xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593SmuzhiyunFix stack buffer overflow.
2*4882a593Smuzhiyun
3*4882a593SmuzhiyunCVE: CVE-2020-35492
4*4882a593SmuzhiyunUpstream-Status: Backport
5*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com>
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunFrom 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
8*4882a593SmuzhiyunFrom: Heiko Lewin <heiko.lewin@worldiety.de>
9*4882a593SmuzhiyunDate: Tue, 15 Dec 2020 16:48:19 +0100
10*4882a593SmuzhiyunSubject: [PATCH] Fix mask usage in image-compositor
11*4882a593Smuzhiyun
12*4882a593Smuzhiyun---
13*4882a593Smuzhiyun src/cairo-image-compositor.c                |   8 ++--
14*4882a593Smuzhiyun test/Makefile.sources                       |   1 +
15*4882a593Smuzhiyun test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
16*4882a593Smuzhiyun test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
17*4882a593Smuzhiyun 4 files changed, 44 insertions(+), 4 deletions(-)
18*4882a593Smuzhiyun create mode 100644 test/bug-image-compositor.c
19*4882a593Smuzhiyun create mode 100644 test/reference/bug-image-compositor.ref.png
20*4882a593Smuzhiyun
21*4882a593Smuzhiyundiff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
22*4882a593Smuzhiyunindex 79ad69f68..4f8aaed99 100644
23*4882a593Smuzhiyun--- a/src/cairo-image-compositor.c
24*4882a593Smuzhiyun+++ b/src/cairo-image-compositor.c
25*4882a593Smuzhiyun@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
26*4882a593Smuzhiyun 		    unsigned num_spans)
27*4882a593Smuzhiyun {
28*4882a593Smuzhiyun     cairo_image_span_renderer_t *r = abstract_renderer;
29*4882a593Smuzhiyun-    uint8_t *m;
30*4882a593Smuzhiyun+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
31*4882a593Smuzhiyun     int x0;
32*4882a593Smuzhiyun
33*4882a593Smuzhiyun     if (num_spans == 0)
34*4882a593Smuzhiyun 	return CAIRO_STATUS_SUCCESS;
35*4882a593Smuzhiyun
36*4882a593Smuzhiyun     x0 = spans[0].x;
37*4882a593Smuzhiyun-    m = r->_buf;
38*4882a593Smuzhiyun+    m = base;
39*4882a593Smuzhiyun     do {
40*4882a593Smuzhiyun 	int len = spans[1].x - spans[0].x;
41*4882a593Smuzhiyun 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
42*4882a593Smuzhiyun@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
43*4882a593Smuzhiyun 				      spans[0].x, y,
44*4882a593Smuzhiyun 				      spans[1].x - spans[0].x, h);
45*4882a593Smuzhiyun
46*4882a593Smuzhiyun-	    m = r->_buf;
47*4882a593Smuzhiyun+	    m = base;
48*4882a593Smuzhiyun 	    x0 = spans[1].x;
49*4882a593Smuzhiyun 	} else if (spans[0].coverage == 0x0) {
50*4882a593Smuzhiyun 	    if (spans[0].x != x0) {
51*4882a593Smuzhiyun@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
52*4882a593Smuzhiyun #endif
53*4882a593Smuzhiyun 	    }
54*4882a593Smuzhiyun
55*4882a593Smuzhiyun-	    m = r->_buf;
56*4882a593Smuzhiyun+	    m = base;
57*4882a593Smuzhiyun 	    x0 = spans[1].x;
58*4882a593Smuzhiyun 	} else {
59*4882a593Smuzhiyun 	    *m++ = spans[0].coverage;
60*4882a593Smuzhiyun--
61