aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch')
-rw-r--r--meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch139
1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000000..a3ba41f505
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
+From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 05:31:08 +0200
+Subject: [PATCH] state: Store mask as reference
+
+Instead of immediately looking up the mask, store the reference and look
+it up on use.
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-cairo-draw.c | 6 +++++-
+ rsvg-mask.c | 17 -----------------
+ rsvg-mask.h | 2 --
+ rsvg-styles.c | 12 ++++++++----
+ rsvg-styles.h | 2 +-
+ 5 files changed, 14 insertions(+), 25 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ cairo_set_operator (render->cr, state->comp_op);
+
+ if (state->mask) {
+- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
++ RsvgNode *mask;
++
++ mask = rsvg_defs_lookup (ctx->defs, state->mask);
++ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
++ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+ } else if (state->opacity != 0xFF)
+ cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+ else
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
+ }
+
+ RsvgNode *
+-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
+-{
+- char *name;
+-
+- name = rsvg_get_url_string (str);
+- if (name) {
+- RsvgNode *val;
+- val = rsvg_defs_lookup (defs, name);
+- g_free (name);
+-
+- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
+- return val;
+- }
+- return NULL;
+-}
+-
+-RsvgNode *
+ rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+ {
+ char *name;
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -48,8 +48,6 @@ struct _RsvgMask {
+
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_mask (void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
+
+ typedef struct _RsvgClipPath RsvgClipPath;
+
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
+
+ *dst = *src;
+ dst->parent = parent;
++ dst->mask = g_strdup (src->mask);
+ dst->font_family = g_strdup (src->font_family);
+ dst->lang = g_strdup (src->lang);
+ rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+
+ if (inherituninheritables) {
+ dst->clip_path_ref = src->clip_path_ref;
+- dst->mask = src->mask;
++ g_free (dst->mask);
++ dst->mask = g_strdup (src->mask);
+ dst->enable_background = src->enable_background;
+ dst->adobe_blend = src->adobe_blend;
+ dst->opacity = src->opacity;
+@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
+ void
+ rsvg_state_finalize (RsvgState * state)
+ {
++ g_free (state->mask);
+ g_free (state->font_family);
+ g_free (state->lang);
+ rsvg_paint_server_unref (state->fill);
+@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+ state->adobe_blend = 11;
+ else
+ state->adobe_blend = 0;
+- } else if (g_str_equal (name, "mask"))
+- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
+- else if (g_str_equal (name, "clip-path")) {
++ } else if (g_str_equal (name, "mask")) {
++ g_free (state->mask);
++ state->mask = rsvg_get_url_string (value);
++ } else if (g_str_equal (name, "clip-path")) {
+ state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
+ } else if (g_str_equal (name, "overflow")) {
+ if (!g_str_equal (value, "inherit")) {
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -80,7 +80,7 @@ struct _RsvgState {
+ cairo_matrix_t personal_affine;
+
+ RsvgFilter *filter;
+- void *mask;
++ char *mask;
+ void *clip_path_ref;
+ guint8 adobe_blend; /* 0..11 */
+ guint8 opacity; /* 0..255 */
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-19 16:19:37 +0000