yocto-poky/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch - openbmc/openbmc - Gitiles

 From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
 From: Benjamin Otte <otte@redhat.com>
 Date: Wed, 7 Oct 2015 05:31:08 +0200
 Subject: [PATCH] state: Store mask as reference

 Instead of immediately looking up the mask, store the reference and look
 it up on use.

 Upstream-status: Backport

 supporting patch
 https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2

 CVE: CVE-2015-7558
 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  rsvg-cairo-draw.c |  6 +++++-
  rsvg-mask.c       | 17 -----------------
  rsvg-mask.h       |  2 --
  rsvg-styles.c     | 12 ++++++++----
  rsvg-styles.h     |  2 +-
  5 files changed, 14 insertions(+), 25 deletions(-)

 Index: librsvg-2.40.10/rsvg-cairo-draw.c
 ===================================================================
 --- librsvg-2.40.10.orig/rsvg-cairo-draw.c
 +++ librsvg-2.40.10/rsvg-cairo-draw.c
 @@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
      cairo_set_operator (render->cr, state->comp_op);

      if (state->mask) {
 -        rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
 +        RsvgNode *mask;
 +
 +        mask = rsvg_defs_lookup (ctx->defs, state->mask);
 +        if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
 +          rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
      } else if (state->opacity != 0xFF)
          cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
      else
 Index: librsvg-2.40.10/rsvg-mask.c
 ===================================================================
 --- librsvg-2.40.10.orig/rsvg-mask.c
 +++ librsvg-2.40.10/rsvg-mask.c
 @@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
  }

  RsvgNode *
 -rsvg_mask_parse (const RsvgDefs * defs, const char *str)
 -{
 -    char *name;
 -
 -    name = rsvg_get_url_string (str);
 -    if (name) {
 -        RsvgNode *val;
 -        val = rsvg_defs_lookup (defs, name);
 -        g_free (name);
 -
 -        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
 -            return val;
 -    }
 -    return NULL;
 -}
 -
 -RsvgNode *
  rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
  {
      char *name;
 Index: librsvg-2.40.10/rsvg-mask.h
 ===================================================================
 --- librsvg-2.40.10.orig/rsvg-mask.h
 +++ librsvg-2.40.10/rsvg-mask.h
 @@ -48,8 +48,6 @@ struct _RsvgMask {

  G_GNUC_INTERNAL
  RsvgNode *rsvg_new_mask	    (void);
 -G_GNUC_INTERNAL
 -RsvgNode *rsvg_mask_parse   (const RsvgDefs * defs, const char *str);

  typedef struct _RsvgClipPath RsvgClipPath;

 Index: librsvg-2.40.10/rsvg-styles.c
 ===================================================================
 --- librsvg-2.40.10.orig/rsvg-styles.c
 +++ librsvg-2.40.10/rsvg-styles.c
 @@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const

      *dst = *src;
      dst->parent = parent;
 +    dst->mask = g_strdup (src->mask);
      dst->font_family = g_strdup (src->font_family);
      dst->lang = g_strdup (src->lang);
      rsvg_paint_server_ref (dst->fill);
 @@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,

      if (inherituninheritables) {
          dst->clip_path_ref = src->clip_path_ref;
 -        dst->mask = src->mask;
 +        g_free (dst->mask);
 +        dst->mask = g_strdup (src->mask);
          dst->enable_background = src->enable_background;
          dst->adobe_blend = src->adobe_blend;
          dst->opacity = src->opacity;
 @@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
  void
  rsvg_state_finalize (RsvgState * state)
  {
 +    g_free (state->mask);
      g_free (state->font_family);
      g_free (state->lang);
      rsvg_paint_server_unref (state->fill);
 @@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
              state->adobe_blend = 11;
          else
              state->adobe_blend = 0;
 -    } else if (g_str_equal (name, "mask"))
 -        state->mask = rsvg_mask_parse (ctx->priv->defs, value);
 -    else if (g_str_equal (name, "clip-path")) {
 +    } else if (g_str_equal (name, "mask")) {
 +        g_free (state->mask);
 +        state->mask = rsvg_get_url_string (value);
 +    } else if (g_str_equal (name, "clip-path")) {
          state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
      } else if (g_str_equal (name, "overflow")) {
          if (!g_str_equal (value, "inherit")) {
 Index: librsvg-2.40.10/rsvg-styles.h
 ===================================================================
 --- librsvg-2.40.10.orig/rsvg-styles.h
 +++ librsvg-2.40.10/rsvg-styles.h
 @@ -80,7 +80,7 @@ struct _RsvgState {
      cairo_matrix_t personal_affine;

      RsvgFilter *filter;
 -    void *mask;
 +    char *mask;
      void *clip_path_ref;
      guint8 adobe_blend;         /* 0..11 */
      guint8 opacity;             /* 0..255 */
	From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
	From: Benjamin Otte <otte@redhat.com>
	Date: Wed, 7 Oct 2015 05:31:08 +0200
	Subject: [PATCH] state: Store mask as reference

	Instead of immediately looking up the mask, store the reference and look
	it up on use.

