diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/gtk.scm | 12 | ||||
-rw-r--r-- | gnu/packages/patches/cairo-CVE-2016-9082.patch | 122 | ||||
-rw-r--r-- | gnu/packages/pdf.scm | 11 |
4 files changed, 146 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 49609cd68f..9d0e4c5094 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -489,6 +489,7 @@ dist_patch_DATA = \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/binutils-mips-bash-bug.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2016-9082.patch \ %D%/packages/patches/calibre-drop-unrar.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/cdparanoia-fpic.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 17bd9c9b00..8a258b54cc 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -100,6 +100,7 @@ tools have full access to view and control running applications.") (define-public cairo (package (name "cairo") + (replacement cairo/fixed) (version "1.14.6") (source (origin (method url-fetch) @@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).") (package (inherit cairo) (name "cairo-xcb") + (source (origin + (inherit (package-source cairo)) + (patches (search-patches "cairo-CVE-2016-9082.patch")))) + (replacement #f) (inputs `(("mesa" ,mesa) ,@(package-inputs cairo))) @@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).") '("--enable-xlib-xcb" "--enable-gl" "--enable-egl"))) (synopsis "2D graphics library (with X11 support)"))) +(define cairo/fixed + (package + (inherit cairo) + (source (origin + (inherit (package-source cairo)) + (patches (search-patches "cairo-CVE-2016-9082.patch")))))) + (define-public harfbuzz (package (name "harfbuzz") diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch new file mode 100644 index 0000000000..ad83404194 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch @@ -0,0 +1,122 @@ +From: Adrian Johnson <ajohnson@redneon.com> +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +bug report: https://bugs.freedesktop.org/show_bug.cgi?id=98165 +patch: https://bugs.freedesktop.org/attachment.cgi?id=127421 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c +index 7fdbf79..4804dea 100644 +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" + ++#include <stddef.h> + #include <stdlib.h> + #include <ctype.h> + #include <assert.h> +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image = NULL; +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 48072f8..3ca0006 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h +index 8ca694c..7e78d61 100644 +--- a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { + + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; + + unsigned owns_data : 1; +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c +index 1b63ca8..e7f0db6 100644 +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride, + tg += tg >> 16; + tb += tb >> 16; + +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +diff --git a/src/cairo-png.c b/src/cairo-png.c +index 562b743..aa8c227 100644 +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) + } + + for (i = 0; i < png_height; i++) +- row_pointers[i] = &data[i * stride]; ++ row_pointers[i] = &data[i * (ptrdiff_t)stride]; + + png_read_image (png, row_pointers); + png_read_end (png, info); +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c +index ea0117d..91e4baa 100644 +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1202,7 +1202,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; +-- +2.1.4 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 39f4d021de..6442f08af9 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -95,6 +95,17 @@ ;; To build poppler-glib (as needed by Evince), we need Cairo and ;; GLib. But of course, that Cairo must not depend on Poppler. ("cairo" ,(package (inherit cairo) + (replacement + (package + (inherit cairo) + (replacement #f) + (source + (origin + (inherit (package-source cairo)) + (patches (search-patches + "cairo-CVE-2016-9082.patch")))) + (inputs (alist-delete "poppler" + (package-inputs cairo))))) (inputs (alist-delete "poppler" (package-inputs cairo))))) ("glib" ,glib))) |