RsvgState *state = rsvg_current_state (ctx);
gboolean nest;
- if (rsvg_current_state (ctx)->clip_path_ref)
- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
- lateclip = TRUE;
+ if (rsvg_current_state (ctx)->clip_path) {
+ RsvgNode *node;
+ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
+ && ((RsvgClipPath *) node)->units == objectBoundingBox)
+ lateclip = (RsvgClipPath *) node;
+ }
if (state->opacity == 0xFF
&& !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
@@ -820,7 +832,7 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
nest ? 0 : render->offset_y);
if (lateclip)
- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, &render->bbox);
+ rsvg_cairo_clip (ctx, lateclip, &render->bbox);
cairo_set_operator (render->cr, state->comp_op);
Index: librsvg-2.40.10/rsvg-mask.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.c
+++ librsvg-2.40.10/rsvg-mask.c
@@ -102,23 +102,6 @@ rsvg_get_url_string (const char *str)
return NULL;
}
-RsvgNode *
-rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
-{
- char *name;
-
- name = rsvg_get_url_string (str);
- if (name) {
- RsvgNode *val;
- val = rsvg_defs_lookup (defs, name);
- g_free (name);
-
- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_CLIP_PATH)
- return val;
- }
- return NULL;
-}
-
static void
rsvg_clip_path_set_atts (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag * atts)
{
Index: librsvg-2.40.10/rsvg-mask.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.h
+++ librsvg-2.40.10/rsvg-mask.h
@@ -58,8 +58,6 @@ struct _RsvgClipPath {
G_GNUC_INTERNAL
RsvgNode *rsvg_new_clip_path (void);
-G_GNUC_INTERNAL
-RsvgNode *rsvg_clip_path_parse (const RsvgDefs * defs, const char *str);
G_END_DECLS
#endif
Index: librsvg-2.40.10/rsvg-styles.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.c
+++ librsvg-2.40.10/rsvg-styles.c
@@ -149,7 +149,7 @@ rsvg_state_init (RsvgState * state)
state->visible = TRUE;
state->cond_true = TRUE;
state->filter = NULL;
- state->clip_path_ref = NULL;
+ state->clip_path = NULL;
state->startMarker = NULL;
state->middleMarker = NULL;
state->endMarker = NULL;
@@ -222,6 +222,7 @@ rsvg_state_clone (RsvgState * dst, const
*dst = *src;
dst->parent = parent;
dst->mask = g_strdup (src->mask);
+ dst->clip_path = g_strdup (src->clip_path);
dst->font_family = g_strdup (src->font_family);
dst->lang = g_strdup (src->lang);
rsvg_paint_server_ref (dst->fill);
@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
}
if (inherituninheritables) {
- dst->clip_path_ref = src->clip_path_ref;
+ g_free (dst->clip_path);
+ dst->clip_path = g_strdup (src->clip_path);
g_free (dst->mask);
dst->mask = g_strdup (src->mask);
dst->enable_background = src->enable_background;
@@ -447,6 +449,7 @@ void
rsvg_state_finalize (RsvgState * state)
{
g_free (state->mask);
+ g_free (state->clip_path);
g_free (state->font_family);
g_free (state->lang);
rsvg_paint_server_unref (state->fill);
@@ -524,7 +527,8 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
g_free (state->mask);
state->mask = rsvg_get_url_string (value);
} else if (g_str_equal (name, "clip-path")) {
- state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
+ g_free (state->clip_path);
+ state->clip_path = rsvg_get_url_string (value);
} else if (g_str_equal (name, "overflow")) {
if (!g_str_equal (value, "inherit")) {
state->overflow = rsvg_css_parse_overflow (value, &state->has_overflow);
Index: librsvg-2.40.10/rsvg-styles.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.h
+++ librsvg-2.40.10/rsvg-styles.h
@@ -81,7 +81,7 @@ struct _RsvgState {
RsvgFilter *filter;
char *mask;
- void *clip_path_ref;
+ char *clip_path;
guint8 adobe_blend; /* 0..11 */
guint8 opacity; /* 0..255 */

223
meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch Normal file
View File