	Upstream-status: Backport

	supporting patch
	https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2

	CVE: CVE-2015-7558
	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	rsvg-cairo-draw.c \| 6 +++++-
	rsvg-mask.c \| 17 -----------------
	rsvg-mask.h \| 2 --
	rsvg-styles.c \| 12 ++++++++----
	rsvg-styles.h \| 2 +-
	5 files changed, 14 insertions(+), 25 deletions(-)

	Index: librsvg-2.40.10/rsvg-cairo-draw.c
	===================================================================
	--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
	+++ librsvg-2.40.10/rsvg-cairo-draw.c
	@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
	cairo_set_operator (render->cr, state->comp_op);

	if (state->mask) {
	- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
	+ RsvgNode *mask;
	+
	+ mask = rsvg_defs_lookup (ctx->defs, state->mask);
	+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
	+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
	} else if (state->opacity != 0xFF)
	cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
	else
	Index: librsvg-2.40.10/rsvg-mask.c
	===================================================================
	--- librsvg-2.40.10.orig/rsvg-mask.c
	+++ librsvg-2.40.10/rsvg-mask.c
	@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
	}

	RsvgNode *
	-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
	-{
	- char *name;
	-
	- name = rsvg_get_url_string (str);
	- if (name) {
	- RsvgNode *val;
	- val = rsvg_defs_lookup (defs, name);
	- g_free (name);
	-
	- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
	- return val;
	- }
	- return NULL;
	-}
	-
	-RsvgNode *
	rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
	{
	char *name;
	Index: librsvg-2.40.10/rsvg-mask.h
	===================================================================
	--- librsvg-2.40.10.orig/rsvg-mask.h
	+++ librsvg-2.40.10/rsvg-mask.h
	@@ -48,8 +48,6 @@ struct _RsvgMask {

	G_GNUC_INTERNAL
	RsvgNode *rsvg_new_mask (void);
	-G_GNUC_INTERNAL
	-RsvgNode rsvg_mask_parse (const RsvgDefs defs, const char *str);

	typedef struct _RsvgClipPath RsvgClipPath;

	Index: librsvg-2.40.10/rsvg-styles.c
	===================================================================
	--- librsvg-2.40.10.orig/rsvg-styles.c
	+++ librsvg-2.40.10/rsvg-styles.c
	@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const

	dst = src;
	dst->parent = parent;
	+ dst->mask = g_strdup (src->mask);
	dst->font_family = g_strdup (src->font_family);
	dst->lang = g_strdup (src->lang);
	rsvg_paint_server_ref (dst->fill);
	@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,

	if (inherituninheritables) {
	dst->clip_path_ref = src->clip_path_ref;
	- dst->mask = src->mask;
	+ g_free (dst->mask);
	+ dst->mask = g_strdup (src->mask);
	dst->enable_background = src->enable_background;
	dst->adobe_blend = src->adobe_blend;
	dst->opacity = src->opacity;
	@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
	void
	rsvg_state_finalize (RsvgState * state)
	{
	+ g_free (state->mask);
	g_free (state->font_family);
	g_free (state->lang);
	rsvg_paint_server_unref (state->fill);
	@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
	state->adobe_blend = 11;
	else
	state->adobe_blend = 0;
	- } else if (g_str_equal (name, "mask"))
	- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
	- else if (g_str_equal (name, "clip-path")) {
	+ } else if (g_str_equal (name, "mask")) {
	+ g_free (state->mask);
	+ state->mask = rsvg_get_url_string (value);
	+ } else if (g_str_equal (name, "clip-path")) {
	state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
	} else if (g_str_equal (name, "overflow")) {
	if (!g_str_equal (value, "inherit")) {
	Index: librsvg-2.40.10/rsvg-styles.h
	===================================================================
	--- librsvg-2.40.10.orig/rsvg-styles.h
	+++ librsvg-2.40.10/rsvg-styles.h
	@@ -80,7 +80,7 @@ struct _RsvgState {
	cairo_matrix_t personal_affine;

	RsvgFilter *filter;
	- void *mask;
	+ char *mask;
	void *clip_path_ref;
	guint8 adobe_blend; /* 0..11 */
	guint8 opacity; /* 0..255 */