1Fix stack buffer overflow.
2
3CVE: CVE-2020-35492
4Upstream-Status: Backport
5Signed-off-by: Ross Burton <ross.burton@arm.com>
6
7From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
8From: Heiko Lewin <heiko.lewin@worldiety.de>
9Date: Tue, 15 Dec 2020 16:48:19 +0100
10Subject: [PATCH] Fix mask usage in image-compositor
11
12---
13 src/cairo-image-compositor.c                |   8 ++--
14 test/Makefile.sources                       |   1 +
15 test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
16 test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
17 4 files changed, 44 insertions(+), 4 deletions(-)
18 create mode 100644 test/bug-image-compositor.c
19 create mode 100644 test/reference/bug-image-compositor.ref.png
20
21diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
22index 79ad69f68..4f8aaed99 100644
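--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 		    unsigned num_spans)
 {
     cairo_image_span_renderer_t *r = abstract_renderer;
-    uint8_t *m;
+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
     int x0;
 
     if (num_spans == 0)
 	return CAIRO_STATUS_SUCCESS;
 
     x0 = spans[0].x;
-    m = r->_buf;
+    m = base;
     do {
 	int len = spans[1].x - spans[0].x;
 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 				      spans[0].x, y,
 				      spans[1].x - spans[0].x, h);
 
-	    m = r->_buf;
+	    m = base;
 	    x0 = spans[1].x;
 	} else if (spans[0].coverage == 0x0) {
 	    if (spans[0].x != x0) {
@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 #endif
 	    }
 
-	    m = r->_buf;
+	    m = base;
 	    x0 = spans[1].x;
 	} else {
 	    *m++ = spans[0].coverage;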
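Review bot: The store in the last hunk's else branch, `*m++ = spans[0].coverage;`, is still unbounded and now lands in the mask image's own pixel storage, yet nothing in the visible lines states how large that storage has to be. Since this change fixes a stack overflow, the invariant deserves a comment at the declaration, for example `/* base: a8 data of r->mask; must hold one full row of the composite extents, writes below are unchecked */`. The result of `pixman_image_get_data(r->mask)` is also used without a check; the mask is presumably always a bits image here, but its setup is outside these hunks, so `assert (base != NULL);` after the declaration would make that assumption explicit. The diffstat lists `test/bug-image-compositor.c`, but no section for it appears in the patch as shown, so the regression test may not have been carried into this backport. `_inplace_src_spans` starts before the first hunk and continues past the last one.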
60--
61