@ -0,0 +1,223 @@
From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Wed, 7 Oct 2015 08:45:37 +0200
Subject: [PATCH] rsvg: Add rsvg_acquire_node()
This function does proper recursion checks when looking up resources
from URLs and thereby helps avoiding infinite loops when cyclic
references span multiple types of elements.
Upstream-status: Backport
https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
CVE: CVE-2015-7558
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
rsvg-base.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
rsvg-cairo-draw.c | 15 +++++++++++----
rsvg-cairo-render.c | 1 +
rsvg-filter.c | 9 +++++++--
rsvg-private.h | 5 +++++
5 files changed, 79 insertions(+), 6 deletions(-)
Index: librsvg-2.40.10/rsvg-base.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-base.c
+++ librsvg-2.40.10/rsvg-base.c
@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
g_slist_free (handle->drawsub_stack);
g_slist_free (handle->ptrs);
+ g_warn_if_fail (handle->acquired_nodes == NULL);
+ g_slist_free (handle->acquired_nodes);
if (handle->base_uri)
g_free (handle->base_uri);
@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
ctx->render->push_discrete_layer (ctx);
}
+/*
+ * rsvg_acquire_node:
+ * @ctx: The drawing context in use
+ * @url: The IRI to lookup
+ *
+ * Use this function when looking up urls to other nodes. This
+ * function does proper recursion checking and thereby avoids
+ * infinite loops.
+ *
+ * Nodes acquired by this function must be released using
+ * rsvg_release_node() in reverse acquiring order.
+ *
+ * Returns: The node referenced by @url or %NULL if the @url
+ * does not reference a node.
+ */
+RsvgNode *
+rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
+{
+ RsvgNode *node;
+
+ node = rsvg_defs_lookup (ctx->defs, url);
+ if (node == NULL)
+ return NULL;
+
+ if (g_slist_find (ctx->acquired_nodes, node))
+ return NULL;
+
+ ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
+
+ return node;
+}
+
+/*
+ * rsvg_release_node:
+ * @ctx: The drawing context the node was acquired from
+ * @node: Node to release
+ *
+ * Releases a node previously acquired via rsvg_acquire_node().
+ *
+ * if @node is %NULL, this function does nothing.
+ */
+void
+rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
+{
+ if (node == NULL)
+ return;
+
+ g_return_if_fail (ctx->acquired_nodes != NULL);
+ g_return_if_fail (ctx->acquired_nodes->data == node);
+
+ ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
+}
+
void
rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
{
Index: librsvg-2.40.10/rsvg-cairo-draw.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
+++ librsvg-2.40.10/rsvg-cairo-draw.c
@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
if (rsvg_current_state (ctx)->clip_path) {
RsvgNode *node;
- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
RsvgClipPath *clip_path = (RsvgClipPath *) node;
@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
}
}
+
+ rsvg_release_node (ctx, node);
}
if (state->opacity == 0xFF
@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
if (rsvg_current_state (ctx)->clip_path) {
RsvgNode *node;
- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
&& ((RsvgClipPath *) node)->units == objectBoundingBox)
lateclip = (RsvgClipPath *) node;
+ else
+ rsvg_release_node (ctx, node);
}
if (state->opacity == 0xFF
@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
nest ? 0 : render->offset_x,
nest ? 0 : render->offset_y);
- if (lateclip)
+ if (lateclip) {
rsvg_cairo_clip (ctx, lateclip, &render->bbox);
+ rsvg_release_node (ctx, (RsvgNode *) lateclip);
+ }
cairo_set_operator (render->cr, state->comp_op);
if (state->mask) {
RsvgNode *mask;
- mask = rsvg_defs_lookup (ctx->defs, state->mask);
+ mask = rsvg_acquire_node (ctx, state->mask);
if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+ rsvg_release_node (ctx, mask);
} else if (state->opacity != 0xFF)
cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
else
Index: librsvg-2.40.10/rsvg-cairo-render.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-cairo-render.c
+++ librsvg-2.40.10/rsvg-cairo-render.c
@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
draw->pango_context = NULL;
draw->drawsub_stack = NULL;
draw->ptrs = NULL;
+ draw->acquired_nodes = NULL;
rsvg_state_push (draw);
state = rsvg_current_state (draw);
Index: librsvg-2.40.10/rsvg-filter.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-filter.c
+++ librsvg-2.40.10/rsvg-filter.c
@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
RsvgDrawingCtx *ctx;
RsvgFilterPrimitiveImage *upself;
RsvgNode *drawable;
+ cairo_surface_t *result;
ctx = context->ctx;
@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
if (!upself->href)
return NULL;
- drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
+ drawable = rsvg_acquire_node (ctx, upself->href->str);
if (!drawable)
return NULL;
rsvg_current_state (ctx)->affine = context->paffine;
- return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
+ result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
+
+ rsvg_release_node (ctx, drawable);
+
+ return result;
}
static cairo_surface_t *
Index: librsvg-2.40.10/rsvg-private.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-private.h
+++ librsvg-2.40.10/rsvg-private.h
@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
GSList *vb_stack;
GSList *drawsub_stack;
GSList *ptrs;
+ GSList *acquired_nodes;
};
/*Abstract base class for context for our backends (one as yet)*/
@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer (RsvgDra
G_GNUC_INTERNAL
void rsvg_push_discrete_layer (RsvgDrawingCtx * ctx);
G_GNUC_INTERNAL
+RsvgNode *rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url);
+G_GNUC_INTERNAL
+void rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node);
+G_GNUC_INTERNAL
void rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path);
G_GNUC_INTERNAL
void rsvg_render_surface (RsvgDrawingCtx * ctx, cairo_surface_t *surface,

6
meta/recipes-gnome/librsvg/librsvg_2.40.6.bb
View File

@ -14,7 +14,11 @@ inherit autotools pkgconfig gnomebase gtk-doc pixbufcache
GNOME_COMPRESS_TYPE = "xz"
SRC_URI += "file://gtk-option.patch"
SRC_URI += "file://gtk-option.patch \
file://CVE-2015-7558_1.patch \
file://CVE-2015-7558_2.patch \
file://CVE-2015-7558_3.patch \
"
SRC_URI[archive.md5sum] = "259fd160b47ec11f3c27d7e18e507c99"
SRC_URI[archive.sha256sum] = "8af349f241677b04b7a1ea6b9b33a6343e781bcccc8a09d00208a47342584f06"