Diffstat (limited to 'meta/recipes-graphics')
58 files changed, 4263 insertions, 30 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch index 5232cf70c6..a2dba6cb20 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch @@ -1,19 +1,20 @@ -There is a potential infinite-loop in function _arc_error_normalized(). +There is an assertion in function _cairo_arc_in_direction(). CVE: CVE-2019-6461 Upstream-Status: Pending Signed-off-by: Ross Burton <ross.burton@intel.com> diff --git a/src/cairo-arc.c b/src/cairo-arc.c -index 390397bae..f9249dbeb 100644 +index 390397bae..1bde774a4 100644 --- a/src/cairo-arc.c +++ b/src/cairo-arc.c -@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) - do { - angle = M_PI / i++; - error = _arc_error_normalized (angle); -- } while (error > tolerance); -+ } while (error > tolerance && error > __DBL_EPSILON__); +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; - return angle; - } +- assert (angle_max >= angle_min); ++ if (angle_max < angle_min) ++ return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch index 4e4598c5b5..7c3209291b 100644 --- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch 
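Review bot: The rewritten CVE-2019-6461.patch swaps `assert (angle_max >= angle_min)` for a bare `return`, so an inverted angle range is now skipped silently and, as far as the quoted hunk shows, nothing is recorded on the context that a caller checking `cairo_status (cr)` could see; the patch header should state that, e.g. `Replaces the assertion with an early return; the arc is dropped and no error status is set on the context.` The header also keeps `Upstream-Status: Pending` and names no upstream commit or bug, while the sibling CVE-2019-6462.patch in this same commit is promoted to a Backport with its upstream commit id; if an upstream fix for this assertion exists it should be referenced the same way, otherwise a link to the upstream report should accompany the Pending status so the two cairo patches are auditable side by side. The body of `_cairo_arc_in_direction` extends outside the quoted hunk.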
@@ -1,20 +1,40 @@ -There is an assertion in function _cairo_arc_in_direction(). - CVE: CVE-2019-6462 -Upstream-Status: Pending -Signed-off-by: Ross Burton <ross.burton@intel.com> +Upstream-Status: Backport +Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> + +From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <hlewin@gmx.de> +Date: Sun, 1 Aug 2021 11:16:03 +0000 +Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop + +--- + src/cairo-arc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/cairo-arc.c b/src/cairo-arc.c -index 390397bae..1bde774a4 100644 +index 390397bae..1c891d1a0 100644 --- a/src/cairo-arc.c +++ b/src/cairo-arc.c -@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, - if (cairo_status (cr)) - return; +@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + { M_PI / 11.0, 9.81410988043554039085e-09 }, + }; + int table_size = ARRAY_LENGTH (table); ++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ -- assert (angle_max >= angle_min); -+ if (angle_max < angle_min) -+ return; + for (i = 0; i < table_size; i++) + if (table[i].error < tolerance) + return table[i].angle; - if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { - angle_max = fmod (angle_max - angle_min, 2 * M_PI); + ++i; ++ + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && i < max_segments); + + return angle; + } +-- +2.38.1 + diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..800d77579e --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch 
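Review bot: `Upstream-Status: Backport` in the new CVE-2019-6462.patch header carries no reference to the upstream commit, unlike the freetype patch added by this same commit which uses the `Backport [URL]` form; the From line already names ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0, so the status should read `Upstream-Status: Backport [<upstream cairo commit URL for ab2c5ee21e5f>]`. Worth a sentence in the header as well is that the termination condition changed from the previous `error > __DBL_EPSILON__` guard to a hard cap of `max_segments` iterations, so the loop now returns the last computed angle even when `error` is still above `tolerance`; that is the upstream behaviour, but it is not obvious from the CVE description alone. The body of `_arc_max_angle_for_tolerance_normalized` starts before the quoted hunk.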
@@ -0,0 +1,40 @@ +From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Mon, 14 Nov 2022 19:18:19 +0100 +Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer + overflow. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 + +Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611] +CVE: CVE-2023-2004 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/truetype/ttgxvar.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c +index 78d87dc..258d701 100644 +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -43,6 +43,7 @@ + #include FT_INTERNAL_DEBUG_H + #include FT_CONFIG_CONFIG_H + #include FT_INTERNAL_STREAM_H ++#include <freetype/internal/ftcalc.h> + #include FT_INTERNAL_SFNT_H + #include FT_TRUETYPE_TAGS_H + #include FT_TRUETYPE_IDS_H +@@ -1065,7 +1066,7 @@ + delta == 1 ? "" : "s", + vertical ? "VVAR" : "HVAR" )); + +- *avalue += delta; ++ *avalue = ADD_INT( *avalue, delta ); + + Exit: + return error; +-- +2.17.1 diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb index 72001c529a..6af744b981 100644 --- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb @@ -18,6 +18,7 @@ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://CVE-2022-27404.patch \ file://CVE-2022-27405.patch \ file://CVE-2022-27406.patch \ + file://CVE-2023-2004.patch \ " SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f" SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f" diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch new file mode 100644 index 0000000000..90d4cfefb4 --- /dev/null 
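Review bot: The backported hunk inserts `#include <freetype/internal/ftcalc.h>` between `FT_INTERNAL_*_H` macro includes; the upstream commit targets a newer tree that dropped the macro style, whereas the surrounding 2.10.1 code uses the macro form, so `#include FT_INTERNAL_CALC_H` would match the file's convention (confirm the macro is defined in this version's ftheader.h before switching). More important to verify is that ftcalc.h in the 2.10.1 tree actually provides `ADD_INT`: the upstream diffstat touches only ttgxvar.c, so the macro is assumed to pre-exist, and if it does not the patched file fails to build and the backport would need to carry the macro definition too. The patch header should record which of these was checked, e.g. `Backport note: ADD_INT is provided by ftcalc.h in 2.10.1` or the adjustment that was made. The body of `tt_hvadvance_adjust` lies outside the quoted hunk.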
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch 
@@ -0,0 +1,335 @@ +From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <behdad@behdad.org> +Date: Sat, 4 Dec 2021 19:50:33 -0800 +Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT + +Fixes https://github.com/harfbuzz/harfbuzz/issues/1463 +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8] +Comment1: To backport the fix for CVE-2023-25193, add defination for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with CVE-2023-25193-pre1.patch for sucessfull porting. +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/hb-buffer.cc | 10 ++--- + src/hb-buffer.h | 76 ++++++++++++++++++++++++++++++------ + src/hb-buffer.hh | 33 ++++++++++------ + src/hb-ot-layout-gsubgpos.hh | 39 +++++++++++++++--- + src/hb-ot-shape.cc | 8 +--- + 5 files changed, 124 insertions(+), 42 deletions(-) + +diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc +index 6131c86..bba5eae 100644 +--- a/src/hb-buffer.cc ++++ b/src/hb-buffer.cc +@@ -610,14 +610,14 @@ done: + } + + void +-hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end) ++hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, hb_mask_t mask) + { + unsigned int cluster = (unsigned int) -1; + cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster); +- _unsafe_to_break_set_mask (info, start, end, cluster); ++ _unsafe_to_break_set_mask (info, start, end, cluster, mask); + } + void +-hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end) ++hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, hb_mask_t mask) + { + if (!have_output) + { +@@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en + unsigned int cluster = (unsigned int) -1; + cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, cluster); + cluster = 
_unsafe_to_break_find_min_cluster (info, idx, end, cluster); +- _unsafe_to_break_set_mask (out_info, start, out_len, cluster); +- _unsafe_to_break_set_mask (info, idx, end, cluster); ++ _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask); ++ _unsafe_to_break_set_mask (info, idx, end, cluster, mask); + } + + void +diff --git a/src/hb-buffer.h b/src/hb-buffer.h +index d5cb746..42dc92a 100644 +--- a/src/hb-buffer.h ++++ b/src/hb-buffer.h +@@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t + * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at the + * beginning of the cluster this glyph is part of, + * then both sides need to be re-shaped, as the +- * result might be different. On the flip side, +- * it means that when this flag is not present, +- * then it's safe to break the glyph-run at the +- * beginning of this cluster, and the two sides +- * represent the exact same result one would get +- * if breaking input text at the beginning of +- * this cluster and shaping the two sides +- * separately. This can be used to optimize +- * paragraph layout, by avoiding re-shaping +- * of each line after line-breaking, or limiting +- * the reshaping to a small piece around the +- * breaking point only. ++ * result might be different. ++ * ++ * On the flip side, it means that when this ++ * flag is not present, then it is safe to break ++ * the glyph-run at the beginning of this ++ * cluster, and the two sides will represent the ++ * exact same result one would get if breaking ++ * input text at the beginning of this cluster ++ * and shaping the two sides separately. ++ * ++ * This can be used to optimize paragraph ++ * layout, by avoiding re-shaping of each line ++ * after line-breaking. ++ * ++ * @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT: Indicates that if input text is changed on one ++ * side of the beginning of the cluster this glyph ++ * is part of, then the shaping results for the ++ * other side might change. 
++ * ++ * Note that the absence of this flag will NOT by ++ * itself mean that it IS safe to concat text. ++ * Only two pieces of text both of which clear of ++ * this flag can be concatenated safely. ++ * ++ * This can be used to optimize paragraph ++ * layout, by avoiding re-shaping of each line ++ * after line-breaking, by limiting the ++ * reshaping to a small piece around the ++ * breaking positin only, even if the breaking ++ * position carries the ++ * #HB_GLYPH_FLAG_UNSAFE_TO_BREAK or when ++ * hyphenation or other text transformation ++ * happens at line-break position, in the following ++ * way: ++ * ++ * 1. Iterate back from the line-break position till ++ * the the first cluster start position that is ++ * NOT unsafe-to-concat, 2. shape the segment from ++ * there till the end of line, 3. check whether the ++ * resulting glyph-run also is clear of the ++ * unsafe-to-concat at its start-of-text position; ++ * if it is, just splice it into place and the line ++ * is shaped; If not, move on to a position further ++ * back that is clear of unsafe-to-concat and retry ++ * from there, and repeat. ++ * ++ * At the start of next line a similar algorithm can ++ * be implemented. A slight complication will arise, ++ * because while our buffer API has a way to ++ * return flags for position corresponding to ++ * start-of-text, there is currently no position ++ * corresponding to end-of-text. This limitation ++ * can be alleviated by shaping more text than needed ++ * and looking for unsafe-to-concat flag within text ++ * clusters. ++ * ++ * The #HB_GLYPH_FLAG_UNSAFE_TO_BREAK flag will ++ * always imply this flag. ++ * ++ * Since: REPLACEME ++ * + * @HB_GLYPH_FLAG_DEFINED: All the currently defined flags. 
+ * + * Since: 1.5.0 + */ + typedef enum { /*< flags >*/ + HB_GLYPH_FLAG_UNSAFE_TO_BREAK = 0x00000001, ++ HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002, + +- HB_GLYPH_FLAG_DEFINED = 0x00000001 /* OR of all defined flags */ ++ HB_GLYPH_FLAG_DEFINED = 0x00000003 /* OR of all defined flags */ + } hb_glyph_flags_t; + + HB_EXTERN hb_glyph_flags_t +diff --git a/src/hb-buffer.hh b/src/hb-buffer.hh +index b5596d9..beac7b6 100644 +--- a/src/hb-buffer.hh ++++ b/src/hb-buffer.hh +@@ -67,8 +67,8 @@ enum hb_buffer_scratch_flags_t { + HB_BUFFER_SCRATCH_FLAG_HAS_DEFAULT_IGNORABLES = 0x00000002u, + HB_BUFFER_SCRATCH_FLAG_HAS_SPACE_FALLBACK = 0x00000004u, + HB_BUFFER_SCRATCH_FLAG_HAS_GPOS_ATTACHMENT = 0x00000008u, +- HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK = 0x00000010u, +- HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000020u, ++ HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000010u, ++ HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS = 0x00000020u, + + /* Reserved for complex shapers' internal use. */ + HB_BUFFER_SCRATCH_FLAG_COMPLEX0 = 0x01000000u, +@@ -324,8 +324,19 @@ struct hb_buffer_t + return; + unsafe_to_break_impl (start, end); + } +- HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end); +- HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end); ++ void unsafe_to_concat (unsigned int start, ++ unsigned int end) ++ { ++ if (end - start < 2) ++ return; ++ unsafe_to_break_impl (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); ++ } ++ HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end, ++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); ++ HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, ++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); ++ void unsafe_to_concat_from_outbuffer (unsigned int start, unsigned int end) ++ { unsafe_to_break_from_outbuffer (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); } + + + /* Internal methods 
*/ +@@ -377,12 +388,7 @@ struct hb_buffer_t + set_cluster (hb_glyph_info_t &inf, unsigned int cluster, unsigned int mask = 0) + { + if (inf.cluster != cluster) +- { +- if (mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK) +- inf.mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK; +- else +- inf.mask &= ~HB_GLYPH_FLAG_UNSAFE_TO_BREAK; +- } ++ inf.mask = (inf.mask & ~HB_GLYPH_FLAG_DEFINED) | (mask & HB_GLYPH_FLAG_DEFINED); + inf.cluster = cluster; + } + +@@ -398,13 +404,14 @@ struct hb_buffer_t + void + _unsafe_to_break_set_mask (hb_glyph_info_t *infos, + unsigned int start, unsigned int end, +- unsigned int cluster) ++ unsigned int cluster, ++ hb_mask_t mask) + { + for (unsigned int i = start; i < end; i++) + if (cluster != infos[i].cluster) + { +- scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK; +- infos[i].mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK; ++ scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS; ++ infos[i].mask |= mask; + } + } + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index 579d178..a6ca456 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -369,7 +369,7 @@ struct hb_ot_apply_context_t : + may_skip (const hb_glyph_info_t &info) const + { return matcher.may_skip (c, info); } + +- bool next () ++ bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); + while (idx + num_items < end) +@@ -392,11 +392,17 @@ struct hb_ot_apply_context_t : + } + + if (skip == matcher_t::SKIP_NO) ++ { ++ if (unsafe_to) ++ *unsafe_to = idx + 1; + return false; ++ } + } ++ if (unsafe_to) ++ *unsafe_to = end; + return false; + } +- bool prev () ++ bool prev (unsigned *unsafe_from = nullptr) + { + assert (num_items > 0); + while (idx > num_items - 1) +@@ -419,8 +425,14 @@ struct hb_ot_apply_context_t : + } + + if (skip == matcher_t::SKIP_NO) ++ { ++ if (unsafe_from) ++ *unsafe_from = hb_max (1u, idx) - 1u; + return false; ++ } + } ++ if (unsafe_from) ++ *unsafe_from = 0; + return false; + } + +@@ -834,7 +846,12 
@@ static inline bool match_input (hb_ot_apply_context_t *c, + match_positions[0] = buffer->idx; + for (unsigned int i = 1; i < count; i++) + { +- if (!skippy_iter.next ()) return_trace (false); ++ unsigned unsafe_to; ++ if (!skippy_iter.next (&unsafe_to)) ++ { ++ c->buffer->unsafe_to_concat (c->buffer->idx, unsafe_to); ++ return_trace (false); ++ } + + match_positions[i] = skippy_iter.idx; + +@@ -1022,8 +1039,14 @@ static inline bool match_backtrack (hb_ot_apply_context_t *c, + skippy_iter.set_match_func (match_func, match_data, backtrack); + + for (unsigned int i = 0; i < count; i++) +- if (!skippy_iter.prev ()) ++ { ++ unsigned unsafe_from; ++ if (!skippy_iter.prev (&unsafe_from)) ++ { ++ c->buffer->unsafe_to_concat_from_outbuffer (unsafe_from, c->buffer->idx); + return_trace (false); ++ } ++ } + + *match_start = skippy_iter.idx; + +@@ -1045,8 +1068,14 @@ static inline bool match_lookahead (hb_ot_apply_context_t *c, + skippy_iter.set_match_func (match_func, match_data, lookahead); + + for (unsigned int i = 0; i < count; i++) +- if (!skippy_iter.next ()) ++ { ++ unsigned unsafe_to; ++ if (!skippy_iter.next (&unsafe_to)) ++ { ++ c->buffer->unsafe_to_concat (c->buffer->idx + offset, unsafe_to); + return_trace (false); ++ } ++ } + + *end_index = skippy_iter.idx + 1; + +diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc +index 5d9a70c..5d10b30 100644 +--- a/src/hb-ot-shape.cc ++++ b/src/hb-ot-shape.cc +@@ -1008,7 +1008,7 @@ hb_propagate_flags (hb_buffer_t *buffer) + /* Propagate cluster-level glyph flags to be the same on all cluster glyphs. + * Simplifies using them. 
*/ + +- if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK)) ++ if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS)) + return; + + hb_glyph_info_t *info = buffer->info; +@@ -1017,11 +1017,7 @@ hb_propagate_flags (hb_buffer_t *buffer) + { + unsigned int mask = 0; + for (unsigned int i = start; i < end; i++) +- if (info[i].mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK) +- { +- mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK; +- break; +- } ++ mask |= info[i].mask & HB_GLYPH_FLAG_DEFINED; + if (mask) + for (unsigned int i = start; i < end; i++) + info[i].mask |= mask; +-- +2.25.1 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch new file mode 100644 index 0000000000..4994e0ef68 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch 
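Review bot: The new hb-buffer.h documentation for `HB_GLYPH_FLAG_UNSAFE_TO_CONCAT` is carried over with upstream's placeholder `Since: REPLACEME`, which in a 2.6.4 backport misleads anyone reading the public header or the generated API docs; the line should either state the first release in which this layer's harfbuzz exposes the flag or be removed, with a comment in the patch header saying which was chosen. The hb-buffer.hh hunk also renumbers the internal `HB_BUFFER_SCRATCH_FLAG_HAS_CGJ` from 0x00000020u to 0x00000010u while replacing `HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK`; the enum is internal, but a one-line note in the header, e.g. `Renumbers internal scratch flags; no public ABI affected`, would save the next reviewer from checking. Comment1 in the patch header has two typos (`defination`, `sucessfull`) that should be fixed while it is being added. The `next()`/`prev()` and `hb_propagate_flags` bodies extend beyond the quoted hunks.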
@@ -0,0 +1,135 @@ +From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <behdad@behdad.org> +Date: Mon, 6 Feb 2023 13:08:52 -0700 +Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match() + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324] +Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP. +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/hb-ot-layout-gsubgpos.hh | 94 +++++++++++++++++++++--------------- + 1 file changed, 54 insertions(+), 40 deletions(-) + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index a6ca456..5a7e564 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -369,33 +369,52 @@ struct hb_ot_apply_context_t : + may_skip (const hb_glyph_info_t &info) const + { return matcher.may_skip (c, info); } + ++ enum match_t { ++ MATCH, ++ NOT_MATCH, ++ SKIP ++ }; ++ ++ match_t match (hb_glyph_info_t &info) ++ { ++ matcher_t::may_skip_t skip = matcher.may_skip (c, info); ++ if (unlikely (skip == matcher_t::SKIP_YES)) ++ return SKIP; ++ ++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); ++ if (match == matcher_t::MATCH_YES || ++ (match == matcher_t::MATCH_MAYBE && ++ skip == matcher_t::SKIP_NO)) ++ return MATCH; ++ ++ if (skip == matcher_t::SKIP_NO) ++ return NOT_MATCH; ++ ++ return SKIP; ++ } ++ + bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); + while (idx + num_items < end) + { + idx++; +- const hb_glyph_info_t &info = c->buffer->info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +- continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +- num_items--; +- if 
(match_glyph_data) match_glyph_data++; +- return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match (c->buffer->info[idx])) + { +- if (unsafe_to) +- *unsafe_to = idx + 1; +- return false; ++ case MATCH: ++ { ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++ } ++ case NOT_MATCH: ++ { ++ if (unsafe_to) ++ *unsafe_to = idx + 1; ++ return false; ++ } ++ case SKIP: ++ continue; + } + } + if (unsafe_to) +@@ -408,27 +427,22 @@ struct hb_ot_apply_context_t : + while (idx > num_items - 1) + { + idx--; +- const hb_glyph_info_t &info = c->buffer->out_info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +- continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) ++ switch (match (c->buffer->out_info[idx])) + { +- num_items--; +- if (match_glyph_data) match_glyph_data++; +- return true; +- } +- +- if (skip == matcher_t::SKIP_NO) +- { +- if (unsafe_from) +- *unsafe_from = hb_max (1u, idx) - 1u; +- return false; ++ case MATCH: ++ { ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++ } ++ case NOT_MATCH: ++ { ++ if (unsafe_from) ++ *unsafe_from = hb_max (1u, idx) - 1u; ++ return false; ++ } ++ case SKIP: ++ continue; + } + } + if (unsafe_from) +-- +2.25.1 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch new file mode 100644 index 0000000000..e4ac13dbad --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch 
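Review bot: The new `match()` helper takes `hb_glyph_info_t &info` by non-const reference although it only reads the glyph through `matcher.may_skip` and `matcher.may_match`; declaring it `match_t match (const hb_glyph_info_t &info)` would document that intent and allow calls on const buffers (upstream's refactor has the same signature, so this is a style remark rather than a backport error). Both `switch (match (...))` statements deliberately enumerate all three `match_t` values without a `default:`, which lets the compiler warn if a value is added later; a comment on the enum such as `/* switched on exhaustively in next()/prev(); keep in sync */` would stop a later maintainer from adding a default that silences that warning. Comment1 in the patch header repeats the `defination` typo from the pre0 patch. The `prev()` body runs past the end of the quoted hunk.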
@@ -0,0 +1,179 @@ +From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <behdad@behdad.org> +Date: Mon, 6 Feb 2023 14:51:25 -0700 +Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] +Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] causes regression and was reverted. This Patch completes the fix. +Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00 +CVE: CVE-2023-25193 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com> + +--- + src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++---------- + src/hb-ot-layout-gsubgpos.hh | 5 +- + 2 files changed, 78 insertions(+), 30 deletions(-) + +diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh +index 024312d..db5f9ae 100644 +--- a/src/hb-ot-layout-gpos-table.hh ++++ b/src/hb-ot-layout-gpos-table.hh +@@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1 + + const Coverage &get_coverage () const { return this+markCoverage; } + ++ static inline bool accept (hb_buffer_t *buffer, unsigned idx) ++ { ++ /* We only want to attach to the first of a MultipleSubst sequence. ++ * https://github.com/harfbuzz/harfbuzz/issues/740 ++ * Reject others... 
++ * ...but stop if we find a mark in the MultipleSubst sequence: ++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */ ++ return !_hb_glyph_info_multiplied (&buffer->info[idx]) || ++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) || ++ (idx == 0 || ++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) || ++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1 ++ ); ++ } ++ + bool apply (hb_ot_apply_context_t *c) const + { + TRACE_APPLY (this); +@@ -1465,37 +1484,46 @@ struct MarkBasePosFormat1 + unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint); + if (likely (mark_index == NOT_COVERED)) return_trace (false); + +- /* Now we search backwards for a non-mark glyph */ ++ /* Now we search backwards for a non-mark glyph. ++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */ ++ + hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input; +- skippy_iter.reset (buffer->idx, 1); + skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks); +- do { +- if (!skippy_iter.prev ()) return_trace (false); +- /* We only want to attach to the first of a MultipleSubst sequence. +- * https://github.com/harfbuzz/harfbuzz/issues/740 +- * Reject others... 
+- * ...but stop if we find a mark in the MultipleSubst sequence: +- * https://github.com/harfbuzz/harfbuzz/issues/1020 */ +- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) || +- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) || +- (skippy_iter.idx == 0 || +- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) || +- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx]) != +- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx - 1]) || +- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) != +- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx - 1]) + 1 +- )) +- break; +- skippy_iter.reject (); +- } while (true); ++ unsigned j; ++ for (j = buffer->idx; j > c->last_base_until; j--) ++ { ++ auto match = skippy_iter.match (buffer->info[j - 1]); ++ if (match == skippy_iter.MATCH) ++ { ++ if (!accept (buffer, j - 1)) ++ match = skippy_iter.SKIP; ++ } ++ if (match == skippy_iter.MATCH) ++ { ++ c->last_base = (signed) j - 1; ++ break; ++ } ++ } ++ c->last_base_until = buffer->idx; ++ if (c->last_base == -1) ++ { ++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1); ++ return_trace (false); ++ } ++ ++ unsigned idx = (unsigned) c->last_base; + + /* Checking that matched glyph is actually a base glyph by GDEF is too strong; disabled */ +- //if (!_hb_glyph_info_is_base_glyph (&buffer->info[skippy_iter.idx])) { return_trace (false); } ++ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); } + +- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint); +- if (base_index == NOT_COVERED) return_trace (false); ++ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint); ++ if (base_index == NOT_COVERED) ++ { ++ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1); ++ return_trace (false); ++ } + +- return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, 
classCount, skippy_iter.idx)); ++ return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, idx)); + } + + bool subset (hb_subset_context_t *c) const +@@ -1587,15 +1615,32 @@ struct MarkLigPosFormat1 + if (likely (mark_index == NOT_COVERED)) return_trace (false); + + /* Now we search backwards for a non-mark glyph */ ++ + hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input; +- skippy_iter.reset (buffer->idx, 1); + skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks); +- if (!skippy_iter.prev ()) return_trace (false); ++ ++ unsigned j; ++ for (j = buffer->idx; j > c->last_base_until; j--) ++ { ++ auto match = skippy_iter.match (buffer->info[j - 1]); ++ if (match == skippy_iter.MATCH) ++ { ++ c->last_base = (signed) j - 1; ++ break; ++ } ++ } ++ c->last_base_until = buffer->idx; ++ if (c->last_base == -1) ++ { ++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1); ++ return_trace (false); ++ } ++ ++ j = (unsigned) c->last_base; + + /* Checking that matched glyph is actually a ligature by GDEF is too strong; disabled */ +- //if (!_hb_glyph_info_is_ligature (&buffer->info[skippy_iter.idx])) { return_trace (false); } ++ //if (!_hb_glyph_info_is_ligature (&buffer->info[idx])) { return_trace (false); } + +- unsigned int j = skippy_iter.idx; + unsigned int lig_index = (this+ligatureCoverage).get_coverage (buffer->info[j].codepoint); + if (lig_index == NOT_COVERED) return_trace (false); + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index 5a7e564..437123c 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -503,6 +503,9 @@ struct hb_ot_apply_context_t : + uint32_t random_state; + + ++ signed last_base = -1; // GPOS uses ++ unsigned last_base_until = 0; // GPOS uses ++ + hb_ot_apply_context_t (unsigned int table_index_, + hb_font_t *font_, + hb_buffer_t *buffer_) : +@@ -536,7 +539,7 @@ struct hb_ot_apply_context_t : + iter_context.init (this, true); 
+ } + +- void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); } ++ void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); } + void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } + void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } + void set_random (bool random_) { random = random_; } diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb index ee08c12bee..0cfe01f1e5 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb @@ -7,7 +7,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=e11f5c3149cdec4bb309babb020b32b9 \ file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc" -SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz" +SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz \ + file://CVE-2023-25193-pre0.patch \ + file://CVE-2023-25193-pre1.patch \ + file://CVE-2023-25193.patch" SRC_URI[md5sum] = "2b3a4dfdb3e5e50055f941978944da9f" SRC_URI[sha256sum] = "9413b8d96132d699687ef914ebb8c50440efc87b3f775d25856d7ec347c03c12" diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch new file mode 100644 index 0000000000..8a52ed01e9 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch 
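Review bot: The CVE-2023-25193.patch header is internally inconsistent about which upstream commit is backported: the From line names 9c8e972dbecda93546038d24444d8216397d75a3, `Upstream-Status: Backport [...]` points at 8708b9e081192786c027bb7f5f23d76dbe5c19e8, and Comment1 cites 85be877925ddbf34f74a1229f3ca1716bb6170dc as reverted; the header should state plainly which commit(s) the hunks correspond to so the fix can be audited against upstream. In the MarkLigPosFormat1 hunk the disabled check was rewritten to `//if (!_hb_glyph_info_is_ligature (&buffer->info[idx])) { return_trace (false); }` although that function's index variable is `j`, so the commented-out line no longer matches its surroundings; use `j` or drop the dead line. The new `last_base`/`last_base_until` cache is reset only in `set_lookup_mask`, so its correctness relies on every use within one lookup sharing the same skip semantics; a comment at the member declarations, e.g. `// per-lookup cache of the last base glyph found by MarkBase/MarkLig; reset when the lookup mask changes`, would replace the bare `// GPOS uses`. Both `apply` bodies and the context struct extend beyond the quoted hunks.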
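Review bot: The rewritten `SRC_URI` line still fetches the harfbuzz tarball over plain `http://`; the sha256sum pins the content, but since the line is being rewritten anyway, `SRC_URI = "https://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz \` removes the cleartext fetch so integrity no longer rests on the checksum alone (the host serves TLS). The freetype recipe touched by this same commit uses a mirror variable instead of a literal host, so the two recipes' fetch styles will still differ; that is pre-existing, but worth a note in the commit message if left as is.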
@@ -0,0 +1,457 @@ +From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Thu, 23 Jul 2020 21:24:38 -0500 +Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp + +The additional segfault mentioned in #244 was due to the fact that +the merged upsamplers use a different private structure than the +non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so +when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one +of the IDCT method pointers in the merged upsampler's private structure. + +For reasons unknown, the test image in #441 did not encounter this +segfault (too small?), but it encountered an issue similar to the one +fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was +necessary to set up a dummy postprocessing function in +read_and_discard_scanlines() when merged upsampling was enabled. +Failing to do so caused either a segfault in merged_2v_upsample() (due +to a NULL pointer being passed to jcopy_sample_rows()) or an error +("Corrupt JPEG data: premature end of data segment"), depending on the +number of scanlines skipped and whether the first scanline skipped was +an odd- or even-numbered row. 
+ +Fixes #441 +Fixes #244 (for real this time) + +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30] +CVE: CVE-2020-35538 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ChangeLog.md | 7 +++++ + jdapistd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++------ + jdmerge.c | 46 +++++++-------------------------- + jdmerge.h | 47 ++++++++++++++++++++++++++++++++++ + jdmrg565.c | 10 ++++---- + jdmrgext.c | 6 ++--- + 6 files changed, 135 insertions(+), 53 deletions(-) + create mode 100644 jdmerge.h + +diff --git a/ChangeLog.md b/ChangeLog.md +index 2ebfe71..19d18fa 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -54,6 +54,13 @@ a 16-bit binary PGM file into an RGB image buffer. + generated when using the `tjLoadImage()` function to load a 16-bit binary PPM + file into an extended RGB image buffer. + ++2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors ++in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG ++images using the merged (non-fancy) upsampling algorithms (that is, when ++setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix, ++but it did not cover all cases. ++ ++ + 2.0.3 + ===== + +diff --git a/jdapistd.c b/jdapistd.c +index 2c808fa..91da642 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2018, D. R. Commander. ++ * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. 
+@@ -21,6 +21,8 @@ + #include "jinclude.h" + #include "jdmainct.h" + #include "jdcoefct.h" ++#include "jdmaster.h" ++#include "jdmerge.h" + #include "jdsample.h" + #include "jmemsys.h" + +@@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf, + } + + ++/* Dummy postprocessing function used by jpeg_skip_scanlines() */ ++LOCAL(void) ++noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION *in_row_group_ctr, ++ JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf, ++ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) ++{ ++} ++ ++ + /* + * In some cases, it is best to call jpeg_read_scanlines() and discard the + * output, rather than skipping the scanlines, because this allows us to +@@ -316,11 +328,17 @@ LOCAL(void) + read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + { + JDIMENSION n; ++ my_master_ptr master = (my_master_ptr)cinfo->master; + void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION input_row, JSAMPARRAY output_buf, + int num_rows) = NULL; + void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, + JSAMPARRAY output_buf, int num_rows) = NULL; ++ void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION *in_row_group_ctr, ++ JDIMENSION in_row_groups_avail, ++ JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, ++ JDIMENSION out_rows_avail) = NULL; + + if (cinfo->cconvert && cinfo->cconvert->color_convert) { + color_convert = cinfo->cconvert->color_convert; +@@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->cquantize->color_quantize = noop_quantize; + } + ++ if (master->using_merged_upsample && cinfo->post && ++ cinfo->post->post_process_data) { ++ post_process_data = cinfo->post->post_process_data; ++ cinfo->post->post_process_data = noop_post_process; ++ } ++ + for (n = 0; n < num_lines; n++) + jpeg_read_scanlines(cinfo, NULL, 1); + +@@ -340,6 +364,9 @@ 
read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + + if (color_quantize) + cinfo->cquantize->color_quantize = color_quantize; ++ ++ if (post_process_data) ++ cinfo->post->post_process_data = post_process_data; + } + + +@@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + { + my_main_ptr main_ptr = (my_main_ptr)cinfo->main; + my_coef_ptr coef = (my_coef_ptr)cinfo->coef; +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_master_ptr master = (my_master_ptr)cinfo->master; + JDIMENSION i, x; + int y; + JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row; +@@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; + main_ptr->context_state = CTX_PREPARE_FOR_IMCU; +- upsample->next_row_out = cinfo->max_v_samp_factor; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->spare_full = FALSE; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->next_row_out = cinfo->max_v_samp_factor; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + } + + /* Skipping is much simpler when context rows are not required. 
*/ +@@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_scanline += lines_left_in_iMCU_row; + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; +- upsample->next_row_out = cinfo->max_v_samp_factor; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->spare_full = FALSE; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->next_row_out = cinfo->max_v_samp_factor; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + } + } + +@@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; + increment_simple_rowgroup_ctr(cinfo, lines_to_read); + } +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + return num_lines; + } + +@@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + * bit odd, since "rows_to_go" seems to be redundantly keeping track of + * output_scanline. 
+ */ +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + + /* Always skip the requested number of lines. */ + return num_lines; +diff --git a/jdmerge.c b/jdmerge.c +index dff5a35..833ad67 100644 +--- a/jdmerge.c ++++ b/jdmerge.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: + * Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB +- * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander. ++ * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander. + * Copyright (C) 2013, Linaro Limited. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -40,41 +40,13 @@ + #define JPEG_INTERNALS + #include "jinclude.h" + #include "jpeglib.h" ++#include "jdmerge.h" + #include "jsimd.h" + #include "jconfigint.h" + + #ifdef UPSAMPLE_MERGING_SUPPORTED + + +-/* Private subobject */ +- +-typedef struct { +- struct jpeg_upsampler pub; /* public fields */ +- +- /* Pointer to routine to do actual upsampling/conversion of one row group */ +- void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, +- JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); +- +- /* Private state for YCC->RGB conversion */ +- int *Cr_r_tab; /* => table for Cr to R conversion */ +- int *Cb_b_tab; /* => table for Cb to B conversion */ +- JLONG *Cr_g_tab; /* => table for Cr to G conversion */ +- JLONG *Cb_g_tab; /* => table for Cb to G conversion */ +- +- /* For 2:1 vertical sampling, we produce two output rows at a time. 
+- * We need a "spare" row buffer to hold the second output row if the +- * application provides just a one-row buffer; we also use the spare +- * to discard the dummy last row if the image height is odd. +- */ +- JSAMPROW spare_row; +- boolean spare_full; /* T if spare buffer is occupied */ +- +- JDIMENSION out_row_width; /* samples per output row */ +- JDIMENSION rows_to_go; /* counts rows remaining in image */ +-} my_upsampler; +- +-typedef my_upsampler *my_upsample_ptr; +- + #define SCALEBITS 16 /* speediest right-shift on some machines */ + #define ONE_HALF ((JLONG)1 << (SCALEBITS - 1)) + #define FIX(x) ((JLONG)((x) * (1L << SCALEBITS) + 0.5)) +@@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr; + LOCAL(void) + build_ycc_rgb_table(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + int i; + JLONG x; + SHIFT_TEMPS +@@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo) + METHODDEF(void) + start_pass_merged_upsample(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + + /* Mark the spare buffer empty */ + upsample->spare_full = FALSE; +@@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) + /* 2:1 vertical sampling case: may need a spare row. */ + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + JSAMPROW work_ptrs[2]; + JDIMENSION num_rows; /* number of rows returned to caller */ + +@@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) + /* 1:1 vertical sampling case: much easier, never need a spare row. 
*/ + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + + /* Just do the upsampling. */ + (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr, +@@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + GLOBAL(void) + jinit_merged_upsampler(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample; ++ my_merged_upsample_ptr upsample; + +- upsample = (my_upsample_ptr) ++ upsample = (my_merged_upsample_ptr) + (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, +- sizeof(my_upsampler)); ++ sizeof(my_merged_upsampler)); + cinfo->upsample = (struct jpeg_upsampler *)upsample; + upsample->pub.start_pass = start_pass_merged_upsample; + upsample->pub.need_context_rows = FALSE; +diff --git a/jdmerge.h b/jdmerge.h +new file mode 100644 +index 0000000..b583396 +--- /dev/null ++++ b/jdmerge.h +@@ -0,0 +1,47 @@ ++/* ++ * jdmerge.h ++ * ++ * This file was part of the Independent JPEG Group's software: ++ * Copyright (C) 1994-1996, Thomas G. Lane. ++ * libjpeg-turbo Modifications: ++ * Copyright (C) 2020, D. R. Commander. ++ * For conditions of distribution and use, see the accompanying README.ijg ++ * file. 
++ */ ++ ++#define JPEG_INTERNALS ++#include "jpeglib.h" ++ ++#ifdef UPSAMPLE_MERGING_SUPPORTED ++ ++ ++/* Private subobject */ ++ ++typedef struct { ++ struct jpeg_upsampler pub; /* public fields */ ++ ++ /* Pointer to routine to do actual upsampling/conversion of one row group */ ++ void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); ++ ++ /* Private state for YCC->RGB conversion */ ++ int *Cr_r_tab; /* => table for Cr to R conversion */ ++ int *Cb_b_tab; /* => table for Cb to B conversion */ ++ JLONG *Cr_g_tab; /* => table for Cr to G conversion */ ++ JLONG *Cb_g_tab; /* => table for Cb to G conversion */ ++ ++ /* For 2:1 vertical sampling, we produce two output rows at a time. ++ * We need a "spare" row buffer to hold the second output row if the ++ * application provides just a one-row buffer; we also use the spare ++ * to discard the dummy last row if the image height is odd. ++ */ ++ JSAMPROW spare_row; ++ boolean spare_full; /* T if spare buffer is occupied */ ++ ++ JDIMENSION out_row_width; /* samples per output row */ ++ JDIMENSION rows_to_go; /* counts rows remaining in image */ ++} my_merged_upsampler; ++ ++typedef my_merged_upsampler *my_merged_upsample_ptr; ++ ++#endif /* UPSAMPLE_MERGING_SUPPORTED */ +diff --git a/jdmrg565.c b/jdmrg565.c +index 1b87e37..53f1e16 100644 +--- a/jdmrg565.c ++++ b/jdmrg565.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: + * Copyright (C) 2013, Linaro Limited. +- * Copyright (C) 2014-2015, 2018, D. R. Commander. ++ * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. 
+ * +@@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +@@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +diff --git a/jdmrgext.c b/jdmrgext.c +index b1c27df..c9a44d8 100644 +--- a/jdmrgext.c ++++ b/jdmrgext.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2011, 2015, D. R. Commander. ++ * Copyright (C) 2011, 2015, 2020, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. 
+ * +@@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +-- +2.25.1 + diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch new file mode 100644 index 0000000000..f86175dff0 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch 
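Review bot: The backported patch carries upstream's `ChangeLog.md` hunk (`@@ -54,6 +54,13 @@`), which adds nothing to the built library and is the hunk most likely to apply with fuzz or fail outright against the libjpeg-turbo source this recipe ships; consider dropping it from the patch file and recording the omission next to `Upstream-Status: Backport`. The code hunks are internally consistent — every `my_upsample_ptr` cast in `jdmerge.c`, `jdmrg565.c` and `jdmrgext.c` becomes `my_merged_upsample_ptr`, and the private struct now lives only in the new `jdmerge.h`. That header has no include guard and defines `JPEG_INTERNALS` unconditionally before including `jpeglib.h`; this is acceptable for the files that include it here (a repeated identical macro definition is well-defined), but since this is a verbatim backport it is better left as upstream wrote it than fixed in the layer. Note also that this patch is partly reworked by CVE-2020-35538-2.patch in the same series (the `noop_post_process` stub added here is removed there), so the two must keep this order in the jpeg recipe's `SRC_URI`, which is not in this view.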
@@ -0,0 +1,400 @@ +From a46c111d9f3642f0ef3819e7298846ccc61869e0 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Mon, 27 Jul 2020 14:21:23 -0500 +Subject: [PATCH] Further jpeg_skip_scanlines() fixes + +- Introduce a partial image decompression regression test script that + validates the correctness of jpeg_skip_scanlines() and + jpeg_crop_scanlines() for a variety of cropping regions and libjpeg + settings. + + This regression test catches the following issues: + #182, fixed in 5bc43c7 + #237, fixed in 6e95c08 + #244, fixed in 398c1e9 + #441, fully fixed in this commit + + It does not catch the following issues: + #194, fixed in 773040f + #244 (additional segfault), fixed in + 9120a24 + +- Modify the libjpeg-turbo regression test suite (make test) so that it + checks for the issue reported in #441 (segfault in + jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color + conversion.) + +- Fix issues in jpeg_skip_scanlines() that caused incorrect output with + h2v2 (4:2:0) merged upsampling/color conversion. The previous commit + fixed the segfault reported in #441, but that was a symptom of a + larger problem. Because merged 4:2:0 upsampling uses a "spare row" + buffer, it is necessary to allow the upsampler to run when skipping + rows (fancy 4:2:0 upsampling, which uses context rows, also requires + this.) Otherwise, if skipping starts at an odd-numbered row, the + output image will be incorrect. + +- Throw an error if jpeg_skip_scanlines() is called with two-pass color + quantization enabled. With two-pass color quantization, the first + pass occurs within jpeg_start_decompress(), so subsequent calls to + jpeg_skip_scanlines() interfere with the multipass state and prevent + the second pass from occurring during subsequent calls to + jpeg_read_scanlines(). 
+ +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0] +CVE: CVE-2020-35538 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + CMakeLists.txt | 9 +++-- + ChangeLog.md | 15 +++++--- + croptest.in | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ + jdapistd.c | 70 +++++++++++-------------------------- + libjpeg.txt | 6 ++-- + 5 files changed, 136 insertions(+), 59 deletions(-) + create mode 100755 croptest.in + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index aee74c9..de451f4 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -753,7 +753,7 @@ else() + set(MD5_PPM_3x2_IFAST fd283664b3b49127984af0a7f118fccd) + set(MD5_JPEG_420_ISLOW_ARI e986fb0a637a8d833d96e8a6d6d84ea1) + set(MD5_JPEG_444_ISLOW_PROGARI 0a8f1c8f66e113c3cf635df0a475a617) +- set(MD5_PPM_420M_IFAST_ARI 72b59a99bcf1de24c5b27d151bde2437) ++ set(MD5_PPM_420M_IFAST_ARI 57251da28a35b46eecb7177d82d10e0e) + set(MD5_JPEG_420_ISLOW 9a68f56bc76e466aa7e52f415d0f4a5f) + set(MD5_PPM_420M_ISLOW_2_1 9f9de8c0612f8d06869b960b05abf9c9) + set(MD5_PPM_420M_ISLOW_15_8 b6875bc070720b899566cc06459b63b7) +@@ -1131,7 +1131,7 @@ foreach(libtype ${TEST_LIBTYPES}) + + if(WITH_ARITH_DEC) + # CC: RGB->YCC SAMP: h2v2 merged IDCT: ifast ENT: arith +- add_bittest(djpeg 420m-ifast-ari "-fast;-ppm" ++ add_bittest(djpeg 420m-ifast-ari "-fast;-skip;1,20;-ppm" + testout_420m_ifast_ari.ppm ${TESTIMAGES}/testimgari.jpg + ${MD5_PPM_420M_IFAST_ARI}) + +@@ -1266,6 +1266,11 @@ endforeach() + add_custom_target(testclean COMMAND ${CMAKE_COMMAND} -P + ${CMAKE_CURRENT_SOURCE_DIR}/cmakescripts/testclean.cmake) + ++configure_file(croptest.in croptest @ONLY) ++add_custom_target(croptest ++ COMMAND echo croptest ++ COMMAND ${BASH} ${CMAKE_CURRENT_BINARY_DIR}/croptest) ++ + if(WITH_TURBOJPEG) + configure_file(tjbenchtest.in tjbenchtest @ONLY) + configure_file(tjexampletest.in tjexampletest @ONLY) +diff --git a/ChangeLog.md b/ChangeLog.md +index 19d18fa..4562eff 
100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -54,11 +54,16 @@ a 16-bit binary PGM file into an RGB image buffer. + generated when using the `tjLoadImage()` function to load a 16-bit binary PPM + file into an extended RGB image buffer. + +-2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors +-in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG +-images using the merged (non-fancy) upsampling algorithms (that is, when +-setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix, +-but it did not cover all cases. ++2. Fixed or worked around multiple issues with `jpeg_skip_scanlines()`: ++ ++ - Fixed segfaults or "Corrupt JPEG data: premature end of data segment" ++errors in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or ++4:2:0 JPEG images using merged (non-fancy) upsampling/color conversion (that ++is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a ++similar fix, but it did not cover all cases. ++ - `jpeg_skip_scanlines()` now throws an error if two-pass color ++quantization is enabled. Two-pass color quantization never worked properly ++with `jpeg_skip_scanlines()`, and the issues could not readily be fixed. 
+ + + 2.0.3 +diff --git a/croptest.in b/croptest.in +new file mode 100755 +index 0000000..7e3c293 +--- /dev/null ++++ b/croptest.in +@@ -0,0 +1,95 @@ ++#!/bin/bash ++ ++set -u ++set -e ++trap onexit INT ++trap onexit TERM ++trap onexit EXIT ++ ++onexit() ++{ ++ if [ -d $OUTDIR ]; then ++ rm -rf $OUTDIR ++ fi ++} ++ ++runme() ++{ ++ echo \*\*\* $* ++ $* ++} ++ ++IMAGE=vgl_6548_0026a.bmp ++WIDTH=128 ++HEIGHT=95 ++IMGDIR=@CMAKE_CURRENT_SOURCE_DIR@/testimages ++OUTDIR=`mktemp -d /tmp/__croptest_output.XXXXXX` ++EXEDIR=@CMAKE_CURRENT_BINARY_DIR@ ++ ++if [ -d $OUTDIR ]; then ++ rm -rf $OUTDIR ++fi ++mkdir -p $OUTDIR ++ ++exec >$EXEDIR/croptest.log ++ ++echo "============================================================" ++echo "$IMAGE ($WIDTH x $HEIGHT)" ++echo "============================================================" ++echo ++ ++for PROGARG in "" -progressive; do ++ ++ cp $IMGDIR/$IMAGE $OUTDIR ++ basename=`basename $IMAGE .bmp` ++ echo "------------------------------------------------------------" ++ echo "Generating test images" ++ echo "------------------------------------------------------------" ++ echo ++ runme $EXEDIR/cjpeg $PROGARG -grayscale -outfile $OUTDIR/${basename}_GRAY.jpg $IMGDIR/${basename}.bmp ++ runme $EXEDIR/cjpeg $PROGARG -sample 2x2 -outfile $OUTDIR/${basename}_420.jpg $IMGDIR/${basename}.bmp ++ runme $EXEDIR/cjpeg $PROGARG -sample 2x1 -outfile $OUTDIR/${basename}_422.jpg $IMGDIR/${basename}.bmp ++ runme $EXEDIR/cjpeg $PROGARG -sample 1x2 -outfile $OUTDIR/${basename}_440.jpg $IMGDIR/${basename}.bmp ++ runme $EXEDIR/cjpeg $PROGARG -sample 1x1 -outfile $OUTDIR/${basename}_444.jpg $IMGDIR/${basename}.bmp ++ echo ++ ++ for NSARG in "" -nosmooth; do ++ ++ for COLORSARG in "" "-colors 256 -dither none -onepass"; do ++ ++ for Y in {0..16}; do ++ ++ for H in {1..16}; do ++ ++ X=$(( (Y*16)%128 )) ++ W=$(( WIDTH-X-7 )) ++ if [ $Y -le 15 ]; then ++ CROPSPEC="${W}x${H}+${X}+${Y}" ++ else ++ Y2=$(( HEIGHT-H )); ++ CROPSPEC="${W}x${H}+${X}+${Y2}" ++ fi ++ ++ 
echo "------------------------------------------------------------" ++ echo $PROGARG $NSARG $COLORSARG -crop $CROPSPEC ++ echo "------------------------------------------------------------" ++ echo ++ for samp in GRAY 420 422 440 444; do ++ $EXEDIR/djpeg $NSARG $COLORSARG -rgb -outfile $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}.jpg ++ convert -crop $CROPSPEC $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}_ref.ppm ++ runme $EXEDIR/djpeg $NSARG $COLORSARG -crop $CROPSPEC -rgb -outfile $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}.jpg ++ runme cmp $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}_ref.ppm ++ done ++ echo ++ ++ done ++ ++ done ++ ++ done ++ ++ done ++ ++done ++ ++echo SUCCESS! +diff --git a/jdapistd.c b/jdapistd.c +index 91da642..c502909 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -306,16 +306,6 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf, + } + + +-/* Dummy postprocessing function used by jpeg_skip_scanlines() */ +-LOCAL(void) +-noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, +- JDIMENSION *in_row_group_ctr, +- JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf, +- JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) +-{ +-} +- +- + /* + * In some cases, it is best to call jpeg_read_scanlines() and discard the + * output, rather than skipping the scanlines, because this allows us to +@@ -329,16 +319,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + { + JDIMENSION n; + my_master_ptr master = (my_master_ptr)cinfo->master; ++ JSAMPARRAY scanlines = NULL; + void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION input_row, JSAMPARRAY output_buf, + int num_rows) = NULL; + void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, + JSAMPARRAY output_buf, int num_rows) = NULL; +- void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, +- JDIMENSION *in_row_group_ctr, +- 
JDIMENSION in_row_groups_avail, +- JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, +- JDIMENSION out_rows_avail) = NULL; + + if (cinfo->cconvert && cinfo->cconvert->color_convert) { + color_convert = cinfo->cconvert->color_convert; +@@ -350,23 +336,19 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->cquantize->color_quantize = noop_quantize; + } + +- if (master->using_merged_upsample && cinfo->post && +- cinfo->post->post_process_data) { +- post_process_data = cinfo->post->post_process_data; +- cinfo->post->post_process_data = noop_post_process; ++ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) { ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; ++ scanlines = &upsample->spare_row; + } + + for (n = 0; n < num_lines; n++) +- jpeg_read_scanlines(cinfo, NULL, 1); ++ jpeg_read_scanlines(cinfo, scanlines, 1); + + if (color_convert) + cinfo->cconvert->color_convert = color_convert; + + if (color_quantize) + cinfo->cquantize->color_quantize = color_quantize; +- +- if (post_process_data) +- cinfo->post->post_process_data = post_process_data; + } + + +@@ -380,6 +362,12 @@ increment_simple_rowgroup_ctr(j_decompress_ptr cinfo, JDIMENSION rows) + { + JDIMENSION rows_left; + my_main_ptr main_ptr = (my_main_ptr)cinfo->main; ++ my_master_ptr master = (my_master_ptr)cinfo->master; ++ ++ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) { ++ read_and_discard_scanlines(cinfo, rows); ++ return; ++ } + + /* Increment the counter to the next row group after the skipped rows. 
*/ + main_ptr->rowgroup_ctr += rows / cinfo->max_v_samp_factor; +@@ -410,11 +398,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + my_main_ptr main_ptr = (my_main_ptr)cinfo->main; + my_coef_ptr coef = (my_coef_ptr)cinfo->coef; + my_master_ptr master = (my_master_ptr)cinfo->master; ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; + JDIMENSION i, x; + int y; + JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row; + JDIMENSION lines_to_skip, lines_to_read; + ++ /* Two-pass color quantization is not supported. */ ++ if (cinfo->quantize_colors && cinfo->two_pass_quantize) ++ ERREXIT(cinfo, JERR_NOTIMPL); ++ + if (cinfo->global_state != DSTATE_SCANNING) + ERREXIT1(cinfo, JERR_BAD_STATE, cinfo->global_state); + +@@ -472,13 +465,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; + main_ptr->context_state = CTX_PREPARE_FOR_IMCU; +- if (master->using_merged_upsample) { +- my_merged_upsample_ptr upsample = +- (my_merged_upsample_ptr)cinfo->upsample; +- upsample->spare_full = FALSE; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } else { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ if (!master->using_merged_upsample) { + upsample->next_row_out = cinfo->max_v_samp_factor; + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; + } +@@ -493,13 +480,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_scanline += lines_left_in_iMCU_row; + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; +- if (master->using_merged_upsample) { +- my_merged_upsample_ptr upsample = +- (my_merged_upsample_ptr)cinfo->upsample; +- upsample->spare_full = FALSE; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } else { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ if (!master->using_merged_upsample) { + 
upsample->next_row_out = cinfo->max_v_samp_factor; + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; + } +@@ -537,14 +518,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; + increment_simple_rowgroup_ctr(cinfo, lines_to_read); + } +- if (master->using_merged_upsample) { +- my_merged_upsample_ptr upsample = +- (my_merged_upsample_ptr)cinfo->upsample; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } else { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ if (!master->using_merged_upsample) + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } + return num_lines; + } + +@@ -585,13 +560,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + * bit odd, since "rows_to_go" seems to be redundantly keeping track of + * output_scanline. + */ +- if (master->using_merged_upsample) { +- my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; ++ if (!master->using_merged_upsample) + upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } else { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; +- } + + /* Always skip the requested number of lines. */ + return num_lines; +diff --git a/libjpeg.txt b/libjpeg.txt +index c50cf90..c233ecb 100644 +--- a/libjpeg.txt ++++ b/libjpeg.txt +@@ -3,7 +3,7 @@ USING THE IJG JPEG LIBRARY + This file was part of the Independent JPEG Group's software: + Copyright (C) 1994-2013, Thomas G. Lane, Guido Vollbeding. + libjpeg-turbo Modifications: +-Copyright (C) 2010, 2014-2018, D. R. Commander. ++Copyright (C) 2010, 2014-2018, 2020, D. R. Commander. + Copyright (C) 2015, Google, Inc. + For conditions of distribution and use, see the accompanying README.ijg file. + +@@ -750,7 +750,9 @@ multiple rows in the JPEG image. 
+ + Suspending data sources are not supported by this function. Calling + jpeg_skip_scanlines() with a suspending data source will result in undefined +-behavior. ++behavior. Two-pass color quantization is also not supported by this function. ++Calling jpeg_skip_scanlines() with two-pass color quantization enabled will ++result in an error. + + jpeg_skip_scanlines() will not allow skipping past the bottom of the image. If + the value of num_lines is large enough to skip past the bottom of the image, +-- +2.25.1 + diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..6668f6e41d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch 
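Review bot: The backported patch carries upstream's test scaffolding alongside the fix — the new `croptest.in` (a bash script that shells out to `convert`), the `add_custom_target(croptest ...)` block, the changed `MD5_PPM_420M_IFAST_ARI` digest and the `-skip;1,20` arguments added to the `420m-ifast-ari` bittest — none of which affects the built library, while the digest change is only valid if the rest of upstream's test state at that commit matches this recipe's version. Consider trimming the patch to the `jdapistd.c` and `libjpeg.txt` hunks and recording the omission in the header, or, if the test changes are kept, verify that the recipe's source still passes `make test` with them applied. The `ERREXIT(cinfo, JERR_NOTIMPL)` added at the top of jpeg_skip_scanlines turns a previously silent wrong-output case (two-pass color quantization) into a hard error for applications, which deserves a sentence in the recipe's commit message if it is not already there. Stylistically, `my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;` is now computed at the top of the function even when `master->using_merged_upsample` is true and `cinfo->upsample` actually points at a `my_merged_upsampler`; it is only dereferenced under `if (!master->using_merged_upsample)`, so it is safe, but a comment such as `/* valid only when !master->using_merged_upsample */` on that declaration would make the invariant explicit.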
@@ -0,0 +1,97 @@ +From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Tue, 4 Apr 2023 19:06:20 -0500 +Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565 + +The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565 +is the only 3-component colorspace that doesn't have 3-sample pixels, so +we need to treat it as a special case when determining whether to enable +2-pass color quantization. Otherwise, attempting to initialize 2-pass +color quantization with an RGB565 output buffer could cause +prescan_quantize() to read from uninitialized memory and subsequently +underflow/overflow the histogram array. + +djpeg is supposed to fail gracefully if both -rgb565 and -colors are +specified, because none of its destination managers (image writers) +support color quantization with RGB565. However, prescan_quantize() was +called before that could occur. It is possible but very unlikely that +these issues could have been reproduced in applications other than +djpeg. The issues involve the use of two features (12-bit precision and +RGB565) that are incompatible, and they also involve the use of two +rarely-used legacy features (RGB565 and color quantization) that don't +make much sense when combined. + +Fixes #668 +Fixes #671 +Fixes #680 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ChangeLog.md | 6 ++++++ + jdmaster.c | 5 +++-- + jquant2.c | 5 +++-- + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index e605abe73..de0c4d0dd 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -1,3 +1,9 @@ quality values. ++9. 
Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer ++overruns when attempting to decompress various specially-crafted malformed ++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg ++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion ++enabled. ++ + 2.0.4 + ===== + +diff --git a/jdmaster.c b/jdmaster.c +index b20906438..8d8ef9956 100644 +--- a/jdmaster.c ++++ b/jdmaster.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1991-1997, Thomas G. Lane. + * Modified 2002-2009 by Guido Vollbeding. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009-2011, 2016, D. R. Commander. ++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander. + * Copyright (C) 2013, Linaro Limited. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg +@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo) + if (cinfo->raw_data_out) + ERREXIT(cinfo, JERR_NOTIMPL); + /* 2-pass quantizer only works in 3-component color space. */ +- if (cinfo->out_color_components != 3) { ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) { + cinfo->enable_1pass_quant = TRUE; + cinfo->enable_external_quant = FALSE; + cinfo->enable_2pass_quant = FALSE; +diff --git a/jquant2.c b/jquant2.c +index 6570613bb..c760380fb 100644 +--- a/jquant2.c ++++ b/jquant2.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1991-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009, 2014-2015, D. R. Commander. ++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. 
+ * +@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo) + cquantize->error_limiter = NULL; + + /* Make sure jdmaster didn't give me a case I can't handle */ +- if (cinfo->out_color_components != 3) ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) + ERREXIT(cinfo, JERR_NOTIMPL); + + /* Allocate the histogram/inverse colormap storage */ diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..bcba0b513d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch 
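Review bot: The ChangeLog.md hunk (`@@ -1,3 +1,9 @@`, new entry `9.`) is the fragile part of this backport: its context lines and numbering presumably depend on what the CVE-2020-35538-1/2 patches listed before it in the recipe have already written to ChangeLog.md, so reordering SRC_URI or dropping those patches makes this one reject in do_patch even though the jdmaster.c and jquant2.c hunks are independent. For a 2.0.4 backport the ChangeLog hunk carries no code and is usually dropped, or the dependency should be stated in the patch header, e.g. `[ChangeLog.md hunk depends on CVE-2020-35538-1.patch and CVE-2020-35538-2.patch]`. On the code side, master_selection() now quietly falls back to the 1-pass quantizer for RGB565 output (`enable_1pass_quant = TRUE`) instead of rejecting the combination; whether jquant1.c copes with RGB565's two-byte pixels is not visible here and is worth confirming, given the commit message says no djpeg writer supports quantized RGB565. master_selection() and jinit_2pass_quantizer() both continue outside the hunks shown.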
@@ -0,0 +1,75 @@ +From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Thu, 6 Apr 2023 18:33:41 -0500 +Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp + +When computing the downsampled width for a particular component, +jpeg_crop_scanline() needs to take into account the fact that the +libjpeg code uses a combination of IDCT scaling and upsampling to +implement 4x2 and 2x4 upsampling with certain decompression scaling +factors. Failing to account for that led to incomplete upsampling of +4x2- or 2x4-subsampled components, which caused the color converter to +read from uninitialized memory. With 12-bit data precision, this caused +a buffer overrun or underrun and subsequent segfault if the +uninitialized memory contained a value that was outside of the valid +sample range (because the color converter uses the value as an array +index.) + +Fixes #669 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ChangeLog.md | 8 ++++++++ + jdapistd.c | 10 ++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index de0c4d0dd..159bd1610 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed + (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion + enabled. + ++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the ++downsampled width for components with 4x2 or 2x4 subsampling factors if ++decompression scaling was enabled. This caused the components to be upsampled ++incompletely, which caused the color converter to read from uninitialized ++memory. 
With 12-bit data precision, this caused a buffer overrun or underrun ++and subsequent segfault if the sample value read from unitialized memory was ++outside of the valid sample range. ++ + 2.0.4 + ===== + +diff --git a/jdapistd.c b/jdapistd.c +index 628626254..eb577928c 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. ++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset, + /* Set downsampled_width to the new output width. */ + orig_downsampled_width = compptr->downsampled_width; + compptr->downsampled_width = +- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width * +- compptr->h_samp_factor), +- (long)cinfo->max_h_samp_factor); ++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width * ++ (long)(compptr->h_samp_factor * ++ compptr->_DCT_scaled_size), ++ (long)(cinfo->max_h_samp_factor * ++ cinfo->_min_DCT_scaled_size)); + if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2) + reinit_upsampler = TRUE; + diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 6575582b0c..fda425c219 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb 
@@ -14,6 +14,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
 file://0001-libjpeg-turbo-fix-package_qa-error.patch \
 file://CVE-2020-13790.patch \
 file://CVE-2021-46822.patch \
+ file://CVE-2020-35538-1.patch \
+ file://CVE-2020-35538-2.patch \
+ file://CVE-2023-2804-1.patch \
+ file://CVE-2023-2804-2.patch \
 "
 
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
new file mode 100644
index 0000000000..b02a2169a6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
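Review bot: The order of the four new patches is load-bearing and nothing in the recipe says so: CVE-2023-2804-2.patch's ChangeLog.md hunk uses the entry-9 text that CVE-2023-2804-1.patch adds as its context, and CVE-2023-2804-1.patch's own ChangeLog.md hunk presumably relies on context the CVE-2020-35538 patches introduce, so a later reordering of SRC_URI or removal of one entry fails in do_patch rather than at review. A one-line comment above the block, `# CVE-2023-2804-*.patch edit ChangeLog.md and must stay after CVE-2020-35538-*.patch`, makes that explicit; dropping the ChangeLog.md hunks from the backported patches would remove the coupling entirely.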
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/render/opengles/SDL_render_gles.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+ renderdata->glGenTextures(1, &data->texture);
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glGenTextures()", result);
+ }
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glTexImage2D()", result);
+ }
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 44d36fca22..fa29bc99ac 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
 file://directfb-renderfillrect-fix.patch \
 file://CVE-2020-14409-14410.patch \
 file://CVE-2021-33657.patch \
+ file://CVE-2022-4743.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"
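Review bot: The two new cleanup blocks in GLES_CreateTexture() repeat the same three lines, and any other error return between or after them (the function starts and ends outside this hunk) will leak `data->pixels` again unless the same block is copied there too; a single `goto fail` path that frees `data->pixels` and `data` and returns the error is the usual way to keep the next error site from re-introducing the leak. If `data` is obtained with SDL_calloc (not visible here), the `texture->access` check is also unnecessary, because `SDL_free(NULL)` is a no-op and `SDL_free(data->pixels);` can run unconditionally. Either way a short comment, `/* pixels is only allocated for streaming textures */`, would explain the guard to the next reader.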
diff --git a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb index 295ac12fc5..0774f37e31 100644 --- a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb +++ b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2119edef0916b0bd511cb3c731076271" DEPENDS = "zlib" -SRC_URI = "git://github.com/assimp/assimp.git;branch=assimp_5.0_release;protocol=https \ +SRC_URI = "git://github.com/assimp/assimp.git;nobranch=1;protocol=https \ file://0001-closes-https-github.com-assimp-assimp-issues-2733-up.patch \ file://0001-Use-ASSIMP_LIB_INSTALL_DIR-to-search-library.patch \ " diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch new file mode 100644 index 0000000000..df204508e9 --- /dev/null +++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch 
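Review bot: Switching the fetcher to `nobranch=1` drops the check that SRCREV is reachable from a named branch, so a pinned commit that upstream later rebases away, force-pushes, or that only ever existed in a fork's pull request still fetches silently as long as the object is on the server; the `assimp_5.0_release` branch was presumably removed or renamed upstream, but the recipe does not record why. Prefer pointing `branch=` (or `tag=`) at whatever ref now carries the 5.0.1 release, and if `nobranch=1` has to stay, add a comment such as `# assimp_5.0_release branch no longer exists upstream; SRCREV is the v5.0.1 release commit` so the pin can be audited. The SRCREV line itself is outside the hunk.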
@@ -0,0 +1,111 @@ +From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001 +From: Derek Foreman <derek.foreman@collabora.com> +Date: Fri, 28 Jan 2022 13:18:37 -0600 +Subject: [PATCH] util: Limit size of wl_map + +Since server IDs are basically indistinguishable from really big client +IDs at many points in the source, it's theoretically possible to overflow +a map and either overflow server IDs into the client ID space, or grow +client IDs into the server ID space. This would currently take a massive +amount of RAM, but the definition of massive changes yearly. + +Prevent this by placing a ridiculous but arbitrary upper bound on the +number of items we can put in a map: 0xF00000, somewhere over 15 million. +This should satisfy pathological clients without restriction, but stays +well clear of the 0xFF000000 transition point between server and client +IDs. It will still take an improbable amount of RAM to hit this, and a +client could still exhaust all RAM in this way, but our goal is to prevent +overflow and undefined behaviour. 
+ +Fixes #224 + +Signed-off-by: Derek Foreman <derek.foreman@collabora.com> + +Upstream-Status: Backport +CVE: CVE-2021-3782 + +Reference to upstream patch: +https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2 + +[DP: adjust context for wayland version 1.20.0] +Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com> +--- + src/wayland-private.h | 1 + + src/wayland-util.c | 25 +++++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/wayland-private.h b/src/wayland-private.h +index 9bf8cb7..35dc40e 100644 +--- a/src/wayland-private.h ++++ b/src/wayland-private.h +@@ -45,6 +45,7 @@ + #define WL_MAP_SERVER_SIDE 0 + #define WL_MAP_CLIENT_SIDE 1 + #define WL_SERVER_ID_START 0xff000000 ++#define WL_MAP_MAX_OBJECTS 0x00f00000 + #define WL_CLOSURE_MAX_ARGS 20 + + struct wl_object { +diff --git a/src/wayland-util.c b/src/wayland-util.c +index d5973bf..3e45d19 100644 +--- a/src/wayland-util.c ++++ b/src/wayland-util.c +@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + union map_entry *start, *entry; + struct wl_array *entries; + uint32_t base; ++ uint32_t count; + + if (map->side == WL_MAP_CLIENT_SIDE) { + entries = &map->client_entries; +@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + start = entries->data; + } + ++ /* wl_array only grows, so if we have too many objects at ++ * this point there's no way to clean up. We could be more ++ * pro-active about trying to avoid this allocation, but ++ * it doesn't really matter because at this point there is ++ * nothing to be done but disconnect the client and delete ++ * the whole array either way. ++ */ ++ count = entry - start; ++ if (count > WL_MAP_MAX_OBJECTS) { ++ /* entry->data is freshly malloced garbage, so we'd ++ * better make it a NULL so wl_map_for_each doesn't ++ * dereference it later. 
*/ ++ entry->data = NULL; ++ return 0; ++ } + entry->data = data; + entry->next |= (flags & 0x1) << 1; + +- return (entry - start) + base; ++ return count + base; + } + + int +@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data) + i -= WL_SERVER_ID_START; + } + ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; ++ + count = entries->size / sizeof *start; + if (count < i) + return -1; +@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i) + i -= WL_SERVER_ID_START; + } + +- count = entries->size / sizeof *start; ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; + ++ count = entries->size / sizeof *start; + if (count < i) + return -1; + +-- +2.37.3 diff --git a/meta/recipes-graphics/wayland/wayland_1.18.0.bb b/meta/recipes-graphics/wayland/wayland_1.18.0.bb index 00be3aac27..e621abddbf 100644 --- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb +++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb @@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \ file://0001-build-Fix-strndup-detection-on-MinGW.patch \ file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \ + file://CVE-2021-3782.patch \ " SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65" SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d" diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch new file mode 100644 index 0000000000..855ce80e77 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch 
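Review bot: wl_map_insert_new() now signals the cap by returning 0, which is only safe if every caller already treats 0 as an invalid object id; the server-side resource creation and client-side proxy creation paths are not visible here, and a caller that stores the return unchecked would register an object at id 0. Either confirm those callers or note the contract on the function, e.g. `/* Returns 0 when the map is full; callers must treat 0 as failure. */`. Separately, the patch header says `[DP: adjust context for wayland version 1.20.0]` while it is being added to wayland_1.18.0.bb, so the adjustment note should name 1.18.0 or be removed. The body of wl_map_insert_new() starts before the hunk.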
@@ -0,0 +1,38 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE:CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ dpy->xcb->pending_requests = tmp->next;
+ free(tmp);
+ }
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+ xcondition_free(dpy->xcb->event_notify);
+ xcondition_free(dpy->xcb->reply_notify);
+ Xfree(dpy->xcb);
+--
+2.18.2
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 0000000000..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
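Review bot: The tag line `CVE:CVE-2022-3555` is missing the space after the colon that the `CVE: CVE-YYYY-NNNN` convention used by the other patches in this series (and, as far as I can tell, the cve-check regex) expects, and `Upstream-Status: Backport from [url]` is not one of the accepted status forms; the patch is still picked up via its file name, but the header should read `CVE: CVE-2022-3555` and `Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]` so the patch QA checks stay consistent. The code change itself (clearing the condition variables before freeing them) matches the referenced upstream commit.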
@@ -0,0 +1,111 @@ +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 10 Jun 2023 16:30:07 -0700 +Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, & + error codes + +Fixes CVE-2023-3138: X servers could return values from XQueryExtension +that would cause Xlib to write entries out-of-bounds of the arrays to +store them, though this would only overwrite other parts of the Display +struct, not outside the bounds allocated for that structure. + +Reported-by: Gregory James DUCK <gjduck@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +CVE: CVE-2023-3138 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/src/InitExt.c b/src/InitExt.c +index 4de46f15..afc00a6b 100644 +--- a/src/InitExt.c ++++ b/src/InitExt.c +@@ -33,6 +33,18 @@ from The Open Group. + #include <X11/Xos.h> + #include <stdio.h> + ++/* The X11 protocol spec reserves events 64 through 127 for extensions */ ++#ifndef LastExtensionEvent ++#define LastExtensionEvent 127 ++#endif ++ ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */ ++#ifndef LastExtensionRequest ++#define FirstExtensionRequest 128 ++#define LastExtensionRequest 255 ++#endif ++ ++ + /* + * This routine is used to link a extension in so it will be called + * at appropriate times. 
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( + WireToEventType proc) /* routine to call when converting event */ + { + register WireToEventType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (WireToEventType)_XUnknownWireEvent; ++ } + if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; + LockDisplay (dpy); + oldproc = dpy->event_vec[event_number]; +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( + ) + { + WireToEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (WireToEventCookieType)_XUnknownWireEventCookie; ++ } + if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_vec[extension & 0x7F]; +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( + ) + { + CopyEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (CopyEventCookieType)_XUnknownCopyEventCookie; ++ } + if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( + EventToWireType proc) /* routine to call when converting event */ + { + register EventToWireType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (EventToWireType)_XUnknownNativeEvent; ++ } + if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; + LockDisplay (dpy); + oldproc = dpy->wire_vec[event_number]; +@@ -325,6 +361,12 @@ 
WireToErrorType XESetWireToError( + WireToErrorType proc) /* routine to call when converting error */ + { + register WireToErrorType oldproc = NULL; ++ if (error_number < 0 || ++ error_number > LastExtensionError) { ++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", ++ error_number); ++ return (WireToErrorType)_XDefaultWireError; ++ } + if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; + LockDisplay (dpy); + if (!dpy->error_vec) { +-- +GitLab diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..dbdf096fc8 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
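Review bot: The new `#ifndef LastExtensionRequest` guard defines both FirstExtensionRequest and LastExtensionRequest, so a header that ever supplies LastExtensionRequest alone leaves FirstExtensionRequest undefined and XESetWireToEventCookie()/XESetCopyEventCookie() stop compiling; guard each macro separately (`#ifndef FirstExtensionRequest` / `#ifndef LastExtensionRequest`). XESetWireToError() relies on LastExtensionError, which this patch does not define and presumably comes from Xproto.h — worth confirming against the 1.6.9 headers, since the other limits needed local fallbacks. Also, the rejected cases only print to stderr and hand back the default proc, so an extension passing a bad code receives a non-NULL value and continues with its handler silently dropped; that is upstream's choice, but a comment such as `/* reject out-of-range codes: return the default handler rather than NULL so callers that ignore the result stay safe */` would make it reviewable. The functions' bodies continue outside the hunks shown.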
@@ -0,0 +1,63 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK <gjduck@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] +CVE: CVE-2023-43785 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/xkb/XKBGetMap.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21e..31199e4a 100644 +--- a/src/xkb/XKBGetMap.c ++++ b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +- sz = map->size_syms + 128; ++ sz = offset + newMap->nSyms; ++ sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], +- newMap->nSyms); ++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], ++ newMap->nSyms) == 0) ++ return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ 
_XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +- if (newMap->nSyms > 0) +- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++ if (newMap->nSyms > 0) { ++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) ++ return BadLength; ++ } + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch new file mode 100644 index 0000000000..31a99eb4ac --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch 
@@ -0,0 +1,42 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite + recursion in PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86] +CVE: CVE-2023-43786 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PutImage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/PutImage.c b/src/PutImage.c +index 857ee916..a6db7b42 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -914,8 +914,9 @@ PutSubImage ( + req_width, req_height - SubImageHeight, + dest_bits_per_pixel, dest_scanline_pad); + } else { +- int SubImageWidth = (((Available << 3) / dest_scanline_pad) +- * dest_scanline_pad) - left_pad; ++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) ++ * dest_scanline_pad) - left_pad) ++ / dest_bits_per_pixel; + + PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, + (unsigned int) SubImageWidth, 1, +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch new file mode 100644 index 0000000000..4800bedf41 --- /dev/null 
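Review bot: The corrected SubImageWidth can still come out as 0 or negative when `left_pad` and `dest_bits_per_pixel` exceed the padded byte budget derived from `Available` (unlikely with real maximum-request sizes, but nothing in the hunk rules it out), and the else branch then recurses with a 0-wide chunk and an unchanged remainder, which is the same unbounded recursion this patch is fixing; a guard that refuses to recurse when `SubImageWidth <= 0` (returning, or raising an I/O error) before the two PutSubImage() calls closes that hole. PutSubImage() and the code that computes `Available` lie outside the hunk, so the exact bound cannot be confirmed from here.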
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch @@ -0,0 +1,46 @@ +From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Thu, 7 Sep 2023 15:55:04 -0700 +Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width + allowed by protocol + +The PutImage request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), same as the maximum dimensions of an X11 +Drawable, which the image is being copied to. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a] +CVE: CVE-2023-43786 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PutImage.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/PutImage.c b/src/PutImage.c +index a6db7b42..ba411e36 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include "Xlibint.h" + #include "Xutil.h" + #include <stdio.h> ++#include <limits.h> + #include "Cr.h" + #include "ImUtil.h" + #include "reallocarray.h" +@@ -962,6 +963,10 @@ XPutImage ( + height = image->height - req_yoffset; + if ((width <= 0) || (height <= 0)) + return 0; ++ if (width > USHRT_MAX) ++ width = USHRT_MAX; ++ if (height > USHRT_MAX) ++ height = USHRT_MAX; + + if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) { + dest_bits_per_pixel = 1; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch new file mode 100644 index 0000000000..d35d96c4dc --- /dev/null 
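Review bot: XPutImage() now silently clips `width` and `height` to USHRT_MAX, whereas the companion CVE-2023-43787-1 change to XCreatePixmap() forces an out-of-range value to 0 so the server returns BadValue; the two entry points handle the same CARD16 protocol limit in opposite ways and neither comment explains the choice (presumably clipping is acceptable here because the image is sent as sub-requests anyway, but that is not stated). A comment above the clamp, `/* PutImage width/height are CARD16; clip rather than error so the visible part is still drawn */`, or aligning on the BadValue behaviour, would make the intent reviewable. XPutImage() starts and ends outside the hunk.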
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch @@ -0,0 +1,52 @@ +From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Thu, 7 Sep 2023 16:12:27 -0700 +Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for + out-of-range dimensions + +The CreatePixmap request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), so if either is larger than that, set it to 0 +so the X server returns a BadValue error as the protocol requires. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b] +CVE: CVE-2023-43787 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/CrPixmap.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/CrPixmap.c b/src/CrPixmap.c +index cdf31207..3cb2ca6d 100644 +--- a/src/CrPixmap.c ++++ b/src/CrPixmap.c +@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. + #include <config.h> + #endif + #include "Xlibint.h" ++#include <limits.h> + + #ifdef USE_DYNAMIC_XCURSOR + void +@@ -47,6 +48,16 @@ Pixmap XCreatePixmap ( + Pixmap pid; + register xCreatePixmapReq *req; + ++ /* ++ * Force a BadValue X Error if the requested dimensions are larger ++ * than the X11 protocol has room for, since that's how callers expect ++ * to get notified of errors. ++ */ ++ if (width > USHRT_MAX) ++ width = 0; ++ if (height > USHRT_MAX) ++ height = 0; ++ + LockDisplay(dpy); + GetReq(CreatePixmap, req); + req->drawable = d; +-- +2.39.3 + 
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch new file mode 100644 index 0000000000..110bd445df --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch 
@@ -0,0 +1,64 @@ +From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi <yairm@jfrog.com> +Date: Thu, 7 Sep 2023 16:15:32 -0700 +Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage() + leading to a heap overflow + +When the format is `Pixmap` it calculates the size of the image data as: + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +There is no validation on the `width` of the image, and so this +calculation exceeds the capacity of a 4-byte integer, causing an overflow. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] +CVE: CVE-2023-43787 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ImUtil.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 36f08a03..fbfad33e 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include <X11/Xlibint.h> + #include <X11/Xutil.h> + #include <stdio.h> ++#include <limits.h> + #include "ImUtil.h" + + static int _XDestroyImage(XImage *); +@@ -361,13 +362,22 @@ XImage *XCreateImage ( + /* + * compute per line accelerator. 
+ */ +- { +- if (format == ZPixmap) ++ if (format == ZPixmap) { ++ if ((INT_MAX / bits_per_pixel) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +- else ++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); ++ } else { ++ if ((INT_MAX - offset) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((width + offset), image->bitmap_pad); ++ ROUNDUP((width + offset), image->bitmap_pad); + } + if (image_bytes_per_line == 0) { + image->bytes_per_line = min_bytes_per_line; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index 72ab1d4150..248889a1d4 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb @@ -17,6 +17,13 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ file://CVE-2020-14363.patch \ file://CVE-2021-31535.patch \ file://CVE-2022-3554.patch \ + file://CVE-2022-3555.patch \ + file://CVE-2023-3138.patch \ + file://CVE-2023-43785.patch \ + file://CVE-2023-43786-1.patch \ + file://CVE-2023-43786-2.patch \ + file://CVE-2023-43787-1.patch \ + file://CVE-2023-43787-2.patch \ " SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2" diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index fda8e32d2c..4694f911be 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb 
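Review bot: The new guard `if ((INT_MAX / bits_per_pixel) < width)` divides by `bits_per_pixel`, which is assigned outside the hunk (presumably from the pixmap formats the server advertised at connection setup), so a zero value there would turn the overflow check itself into a division by zero; adding `bits_per_pixel <= 0 ||` in front of the comparison makes the check self-contained unless a zero bpp is already rejected earlier in XCreateImage — verify. The check only bounds the per-line size; the `bytes_per_line * height` products that callers compute for their own data buffers are not covered, which is expected since XCreateImage does not allocate the data, but the patch header could say so to avoid over-reading the fix. XCreateImage continues past the hunk.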
@@ -11,17 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \ protocol." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7" +LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff" DEPENDS += "libxext libsm libxt gettext-native" PE = "1" XORG_PN = "libXpm" +XORG_EXT = "tar.xz" +EXTRA_OECONF += "--disable-open-zfile" PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" -SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" -SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" +SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" BBCLASSEXTEND = "native" diff --git a/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch new file mode 100644 index 0000000000..d54ae16b33 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch 
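Review bot: `EXTRA_OECONF += "--disable-open-zfile"` is a security-relevant configuration choice with no comment explaining it; a one-line note above it would stop a later upgrade from silently dropping the flag, e.g. `# --disable-open-zfile (new in 3.5.17) builds out the compressed-file path that runs external (un)compress helpers — the code path behind CVE-2022-4883; verify against the libXpm release notes before changing`. The version bump, the XORG_EXT switch and the checksum change themselves need no review.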
@@ -0,0 +1,34 @@ +CVE: CVE-2022-44638 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +Signed-off-by:Bhabu Bindu <bhabu.bindu@kpit.com> + +From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001 +From: Matt Turner <mattst88@gmail.com> +Date: Wed, 2 Nov 2022 12:07:32 -0400 +Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write + +Thanks to Maddie Stone and Google's Project Zero for discovering this +issue, providing a proof-of-concept, and a great analysis. + +Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 +--- + pixman/pixman-trap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c +index 91766fd..7560405 100644 +--- a/pixman/pixman-trap.c ++++ b/pixman/pixman-trap.c +@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, + + if (f < Y_FRAC_FIRST (n)) + { +- if (pixman_fixed_to_int (i) == 0x8000) ++ if (pixman_fixed_to_int (i) == 0xffff8000) + { + f = 0; /* saturate */ + } +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb index 22e19ba069..5873c19bab 100644 --- a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb +++ b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb @@ -10,6 +10,7 @@ DEPENDS = "zlib" SRC_URI = "https://www.cairographics.org/releases/${BP}.tar.gz \ file://0001-ARM-qemu-related-workarounds-in-cpu-features-detecti.patch \ file://0001-test-utils-Check-for-FE_INVALID-definition-before-us.patch \ + file://CVE-2022-44638.patch \ " SRC_URI[md5sum] = "267a7af290f93f643a1bc74490d9fdd1" SRC_URI[sha256sum] = "da66d6fd6e40aee70f7bd02e4f8f76fc3f006ec879d346bae6a723025cfbdde7" diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc index a566eaa45e..1e8525d874 100644 --- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc +++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc 
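Review bot: `pixman_fixed_to_int (i) == 0xffff8000` compares an `int` with an unsigned constant, so the test only works through the implicit signed-to-unsigned promotion of the left operand and trips `-Wsign-compare`; stating the intent directly, `if (pixman_fixed_to_int (i) == -0x8000)`, or keeping the constant with a comment such as `/* integer part of the most negative 16.16 value, sign-extended; saturate rather than step below it */`, reads better. The value itself is right, and the upstream change is the same. The `Signed-off-by:Bhabu Bindu` trailer is missing the space after the colon.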
@@ -6,8 +6,9 @@ LICENSE = "MIT-X" DEPENDS = "util-macros" XORG_PN = "${BPN}" +XORG_EXT ?= "tar.bz2" -SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2" +SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}" S = "${WORKDIR}/${XORG_PN}-${PV}" diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch new file mode 100644 index 0000000000..efec7b6b4e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch @@ -0,0 +1,40 @@ +From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Sun, 4 Dec 2022 17:40:21 +0000 +Subject: [PATCH 1/3] xkb: proof GetCountedString against request length + attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] +CVE: CVE-2022-3550 +Signed-off-by:Minjae Kim <flowergom@gmail.com> + +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df..bf8aaa3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.17.1 + 
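Review bot: The `Ustream-Status: Backport [...]` trailer is misspelled (the "p" is missing), so the OE tooling that keys on the exact `Upstream-Status:` tag will treat this patch as untagged; it should read `Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]`. The `Signed-off-by:Minjae Kim` line also lacks the space after the colon. The added `client->req_len` check itself matches the described upstream change; _GetCountedString's body continues past the hunk.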
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..a3b977aac9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch 
@@ -0,0 +1,64 @@ +From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Sun, 4 Dec 2022 17:44:00 +0000 +Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] +CVE: CVE-2022-3551 +Signed-off-by:Minjae Kim <flowergom@gmail.com> + +--- + xkb/xkb.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index bf8aaa3..f79d306 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) +- return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } + ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); ++ } + CHK_MASK_LEGAL(0x01, stuff->want, 
XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); + +-- +2.17.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch new file mode 100644 index 0000000000..94cea77edc --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch 
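Review bot: The new `if (status != Success) { ... }` block frees `names.keycodes` through `names.geometry` but does not return, so on a bad component spec or a length mismatch execution falls through to `CHK_MASK_LEGAL` and the rest of ProcXkbGetKbdByName with five dangling pointers in `names` — a use-after-free that the removed `return status;` / `return BadLength;` lines never allowed, unless a `return status;` line was lost when this page collapsed the patch. The fix is `return status;` as the last statement inside that block, which is how the upstream change is understood to read. The function continues well past the hunk, so the later consumers of `names` are not visible here.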
@@ -0,0 +1,49 @@ +From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001 +From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +Date: Sun, 4 Dec 2022 17:46:18 +0000 +Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the + Application menu due to mutaing immutable arrays + +Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object + +Application Specific Backtrace 0: +0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 +1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 +2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 +3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0 +4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119 +5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169 + +Fixes: https://github.com/XQuartz/XQuartz/issues/267 +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> + +Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] +CVE: CVE-2022-3553 +Signed-off-by:Minjae Kim <flowergom@gmail.com> + +--- + hw/xquartz/X11Controller.m | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m +index 3efda50..9870ff2 100644 +--- a/hw/xquartz/X11Controller.m ++++ b/hw/xquartz/X11Controller.m +@@ -467,8 +467,12 @@ extern char *bundle_id_prefix; + self.table_apps = table_apps; + + NSArray * const apps = self.apps; +- if (apps != nil) +- [table_apps addObjectsFromArray:apps]; ++ ++ if (apps != nil) { ++ for (NSArray <NSString *> * row in apps) { ++ [table_apps addObject:row.mutableCopy]; ++ } ++ } + + columns = [apps_table tableColumns]; + [[columns objectAtIndex:0] setIdentifier:@"0"]; +-- +2.17.1 + 
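Review bot: This patch only touches `hw/xquartz/X11Controller.m`, the macOS-only XQuartz front end, which an OpenEmbedded xserver-xorg build does not compile, so it cannot change any shipped binary; carrying it for CVE bookkeeping is fine but the recipe or patch header should say so, e.g. `# CVE-2022-3553 is XQuartz/macOS-only; patch carried so cve-check reports it as addressed`, so nobody assumes a Linux-side fix was applied. The `Signed-off-by:Minjae Kim` trailer is also missing the space after the colon. The mutable-copy loop itself matches the referenced upstream change.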
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch new file mode 100644 index 0000000000..3f6b68fea8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch @@ -0,0 +1,39 @@ +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 5 Dec 2022 15:55:54 +1000 +Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it + +Unlike other elements of the keymap, this pointer was freed but not +reset. On a subsequent XkbGetKbdByName request, the server may access +already freed memory. + +CVE-2022-4283, ZDI-CAN-19530 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c] +CVE: CVE-2022-4283 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + xkb/xkbUtils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c +index 8975ade..9bc51fc 100644 +--- a/xkb/xkbUtils.c ++++ b/xkb/xkbUtils.c +@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst) + } + else { + free(dst->names->radio_groups); ++ dst->names->radio_groups = NULL; + } + dst->names->num_rg = src->names->num_rg; + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch new file mode 100644 index 0000000000..a6c97485cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch 
@@ -0,0 +1,55 @@ +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 12:55:45 +1000 +Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput + +XTestSwapFakeInput assumes all events in this request are +sizeof(xEvent) and iterates through these in 32-byte increments. +However, a GenericEvent may be of arbitrary length longer than 32 bytes, +so any GenericEvent in this list would result in subsequent events to be +misparsed. + +Additional, the swapped event is written into a stack-allocated struct +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, +swapping the event may thus smash the stack like an avocado on toast. + +Catch this case early and return BadValue for any GenericEvent. +Which is what would happen in unswapped setups anyway since XTest +doesn't support GenericEvent. + +CVE-2022-46340, ZDI-CAN 19265 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63] +CVE: CVE-2022-46340 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xext/xtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Xext/xtest.c b/Xext/xtest.c +index 38b8012..bf11789 100644 +--- a/Xext/xtest.c ++++ b/Xext/xtest.c +@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) + + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); + for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { ++ int evtype = ev->u.u.type & 0x177; + /* Swap event */ +- proc = EventSwapVector[ev->u.u.type & 0177]; ++ proc = EventSwapVector[evtype]; + /* no swapping proc; invalid event type? 
*/ +- if (!proc || proc == NotImplemented) { ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) { + client->errorValue = ev->u.u.type; + return BadValue; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch new file mode 100644 index 0000000000..0ef6e5fc9f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch 
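Review bot: The mask in `int evtype = ev->u.u.type & 0x177;` is wrong: the line it replaces used octal `0177` (0x7F, i.e. strip the send_event bit), whereas `0x177` applied to an 8-bit `type` is effectively `& 0x77` and also clears bit 3. Core event types with that bit set (8–15, 24–31, …) are then looked up under the wrong `EventSwapVector` index and either rejected or swapped by the wrong routine; XTest's own KeyPress..MotionNotify (2–6) happen to be unaffected, which is why this would not surface in normal use. It should be `int evtype = ev->u.u.type & 0177;`. The GenericEvent (35) rejection still works under either mask, so the CVE itself is covered.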
@@ -0,0 +1,86 @@ +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:55:32 +1000 +Subject: [PATCH] Xi: disallow passive grabs with a detail > 255 + +The XKB protocol effectively prevents us from ever using keycodes above +255. For buttons it's theoretically possible but realistically too niche +to worry about. For all other passive grabs, the detail must be zero +anyway. + +This fixes an OOB write: + +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a +temporary grab struct which contains tempGrab->detail.exact = stuff->detail. +For matching existing grabs, DeleteDetailFromMask is called with the +stuff->detail value. This function creates a new mask with the one bit +representing stuff->detail cleared. + +However, the array size for the new mask is 8 * sizeof(CARD32) bits, +thus any detail above 255 results in an OOB array write. + +CVE-2022-46341, ZDI-CAN 19381 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b] +CVE: CVE-2022-46341 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xi/xipassivegrab.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index d30f51f..89a5910 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) + return BadValue; + } + ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never ++ * implement this. Just return an error for all keycodes that ++ * cannot work anyway, same for buttons > 255. 
*/ ++ if (stuff->detail > 255) ++ return XIAlreadyGrabbed; ++ + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], + stuff->mask_len * 4) != Success) + return BadValue; +@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) + ¶m, XI2, &mask); + break; + case XIGrabtypeKeycode: +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never +- * implement this. Just return an error for all keycodes that +- * cannot work anyway */ +- if (stuff->detail > 255) +- status = XIAlreadyGrabbed; +- else +- status = GrabKey(client, dev, mod_dev, stuff->detail, +- ¶m, XI2, &mask); ++ status = GrabKey(client, dev, mod_dev, stuff->detail, ++ ¶m, XI2, &mask); + break; + case XIGrabtypeEnter: + case XIGrabtypeFocusIn: +@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) + return BadValue; + } + ++ /* We don't allow passive grabs for details > 255 anyway */ ++ if (stuff->detail > 255) { ++ client->errorValue = stuff->detail; ++ return BadValue; ++ } ++ + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); + if (rc != Success) + return rc; +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch 
@@ -0,0 +1,78 @@ +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 30 Nov 2022 11:20:40 +1000 +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same + client + +This fixes a use-after-free bug: + +When a client first calls XvdiSelectVideoNotify() on a drawable with a +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct +is added twice to the resources: + - as the drawable's XvRTVideoNotifyList. This happens only once per + drawable, subsequent calls append to this list. + - as the client's XvRTVideoNotify. This happens for every client. + +The struct keeps the ClientPtr around once it has been added for a +client. The idea, presumably, is that if the client disconnects we can remove +all structs from the drawable's list that match the client (by resetting +the ClientPtr to NULL), but if the drawable is destroyed we can remove +and free the whole list. + +However, if the same client then calls XvdiSelectVideoNotify() on the +same drawable with a FALSE onoff argument, only the ClientPtr on the +existing struct was set to NULL. The struct itself remained in the +client's resources. + +If the drawable is now destroyed, the resource system invokes +XvdiDestroyVideoNotifyList which frees the whole list for this drawable +- including our struct. This function however does not free the resource +for the client since our ClientPtr is NULL. + +Later, when the client is destroyed and the resource system invokes +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On +a struct that has been freed previously. This is generally frowned upon. + +Fix this by calling FreeResource() on the second call instead of merely +setting the ClientPtr to NULL. This removes the struct from the client +resources (but not from the list), ensuring that it won't be accessed +again when the client quits. 
+ +Note that the assignment tpn->client = NULL; is superfluous since the +XvdiDestroyVideoNotify function will do this anyway. But it's left for +clarity and to match a similar invocation in XvdiSelectPortNotify. + +CVE-2022-46342, ZDI-CAN 19400 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b] +CVE: CVE-2022-46342 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xext/xvmain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xext/xvmain.c b/Xext/xvmain.c +index c520c7d..5f4c174 100644 +--- a/Xext/xvmain.c ++++ b/Xext/xvmain.c +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) + tpn = pn; + while (tpn) { + if (tpn->client == client) { +- if (!onoff) ++ if (!onoff) { + tpn->client = NULL; ++ FreeResource(tpn->id, XvRTVideoNotify); ++ } + return Success; + } + if (!tpn->client) +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch new file mode 100644 index 0000000000..838f7d3726 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch 
@@ -0,0 +1,51 @@ +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 14:53:07 +1000 +Subject: [PATCH] Xext: free the screen saver resource when replacing it + +This fixes a use-after-free bug: + +When a client first calls ScreenSaverSetAttributes(), a struct +ScreenSaverAttrRec is allocated and added to the client's +resources. + +When the same client calls ScreenSaverSetAttributes() again, a new +struct ScreenSaverAttrRec is allocated, replacing the old struct. The +old struct was freed but not removed from the clients resources. + +Later, when the client is destroyed the resource system invokes +ScreenSaverFreeAttr and attempts to clean up the already freed struct. + +Fix this by letting the resource system free the old attrs instead. + +CVE-2022-46343, ZDI-CAN 19404 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900] +CVE: CVE-2022-46343 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xext/saver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xext/saver.c b/Xext/saver.c +index c23907d..05b9ca3 100644 +--- a/Xext/saver.c ++++ b/Xext/saver.c +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) + pVlist++; + } + if (pPriv->attr) +- FreeScreenAttr(pPriv->attr); ++ FreeResource(pPriv->attr->resource, AttrType); + pPriv->attr = pAttr; + pAttr->resource = FakeClientID(client->index); + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) +-- +2.25.1 + 
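Review bot: `FreeResource(pPriv->attr->resource, AttrType)` now runs the AttrType delete callback before `pPriv->attr = pAttr` on the next line; that callback (ScreenSaverFreeAttr, outside the hunk) presumably clears `pPriv->attr` and may call the screen-private cleanup, and if that cleanup can free the private when no window, event mask or colormap keeps it alive, the following `pPriv->attr = pAttr` writes into freed memory. Worth confirming against saver.c, and if so re-fetching the private after the call (with the same allocator this function used earlier) before assigning `pAttr`. The rest of ScreenSaverSetAttributes is outside the hunk.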
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch new file mode 100644 index 0000000000..e25afa0d16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch 
@@ -0,0 +1,75 @@ +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:26:57 +1000 +Subject: [PATCH] Xi: avoid integer truncation in length check of + ProcXIChangeProperty + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->num_items value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->num_items bytes, i.e. 4GB. + +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, +so let's fix that too. + +CVE-2022-46344, ZDI-CAN 19405 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8] +CVE: CVE-2022-46344 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xi/xiproperty.c | 4 ++-- + dix/property.c | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 6ec419e..0cfa6e3 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) + REQUEST(xChangeDevicePropertyReq); + DeviceIntPtr dev; + unsigned long len; +- int totalSize; ++ uint64_t totalSize; + int rc; + + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); +@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client) + { + int rc; + DeviceIntPtr dev; +- int totalSize; ++ uint64_t totalSize; + unsigned long len; + + 
REQUEST(xXIChangePropertyReq); +diff --git a/dix/property.c b/dix/property.c +index ff1d669..6fdb74a 100644 +--- a/dix/property.c ++++ b/dix/property.c +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) + WindowPtr pWin; + char format, mode; + unsigned long len; +- int sizeInBytes, totalSize, err; ++ int sizeInBytes, err; ++ uint64_t totalSize; + + REQUEST(xChangePropertyReq); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch new file mode 100644 index 0000000000..ef2ee5d55e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch @@ -0,0 +1,38 @@ +From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 25 Jan 2023 11:41:40 +1000 +Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses + +CVE-2023-0494, ZDI-CAN-19596 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec] +CVE: CVE-2023-0494 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/exevents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 217baa9561..dcd4efb3bc 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + memcpy(to->button->xkb_acts, from->button->xkb_acts, + sizeof(XkbAction)); + } +- else ++ else { + free(to->button->xkb_acts); ++ to->button->xkb_acts = NULL; ++ } + + memcpy(to->button->labels, from->button->labels, + from->button->numButtons * sizeof(Atom)); +-- +GitLab + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch new file mode 100644 index 0000000000..51d0e0cab6 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch @@ -0,0 +1,46 @@ +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 13 Mar 2023 11:08:47 +0100 +Subject: [PATCH] composite: Fix use-after-free of the COW + +ZDI-CAN-19866/CVE-2023-1393 + +If a client explicitly destroys the compositor overlay window (aka COW), +we would leave a dangling pointer to that window in the CompScreen +structure, which will trigger a use-after-free later. + +Make sure to clear the CompScreen pointer to the COW when the latter gets +destroyed explicitly by the client. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Reviewed-by: Adam Jackson <ajax@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110] +CVE: CVE-2023-1393 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + composite/compwindow.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/composite/compwindow.c b/composite/compwindow.c +index 4e2494b86b..b30da589e9 100644 +--- a/composite/compwindow.c ++++ b/composite/compwindow.c +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) + ret = (*pScreen->DestroyWindow) (pWin); + cs->DestroyWindow = pScreen->DestroyWindow; + pScreen->DestroyWindow = compDestroyWindow; ++ ++ /* Did we just destroy the overlay window? */ ++ if (pWin == cs->pOverlayWin) ++ cs->pOverlayWin = NULL; ++ + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ + return ret; + } +-- +GitLab + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch new file mode 100644 index 0000000000..508588481e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch 
@@ -0,0 +1,84 @@ +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 3 Oct 2023 11:53:05 +1000 +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend + +The handling of appending/prepending properties was incorrect, with at +least two bugs: the property length was set to the length of the new +part only, i.e. appending or prepending N elements to a property with P +existing elements always resulted in the property having N elements +instead of N + P. + +Second, when pre-pending a value to a property, the offset for the old +values was incorrect, leaving the new property with potentially +uninitalized values and/or resulting in OOB memory writes. +For example, prepending a 3 element value to a 5 element property would +result in this 8 value array: + [N, N, N, ?, ?, P, P, P ] P, P + ^OOB write + +The XI2 code is a copy/paste of the RandR code, so the bug exists in +both. + +CVE-2023-5367, ZDI-CAN-22153 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a] +CVE: CVE-2023-5367 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/xiproperty.c | 4 ++-- + randr/rrproperty.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 066ba21fba..d315f04d0e 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + XIDestroyDeviceProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + case PropModePrepend: + new_data = 
new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c6..25469f57b2 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + RRDestroyOutputProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..720340d83b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch 
@@ -0,0 +1,102 @@ +From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 5 Oct 2023 12:19:45 +1000 +Subject: [PATCH] mi: reset the PointerWindows reference on screen switch + +PointerWindows[] keeps a reference to the last window our sprite +entered - changes are usually handled by CheckMotion(). + +If we switch between screens via XWarpPointer our +dev->spriteInfo->sprite->win is set to the new screen's root window. +If there's another window at the cursor location CheckMotion() will +trigger the right enter/leave events later. If there is not, it skips +that process and we never trigger LeaveWindow() - PointerWindows[] for +the device still refers to the previous window. + +If that window is destroyed we have a dangling reference that will +eventually cause a use-after-free bug when checking the window hierarchy +later. + +To trigger this, we require: +- two protocol screens +- XWarpPointer to the other screen's root window +- XDestroyWindow before entering any other window + +This is a niche bug so we hack around it by making sure we reset the +PointerWindows[] entry so we cannot have a dangling pointer. This +doesn't handle Enter/Leave events correctly but the previous code didn't +either. 
+ +CVE-2023-5380, ZDI-CAN-21608 + +This vulnerability was discovered by: +Sri working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Adam Jackson <ajax@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] +CVE: CVE-2023-5380 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + dix/enterleave.h | 2 -- + include/eventstr.h | 3 +++ + mi/mipointer.c | 17 +++++++++++++++-- + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/dix/enterleave.h b/dix/enterleave.h +index 4b833d8..e8af924 100644 +--- a/dix/enterleave.h ++++ b/dix/enterleave.h +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, + + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); + +-extern void LeaveWindow(DeviceIntPtr dev); +- + extern void CoreFocusEvent(DeviceIntPtr kbd, + int type, int mode, int detail, WindowPtr pWin); + +diff --git a/include/eventstr.h b/include/eventstr.h +index bf3b95f..2bae3b0 100644 +--- a/include/eventstr.h ++++ b/include/eventstr.h +@@ -296,4 +296,7 @@ union _InternalEvent { + #endif + }; + ++extern void ++LeaveWindow(DeviceIntPtr dev); ++ + #endif +diff --git a/mi/mipointer.c b/mi/mipointer.c +index 75be1ae..b12ae9b 100644 +--- a/mi/mipointer.c ++++ b/mi/mipointer.c +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) + #ifdef PANORAMIX + && noPanoramiXExtension + #endif +- ) +- UpdateSpriteForScreen(pDev, pScreen); ++ ) { ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); ++ /* Hack for CVE-2023-5380: if we're moving ++ * screens PointerWindows[] keeps referring to the ++ * old window. If that gets destroyed we have a UAF ++ * bug later. Only happens when jumping from a window ++ * to the root window on the other screen. ++ * Enter/Leave events are incorrect for that case but ++ * too niche to fix. 
++ */ ++ LeaveWindow(pDev); ++ if (master) ++ LeaveWindow(master); ++ UpdateSpriteForScreen(pDev, pScreen); ++ } + } + + /** +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch new file mode 100644 index 0000000000..0abd5914fa --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch 
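Review bot: The LeaveWindow prototype is moved from dix/enterleave.h into include/eventstr.h, a header that otherwise only describes event structures, and is appended after the `union _InternalEvent` definition rather than next to other prototypes; that placement is a style concern for anyone later looking for dix entry points, and it assumes eventstr.h already has DeviceIntPtr in scope (its includes are outside the hunk). A short comment on the declaration, `/* dix/enterleave.c; exported here so mi/mipointer.c can reset PointerWindows[] (CVE-2023-5380) */`, would explain why it lives there. Also, when pDev is itself the master pointer, GetMaster() presumably returns pDev, so LeaveWindow runs twice on the same device in the mipointer.c hunk; that is harmless only if LeaveWindow is idempotent, which cannot be confirmed from the hunk. miPointerWarpCursor continues outside the hunk.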
@@ -0,0 +1,79 @@ +From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH] Xi: allocate enough XkbActions for our buttons + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd] +CVE: CVE-2023-6377 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index dcd4efb3bc..54ea11a938 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else { + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index b063128df0..3f3224d626 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ 
-2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch new file mode 100644 index 0000000000..6392eae3f8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch 
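Review bot: In the dix/devices.c hunk the memset after xnfreallocarray only zeroes entries from last_num_buttons upward, so if master->button->xkb_acts is NULL on entry (reallocating from NULL behaves like malloc) the first last_num_buttons XkbAction slots are left uninitialized and will later be read as button actions; the `else` branch visible in the Xi/exevents.c hunk frees the array when the source device has none, so a NULL value here looks reachable. I would zero the whole array in that case, e.g. `if (!master->button->xkb_acts) last_num_buttons = 0;` immediately before the xnfreallocarray call, or use calloc when the old pointer is NULL. RecalculateMasterButtons continues outside the hunk, so if an earlier check already guarantees a non-NULL array this can be dropped.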
@@ -0,0 +1,63 @@ +From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH] randr: avoid integer truncation in length check of + ProcRRChange*Property + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] +CVE: CVE-2023-6478 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index 25469f57b2..c4fef8a1f6 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index b79c17f9bf..90c5a9a933 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ 
ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch 
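Review bot: Widening totalSize to uint64_t in ProcRRChangeOutputProperty and ProcRRChangeProviderProperty only helps if the product feeding it is computed in 64 bits; `len` stays `unsigned long`, which is 32 bits on the ILP32 targets this layer commonly builds for, so `len * sizeInBytes` (outside the hunk) is still 32-bit arithmetic that can wrap before the assignment unless `len` is bounded earlier. If the preceding nUnits range check caps len below 2^30 the product fits, but that check is not in the hunk, so it is worth confirming in this tree or making the intent explicit with `totalSize = (uint64_t) len * sizeInBytes;`. Both function bodies continue outside the hunk.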
@@ -0,0 +1,55 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3] +CVE: CVE-2023-6816 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a444..2b05ac5f39 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec74363..ded8679d76 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? 
bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..80ebc64e59 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch 
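Review bot: The bit count 256 is now hard-coded in two places (ProcXIQueryPointer and DeviceFocusEvent) with only a comment tying it to the CARD8 logical button map, so the two can silently drift apart. If this tree's include/input.h defines MAX_BUTTONS as 256, `rep.buttons_len = bytes_to_int32(bits_to_bytes(MAX_BUTTONS));` and `btlen = (mouse->button) ? bits_to_bytes(MAX_BUTTONS) : 0;` state the intent directly; otherwise one shared `#define` with the comment attached would do. The loop that fills `buttons` from the logical map is outside the hunk, so whether it needs the same bound cannot be seen here.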
@@ -0,0 +1,87 @@ +From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 18 Dec 2023 14:27:50 +1000 +Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify + +If a device has both a button class and a key class and numButtons is +zero, we can get an OOB write due to event under-allocation. + +This function seems to assume a device has either keys or buttons, not +both. It has two virtually identical code paths, both of which assume +they're applying to the first event in the sequence. + +A device with both a key and button class triggered a logic bug - only +one xEvent was allocated but the deviceStateNotify pointer was pushed on +once per type. So effectively this logic code: + + int count = 1; + if (button && nbuttons > 32) count++; + if (key && nbuttons > 0) count++; + if (key && nkeys > 32) count++; // this is basically always true + // count is at 2 for our keys + zero button device + + ev = alloc(count * sizeof(xEvent)); + FixDeviceStateNotify(ev); + if (button) + FixDeviceStateNotify(ev++); + if (key) + FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here + +If the device has more than 3 valuators, the OOB is pushed back - we're +off by one so it will happen when the last deviceValuator event is +written instead. + +Fix this by allocating the maximum number of events we may allocate. +Note that the current behavior is not protocol-correct anyway, this +patch fixes only the allocation issue. + +Note that this issue does not trigger if the device has at least one +button. While the server does not prevent a button class with zero +buttons, it is very unlikely. 
+ +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index ded8679d76..17964b00a4 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -675,7 +675,8 @@ static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { + int evcount = 1; +- deviceStateNotify *ev, *sev; ++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; ++ deviceStateNotify *ev; + deviceKeyStateNotify *kev; + deviceButtonStateNotify *bev; + +@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + } + } + +- sev = ev = xallocarray(evcount, sizeof(xEvent)); ++ ev = sev; + FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); + + if (b != NULL) { +@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, + DeviceStateNotifyMask, NullGrab); +- free(sev); + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..65df74376b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch 
@@ -0,0 +1,221 @@ +From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 18 Dec 2023 12:26:20 +1000 +Subject: [PATCH] dix: fix DeviceStateNotify event calculation + +The previous code only made sense if one considers buttons and keys to +be mutually exclusive on a device. That is not necessarily true, causing +a number of issues. + +This function allocates and fills in the number of xEvents we need to +send the device state down the wire. This is split across multiple +32-byte devices including one deviceStateNotify event and optional +deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) +deviceValuator events. + +The previous behavior would instead compose a sequence +of [state, buttonstate, state, keystate, valuator...]. This is not +protocol correct, and on top of that made the code extremely convoluted. + +Fix this by streamlining: add both button and key into the deviceStateNotify +and then append the key state and button state, followed by the +valuators. Finally, the deviceValuator events contain up to 6 valuators +per event but we only ever sent through 3 at a time. Let's double that +troughput. 
+ +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- + 1 file changed, 52 insertions(+), 69 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 17964b00a4..7b7ba1098b 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + + ev->type = DeviceValuator; + ev->deviceid = dev->id; +- ev->num_valuators = nval < 3 ? nval : 3; ++ ev->num_valuators = nval < 6 ? nval : 6; + ev->first_valuator = first; + switch (ev->num_valuators) { ++ case 6: ++ ev->valuator2 = v->axisVal[first + 5]; ++ case 5: ++ ev->valuator2 = v->axisVal[first + 4]; ++ case 4: ++ ev->valuator2 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->valuator0 = v->axisVal[first]; + break; + } +- first += ev->num_valuators; + } + + static void +@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + ev->num_buttons = b->numButtons; + memcpy((char *) ev->buttons, (char *) b->down, 4); + } +- else if (k) { ++ if (k) { + ev->classes_reported |= (1 << KeyClass); + ev->num_keys = k->xkbInfo->desc->max_key_code - + k->xkbInfo->desc->min_key_code; +@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + } + } + +- ++/** ++ * The device state notify event is split across multiple 32-byte events. ++ * The first one contains the first 32 button state bits, the first 32 ++ * key state bits, and the first 3 valuator values. 
++ * ++ * If a device has more than that, the server sends out: ++ * - one deviceButtonStateNotify for buttons 32 and above ++ * - one deviceKeyStateNotify for keys 32 and above ++ * - one deviceValuator event per 6 valuators above valuator 4 ++ * ++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, ++ */ + static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { ++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify ++ * and one deviceValuator for each 6 valuators */ ++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; + int evcount = 1; +- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; +- deviceStateNotify *ev; +- deviceKeyStateNotify *kev; +- deviceButtonStateNotify *bev; ++ deviceStateNotify *ev = sev; + + KeyClassPtr k; + ButtonClassPtr b; +@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + if ((b = dev->button) != NULL) { + nbuttons = b->numButtons; +- if (nbuttons > 32) ++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; + } + if ((k = dev->key) != NULL) { + nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; +- if (nkeys > 32) ++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; +- if (nbuttons > 0) { +- evcount++; +- } + } + if ((v = dev->valuator) != NULL) { + nval = v->numAxes; +- +- if (nval > 3) +- evcount++; +- if (nval > 6) { +- if (!(k && b)) +- evcount++; +- if (nval > 9) +- evcount += ((nval - 7) / 3); +- } ++ /* first three are encoded in deviceStateNotify, then ++ * it's 6 per deviceValuator event */ ++ evcount += ((nval - 3) + 6)/6; + } + +- ev = sev; +- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); +- +- if (b != NULL) { +- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); +- first += 3; +- nval -= 3; +- if (nbuttons > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- bev = (deviceButtonStateNotify *) ev++; +- bev->type = DeviceButtonStateNotify; +- 
bev->deviceid = dev->id; +- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], +- DOWN_LENGTH - 4); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); ++ ++ FixDeviceStateNotify(dev, ev, k, b, v, first); ++ ++ if (b != NULL && nbuttons > 32) { ++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ bev->type = DeviceButtonStateNotify; ++ bev->deviceid = dev->id; ++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], ++ DOWN_LENGTH - 4); + } + +- if (k != NULL) { +- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nkeys > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- kev = (deviceKeyStateNotify *) ev++; +- kev->type = DeviceKeyStateNotify; +- kev->deviceid = dev->id; +- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ if (k != NULL && nkeys > 32) { ++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ kev->type = DeviceKeyStateNotify; ++ kev->deviceid = dev->id; ++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); + } + ++ first = 3; ++ nval -= 3; + while (nval > 0) { +- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ ev->deviceid |= MORE_EVENTS; ++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); ++ first += 6; ++ nval -= 6; + } + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, +-- +GitLab + 
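Review bot: The three new cases in FixDeviceValuator all store into `ev->valuator2`, so for events carrying 4–6 valuators the valuator3, valuator4 and valuator5 fields are never written (and, since `sev` has no initializer in the hunk and no clearing of the event is visible before line 615, they go out holding stack contents) while valuator2 is simply overwritten by the fallthrough to case 3; the stores should target `valuator5`, `valuator4` and `valuator3`. Separately, `evcount += ((nval - 3) + 6)/6` in DeliverStateNotifyEvent counts one deviceValuator event too many whenever nval - 3 is a non-negative multiple of 6 (nval of 3, 9, 15, …): the while loop sends nothing extra for those, yet DeliverEventsToWindow is handed the larger `evcount`, so a trailing uninitialized 32-byte event from `sev` is delivered to the client. The count should be the ceiling of (nval - 3)/6 for nval > 3 and zero otherwise. DeliverStateNotifyEvent continues past the end of the hunk.
```c
    case 6:
        ev->valuator5 = v->axisVal[first + 5];
    case 5:
        ev->valuator4 = v->axisVal[first + 4];
    case 4:
        ev->valuator3 = v->axisVal[first + 3];
    /* … unchanged: cases 3, 2, 1 … */

    /* … unchanged: DeliverStateNotifyEvent up to the valuator class check … */
    if ((v = dev->valuator) != NULL) {
        nval = v->numAxes;
        /* first three are encoded in deviceStateNotify, then
         * it's 6 per deviceValuator event */
        if (nval > 3)
            evcount += (nval - 3 + 5) / 6;
    }
```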
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..742c122fa8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch @@ -0,0 +1,41 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a938..e161714682 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..d1a6214793 --- /dev/null 
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch @@ -0,0 +1,45 @@ +From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 21 Dec 2023 14:10:11 +1000 +Subject: [PATCH] Xi: require a pointer and keyboard device for + XIAttachToMaster + +If we remove a master device and specify which other master devices +attached slaves should be returned to, enforce that those two are +indeeed a pointer and a keyboard. + +Otherwise we can try to attach the keyboards to pointers and vice versa, +leading to possible crashes later. + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/xichangehierarchy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 504defe566..d2d985848d 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newptr)) { ++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) { + client->errorValue = r->return_pointer; + rc = BadDevice; + goto unwind; +@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newkeybd)) { ++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) { + client->errorValue = r->return_keyboard; + rc = BadDevice; + goto unwind; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch new file mode 100644 index 0000000000..c8f75d8a7e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch 
@@ -0,0 +1,64 @@ +From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH] glx: Call XACE hooks on the GLX buffer + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley <donn@xmission.com> for providing the patch. 
+ +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Acked-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3] +CVE: CVE-2024-0408 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index fc26a2e345..1e46d0c723 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch new file mode 100644 index 0000000000..9763e0b562 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch 
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+ sizeof(ephyrCursorRec)))
+ return FALSE;
+ 
+-- 
+2.25.1
+
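Review bot: Only hw/kdrive/ephyr/ephyrcursor.c is patched although the subject names xwayland too; upstream presumably had already moved Xwayland to its own repository by this commit, but xserver 1.20.14 still builds hw/xwayland from this source tree, so an in-tree Xwayland cursor key registered with `PRIVATE_CURSOR_BITS`, if one exists there, would keep the same devPrivates collision with XSELINUX. Worth checking before treating this backport as closing CVE-2024-0409 for Xwayland builds. A short comment at the registration, `/* key belongs to the cursor itself, not its bits: the bits' devPrivates live inside the cursor and would collide with XSELINUX's */`, would also stop the key from being "corrected" back.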
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
new file mode 100644
index 0000000000..7c8fbcc3ec
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+ devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+ size_t len; /* length of data remaining in request */
+ int rc = Success;
+ int flags[MAXDEVICES] = { 0 };
++ enum {
++ NO_CHANGE,
++ FLUSH,
++ CHANGED,
++ } changes = NO_CHANGE;
+ 
+ REQUEST(xXIChangeHierarchyReq);
+ REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = 
add_master(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIRemoveMaster:
+ {
+ xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = remove_master(client, r, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIDetachSlave:
+ {
+ xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = detach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = CHANGED;
+ break;
++ }
+ case XIAttachSlave:
+ {
+ xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = attach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
++ changes = CHANGED;
++ break;
+ }
++ default:
+ break;
+ }
+ 
++ if (changes == FLUSH) {
++ XISendDeviceHierarchyEvent(flags);
++ memset(flags, 0, sizeof(flags));
++ changes = NO_CHANGE;
++ }
++
+ len -= any->length * 4;
+ any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+ }
+ 
+ unwind:
+-
+- XISendDeviceHierarchyEvent(flags);
++ if (changes != NO_CHANGE)
++ XISendDeviceHierarchyEvent(flags);
+ return rc;
+ }
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
new file mode 100644
index 0000000000..1e1c782963
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
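Review bot: The new `changes` enum in ProcXIChangeHierarchy has no comment explaining why XIAddMaster/XIRemoveMaster set FLUSH while XIAttachSlave/XIDetachSlave only set CHANGED, which is the whole substance of the fix; the commit message has it but the code does not. I would add above the enum: `/* A master add/remove is flushed at once: a device ID removed and re-added in one request would otherwise produce two entries in the MAXDEVICES-sized event buffer. Slave attach/detach only accumulates into flags. */`. Note too that CHANGED is never reset (only FLUSH is), so the `unwind:` path still sends pending slave flags after a later error or at the end of the request; that looks intentional, and a one-line comment at the `if (changes != NO_CHANGE)` would make it explicit. ProcXIChangeHierarchy begins before the hunk.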
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+ DeviceIntPtr *prev, other;
+ BOOL enabled;
++ BOOL dev_in_devices_list = FALSE;
+ int flags[MAXDEVICES] = { 0 };
+ 
+ if (!dev->enabled)
+ return TRUE;
+ 
+- for (prev = &inputInfo.devices;
+- *prev && (*prev != dev); prev = &(*prev)->next);
+- if (*prev != dev)
++ for (other = inputInfo.devices; other; other = other->next) {
++ if (other == dev) {
++ dev_in_devices_list = TRUE;
++ break;
++ }
++ 
}
++
++ if (!dev_in_devices_list)
+ return FALSE;
+ 
+ TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ LeaveWindow(dev);
+ SetFocusOut(dev);
+ 
++ for (prev = &inputInfo.devices;
++ *prev && (*prev != dev); prev = &(*prev)->next);
++
+ *prev = dev->next;
+ dev->next = inputInfo.off_devices;
+ inputInfo.off_devices = dev;
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
new file mode 100644
index 0000000000..af607df4f0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
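Review bot: The relocated `prev` search at the bottom of DisableDevice keeps the empty-body `for (...);` form that the first hunk just replaced with a braced loop for the membership check; the trailing semicolon reads like a dropped body, so write it with braces or put the empty statement on its own line, consistent with the new code above. Whether `dev` can leave inputInfo.devices during the recursive DisableDevice() calls that run between the two loops is not visible here; if it can, the search ends with `*prev == NULL` and `*prev = dev->next` silently rewrites the list tail's next pointer, so a `BUG_WARN(!*prev);` before the assignment would at least make that state loud. A comment on the second loop, `/* prev is looked up only now: the recursive DisableDevice() above may have unlinked the device we cached before */`, would record why the search moved. DisableDevice's body continues outside both hunks.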
@@ -0,0 +1,57 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+ too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
++
++ for (other = inputInfo.off_devices; other; other = other->next) {
++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++ AttachDevice(NULL, other, NULL);
++ flags[other->id] |= XISlaveDetached;
++ }
++ }
+ }
+ else {
+ for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+ dev->master = NULL;
+ }
+ 
++ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++ if (!IsMaster(dev) && !IsFloating(dev))
++ dev->master = NULL;
++ }
++
+ CloseDeviceList(&inputInfo.devices);
+ CloseDeviceList(&inputInfo.off_devices);
+ 
+-- 
+GitLab
+
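Review bot: The new off_devices loop in DisableDevice calls `AttachDevice(NULL, other, NULL)` on a device that is already disabled, and whether AttachDevice is safe for a device absent from inputInfo.devices (it sits on off_devices) is not visible in this hunk; the CloseDownDevices hunk just clears `dev->master` directly for the same set of devices, so it is worth confirming that the two paths agree on what "floated" means for a disabled slave. The loop also marks `flags[other->id] |= XISlaveDetached`, so the hierarchy event now reports a detach for a device clients consider disabled, which seems intended but deserves a comment such as `/* disabled slaves still hold a master pointer; float them too so the master can be freed safely */`. The enclosing DisableDevice body starts and ends outside the hunk.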
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 0000000000..da735efb2b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+ 
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+ 
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+ 
+ free(buffer);
+ return Success;
+-- 
+GitLab
+
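Review bot: The save-before-swap fix is applied here and identically in the CVE-2024-31081 hunk for ProcXIPassiveGrabDevice, but nothing in either hunk stops the same mistake from recurring: `reply.length` stays in scope after WriteReplyToClient() and still reads naturally as a host-order byte count. A comment on the new declaration, `uint32_t length; /* reply.length is byte-swapped in place by WriteReplyToClient for swapped clients; never read it after that call */`, documents the trap where the variable is introduced rather than only at the use site. Any other ProcXI* reply path in this tree that reads a reply's length field after WriteReplyToClient() has the same problem and is worth a grep when picking up these two backports.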
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 0000000000..d2c551a0e5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+ 
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+ 
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+ 
+ out:
+ free(modifiers_failed);
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index d176f390a4..04a6e734ef 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -5,7 +5,34 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
 file://0001-test-xtest-Initialize-array-with-braces.patch \
 file://sdksyms-no-build-path.patch \
 file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
- "
+ file://CVE-2022-3550.patch \
+ file://CVE-2022-3551.patch \
+ file://CVE-2022-3553.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
+ file://CVE-2023-0494.patch \
+ file://CVE-2023-1393.patch \
+ file://CVE-2023-5367.patch \
+ file://CVE-2023-5380.patch \
+ file://CVE-2023-6377.patch \
+ file://CVE-2023-6478.patch \
+ file://CVE-2023-6816.patch \
+ file://CVE-2024-0229-1.patch \
+ file://CVE-2024-0229-2.patch \
+ file://CVE-2024-0229-3.patch \
+ file://CVE-2024-0229-4.patch \
+ file://CVE-2024-21885.patch \
+ file://CVE-2024-21886-1.patch \
+ file://CVE-2024-21886-2.patch \
+ file://CVE-2024-0408.patch \
+ file://CVE-2024-0409.patch \
+ file://CVE-2024-31081.patch \
+ file://CVE-2024-31080.patch \
+"
 
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
|