Blame SOURCES/cairo-1.15.12-CVE-2020-35492.patch

From 40e9d1a0a69f01b55b4fa131bc253c7c09a0ae91 Mon Sep 17 00:00:00 2001
From: Heiko Lewin <heiko.lewin@worldiety.de>
Date: Tue, 15 Dec 2020 16:48:19 +0100
Subject: [PATCH 1/2] Fix mask usage in image-compositor
---
 src/cairo-image-compositor.c                |   8 ++--
 test/Makefile.sources                       |   1 +
 test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
 test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
 4 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 test/bug-image-compositor.c
 create mode 100644 test/reference/bug-image-compositor.ref.png
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index 122a8ca42..b20e2ec78 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 		    unsigned num_spans)
 {
     cairo_image_span_renderer_t *r = abstract_renderer;
-    uint8_t *m;
+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
     int x0;
 
     if (num_spans == 0)
 	return CAIRO_STATUS_SUCCESS;
 
     x0 = spans[0].x;
-    m = r->_buf;
+    m = base;
     do {
 	int len = spans[1].x - spans[0].x;
 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
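Review bot: `base` is taken from `pixman_image_get_data (r->mask)` with no check that `r->mask` is set, and nothing in this hunk bounds the later `*m++` writes against the mask image's width, so the fix rests on an invariant established outside the hunk: the renderer must always carry a mask row at least as wide as any span run passed to this function. That invariant is worth stating at the declaration, e.g. `/* m indexes the A8 mask row of r->mask, which must cover the whole span run; writing through the old r->_buf scratch buffer apparently overran it (CVE-2020-35492) */`, so the next person does not reintroduce a fixed-size buffer here. The new cast is spelled `(uint8_t*)pixman_image_get_data(r->mask)`, whereas the surrounding code puts a space before every argument list; `(uint8_t *) pixman_image_get_data (r->mask)` would match the file. _inplace_src_spans begins before this hunk and its body continues past it.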
@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 				      spans[0].x, y,
 				      spans[1].x - spans[0].x, h);
 
-	    m = r->_buf;
+	    m = base;
 	    x0 = spans[1].x;
 	} else if (spans[0].coverage == 0x0) {
 	    if (spans[0].x != x0) {
@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 #endif
 	    }
 
-	    m = r->_buf;
+	    m = base;
 	    x0 = spans[1].x;
 	} else {
 	    *m++ = spans[0].coverage;
diff --git a/test/Makefile.sources b/test/Makefile.sources
index c47131faf..86fd53d15 100644
--- a/test/Makefile.sources
+++ b/test/Makefile.sources
@@ -33,6 +33,7 @@ test_sources = \
 	bug-source-cu.c					\
 	bug-extents.c					\
 	bug-seams.c					\
+	bug-image-compositor.c				\
 	caps.c						\
 	checkerboard.c					\
 	caps-joins.c					\
diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
new file mode 100644
index 000000000..fc4fd370b
--- /dev/null
+++ b/test/bug-image-compositor.c
@@ -0,0 +1,39 @@
+#include "cairo-test.h"
+
+static cairo_test_status_t
+draw (cairo_t *cr, int width, int height)
+{
+    cairo_set_source_rgb (cr, 0., 0., 0.);
+    cairo_paint (cr);
+
+    cairo_set_source_rgb (cr, 1., 1., 1.);
+    cairo_set_line_width (cr, 1.);
+
+    cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
+    cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
+    cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
+    cairo_set_source (cr, p);
+
+    cairo_move_to (cr, 0.5, -1);
+    for (int i = 0; i < width; i+=3) {
+	cairo_rel_line_to (cr, 2, 2);
+	cairo_rel_line_to (cr, 1, -2);
+    }
+
+    cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
+    cairo_stroke (cr);
+
+    cairo_pattern_destroy(p);
+
+    return CAIRO_TEST_SUCCESS;
+}
+
+
+CAIRO_TEST (bug_image_compositor,
+	    "Crash in image-compositor",
+	    "stroke, stress", /* keywords */
+	    NULL, /* requirements */
+	    10000, 1,
+	    NULL, draw)
+	    
+	    
diff --git a/test/reference/bug-image-compositor.ref.png b/test/reference/bug-image-compositor.ref.png
new file mode 100644
index 0000000000000000000000000000000000000000..939f659d2c8620e9927a3a79f5e96fb639c418be
GIT binary patch
literal 185
zcmeAS@N?(olHy`uVBq!ia0y~yP!|BQ89A7M<o7+wF+hqf$=lt9;Xep2*t>i(P$bXO
z#WAE}&f8-f1se=_SPWL_NSx=C)BnJ0eBr6Z%1egFEOv(*t#+|{>X&v^RS7GQe(vez
lf)$wgmAfM(p2Sx&&i!{gWy)N&qd=P(JYD@<);T3K0RWsgHuC@g
literal 0
HcmV?d00001
-- 
2.34.1
From afc23bfdc3c2597b9fe0ee34b9b4bfa47fa03698 Mon Sep 17 00:00:00 2001
From: Heiko Lewin <heiko.lewin@worldiety.de>
Date: Tue, 15 Dec 2020 17:14:18 +0100
Subject: [PATCH 2/2] Minor cleanups
---
 test/bug-image-compositor.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
index fc4fd370b..304ea089c 100644
--- a/test/bug-image-compositor.c
+++ b/test/bug-image-compositor.c
@@ -1,5 +1,34 @@
+/*
+ * Copyright © 2020 Uli Schlachter, Heiko Lewin
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ * Author: Uli Schlachter <psychon@znc.in>
+ * Author: Heiko Lewin <hlewin@gmx.de>
+ */
 #include "cairo-test.h"
 
+
+/* This test reproduces an overflow of a mask-buffer in cairo-image-compositor.c */
+
 static cairo_test_status_t
 draw (cairo_t *cr, int width, int height)
 {
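Review bot: The new file comment `/* This test reproduces an overflow of a mask-buffer in cairo-image-compositor.c */` names neither the function nor the bug identifier, which is what someone bisecting a regression will search for; the first patch in this series changes `_inplace_src_spans` and the patch file itself carries the CVE number, so something like `/* Reproduces CVE-2020-35492: _inplace_src_spans () in cairo-image-compositor.c used to write span coverage into r->_buf instead of the mask image, and the stroke below overruns that buffer. */` would be more useful. Whether the near-solid gradient and the OPERATOR_SOURCE zig-zag stroke are each required to reach that path is not visible here, so any sentence about why the drawing triggers the bug should be phrased as the author's understanding rather than fact. draw() continues below the hunk.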
@@ -13,6 +42,7 @@ draw (cairo_t *cr, int width, int height)
     cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
     cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
     cairo_set_source (cr, p);
+    cairo_pattern_destroy(p);
 
     cairo_move_to (cr, 0.5, -1);
     for (int i = 0; i < width; i+=3) {
@@ -23,8 +53,6 @@ draw (cairo_t *cr, int width, int height)
     cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
     cairo_stroke (cr);
 
-    cairo_pattern_destroy(p);
-
     return CAIRO_TEST_SUCCESS;
 }
 
@@ -36,4 +64,3 @@ CAIRO_TEST (bug_image_compositor,
 	    10000, 1,
 	    NULL, draw)
 	    
-	    
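Review bot: One whitespace-only line (a tab and four spaces) still follows the `CAIRO_TEST (...)` macro after this hunk removes its twin, so the file still ends in trailing whitespace rather than directly after `NULL, draw)`; drop that remaining line as well. Nothing else in the hunk changes.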
-- 
2.34.1