William A. Kennington III | ac69b48 | 2021-06-02 12:28:27 -0700 | 1 | Fix stack buffer overflow. |
| 2 | |
| 3 | CVE: CVE-2020-35492 |
| 4 | Upstream-Status: Backport |
| 5 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 6 | |
| 7 | From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 |
| 8 | From: Heiko Lewin <heiko.lewin@worldiety.de> |
| 9 | Date: Tue, 15 Dec 2020 16:48:19 +0100 |
| 10 | Subject: [PATCH] Fix mask usage in image-compositor |
| 11 | |
| 12 | --- |
| 13 | src/cairo-image-compositor.c | 8 ++-- |
| 14 | test/Makefile.sources | 1 + |
| 15 | test/bug-image-compositor.c | 39 ++++++++++++++++++++ |
| 16 | test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes |
| 17 | 4 files changed, 44 insertions(+), 4 deletions(-) |
| 18 | create mode 100644 test/bug-image-compositor.c |
| 19 | create mode 100644 test/reference/bug-image-compositor.ref.png |
| 20 | |
| 21 | diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c |
| 22 | index 79ad69f68..4f8aaed99 100644 |
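--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 unsigned num_spans)
 {
 cairo_image_span_renderer_t *r = abstract_renderer;
- uint8_t *m;
+ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
 int x0;
 
 if (num_spans == 0)
 return CAIRO_STATUS_SUCCESS;
 
 x0 = spans[0].x;
- m = r->_buf;
+ m = base;
 do {
 int len = spans[1].x - spans[0].x;
 if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 spans[0].x, y,
 spans[1].x - spans[0].x, h);
 
- m = r->_buf;
+ m = base;
 x0 = spans[1].x;
 } else if (spans[0].coverage == 0x0) {
 if (spans[0].x != x0) {
@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
 #endif
 }
 
- m = r->_buf;
+ m = base;
 x0 = spans[1].x;
 } else {
 *m++ = spans[0].coverage;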
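Review bot: The stores through `m` in `_inplace_src_spans` (for example `*m++ = spans[0].coverage;` at the end of the last hunk) have no visible bound, so after this change memory safety rests on an undocumented invariant that the `r->mask` image is large enough for the longest partial-coverage run. I would state that at the declaration, e.g. `/* m walks the mask's own pixel storage, which is presumably not always r->_buf; runs must fit in the mask row */`, and back it with a debug check before the store such as `assert (m - base < pixman_image_get_width (r->mask));` (assuming a one-byte-per-pixel mask). `pixman_image_get_data` returns NULL for an image that is not a bits image, so `assert (base != NULL);` after the `num_spans == 0` return would also make a bad mask fail loudly instead of writing through a null-based pointer. The function body starts before and continues past these three hunks, so a bound may already exist in lines not shown.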
| 60 | -- |