aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/pixman-CVE-2016-5296.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/pixman-CVE-2016-5296.patch')
-rw-r--r--gnu/packages/patches/pixman-CVE-2016-5296.patch19
1 files changed, 19 insertions, 0 deletions
diff --git a/gnu/packages/patches/pixman-CVE-2016-5296.patch b/gnu/packages/patches/pixman-CVE-2016-5296.patch
new file mode 100644
index 0000000000..21942326ae
--- /dev/null
+++ b/gnu/packages/patches/pixman-CVE-2016-5296.patch
@@ -0,0 +1,19 @@
+Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
+Adapted for upstream pixman based on:
+
+ https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded
+
+--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig 2015-06-30 05:48:31.000000000 -0400
++++ pixman-0.34.0/pixman/pixman-edge-imp.h 2016-11-16 01:09:34.046335106 -0500
+@@ -55,8 +55,9 @@
+ *
+ * (The AA case does a similar adjustment in RENDER_SAMPLES_X)
+ */
+- lx += X_FRAC_FIRST(1) - pixman_fixed_e;
+- rx += X_FRAC_FIRST(1) - pixman_fixed_e;
++ /* we cast to unsigned to get defined behaviour for overflow */
++ lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e;
++ rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e;
+ #endif
+ /* clip X */
+ if (lx < 0)