From 4945643bab1ee6b844115cc747e5c67d874d5fe6 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sat, 30 Jan 2016 20:45:31 -0800
Subject: librsvg: Security fix CVE-2015-7558 CVE-2015-7558 librsvg2: Stack exhaustion causing DoS including two supporting patches.
Signed-off-by: Armin Kuster
---
.../librsvg/librsvg/CVE-2015-7558_1.patch | 139 +++++++++++++++++++++
1 file changed, 139 insertions(+)
create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
(limited to 'meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch')
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000000..a3ba41f505
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
+From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte
+Date: Wed, 7 Oct 2015 05:31:08 +0200
+Subject: [PATCH] state: Store mask as reference
+
+Instead of immediately looking up the mask, store the reference and look
+it up on use.
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster
+
+---
+ rsvg-cairo-draw.c | 6 +++++-
+ rsvg-mask.c | 17 -----------------
+ rsvg-mask.h | 2 --
+ rsvg-styles.c | 12 ++++++++----
+ rsvg-styles.h | 2 +-
+ 5 files changed, 14 insertions(+), 25 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ cairo_set_operator (render->cr, state->comp_op);
+
+ if (state->mask) {
+- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
++ RsvgNode *mask;
++
++ mask = rsvg_defs_lookup (ctx->defs, state->mask);
++ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
++ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+ } else if (state->opacity != 0xFF)
+ cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+ else
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
+ }
+
+ RsvgNode *
+-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
+-{
+- char *name;
+-
+- name = rsvg_get_url_string (str);
+- if (name) {
+- RsvgNode *val;
+- val = rsvg_defs_lookup (defs, name);
+- g_free (name);
+-
+- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
+- return val;
+- }
+- return NULL;
+-}
+-
+-RsvgNode *
+ rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+ {
+ char *name;
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -48,8 +48,6 @@ struct _RsvgMask {
+
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_mask (void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
+
+ typedef struct _RsvgClipPath RsvgClipPath;
+
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
+
+ *dst = *src;
+ dst->parent = parent;
++ dst->mask = g_strdup (src->mask);
+ dst->font_family = g_strdup (src->font_family);
+ dst->lang = g_strdup (src->lang);
+ rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+
+ if (inherituninheritables) {
+ dst->clip_path_ref = src->clip_path_ref;
+- dst->mask = src->mask;
++ g_free (dst->mask);
++ dst->mask = g_strdup (src->mask);
+ dst->enable_background = src->enable_background;
+ dst->adobe_blend = src->adobe_blend;
+ dst->opacity = src->opacity;
+@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
+ void
+ rsvg_state_finalize (RsvgState * state)
+ {
++ g_free (state->mask);
+ g_free (state->font_family);
+ g_free (state->lang);
+ rsvg_paint_server_unref (state->fill);
+@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+ state->adobe_blend = 11;
+ else
+ state->adobe_blend = 0;
+- } else if (g_str_equal (name, "mask"))
+- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
+- else if (g_str_equal (name, "clip-path")) {
++ } else if (g_str_equal (name, "mask")) {
++ g_free (state->mask);
++ state->mask = rsvg_get_url_string (value);
++ } else if (g_str_equal (name, "clip-path")) {
+ state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
+ } else if (g_str_equal (name, "overflow")) {
+ if (!g_str_equal (value, "inherit")) {
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -80,7 +80,7 @@ struct _RsvgState {
+ cairo_matrix_t personal_affine;
+
+ RsvgFilter *filter;
+- void *mask;
++ char *mask;
+ void *clip_path_ref;
+ guint8 adobe_blend; /* 0..11 */
+ guint8 opacity; /* 0..255 */
-- cgit 1.2.3-korg
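Review bot: In the rsvg-cairo-draw.c hunk of the added patch, when `state->mask` is set but `rsvg_defs_lookup` returns NULL or a node that is not a mask, neither `rsvg_cairo_generate_mask` nor the opacity/`else` paint branches run, so the popped group is never composited; before this change an unresolvable reference left `state->mask` NULL at parse time and drawing fell through to those branches. If dropping the content is intended, a comment such as `/* unresolved or non-mask reference: the group is deliberately not painted */` above the inner `if` would record that; the rest of `rsvg_cairo_pop_render_stack` lies outside the hunk, so what happens to the popped surface afterwards cannot be confirmed from here. The patch only defers the lookup to render time and adds no recursion or cycle check, so the stack-exhaustion fix presumably depends on the other patches of the series being applied together with it. The header `Upstream-status:` is conventionally spelled `Upstream-Status:`.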