summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-graphics/cairo/cairo
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-graphics/cairo/cairo')
-rw-r--r--external/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch45
-rw-r--r--external/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch34
2 files changed, 34 insertions, 45 deletions
diff --git a/external/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch b/external/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
deleted file mode 100644
index 7d02ab94..00000000
--- a/external/poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001
-From: Adrian Johnson <ajohnson@redneon.com>
-Date: Wed, 16 Aug 2017 22:52:35 -0400
-Subject: [PATCH] cairo: Fix CVE-2017-9814
-
-The bug happens because in some scenarios the variable size can
-have a value of 0 at line 1288. And malloc(0) is not returning
-NULL as some people could expect:
-
- https://stackoverflow.com/questions/1073157/zero-size-malloc
-
-malloc(0) returns the smallest chunk possible. So the line 1290
-with the return is not execute. And the execution continues with
-an invalid map.
-
-Since the size is 0 the variable map is not initialized correctly
-at load_trutype_table. So, later when the variable map is accessed
-previous values from a freed chunk are used. This could allows an
-attacker to control the variable map.
-
-This patch have not merge in upstream now.
-
-Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547]
-CVE: CVE-2017-9814
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
----
- src/cairo-truetype-subset.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
-index e3449a0..f77d11c 100644
---- a/src/cairo-truetype-subset.c
-+++ b/src/cairo-truetype-subset.c
-@@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
- return CAIRO_INT_STATUS_UNSUPPORTED;
-
- size = be16_to_cpu (map->length);
-- map = malloc (size);
-+ map = _cairo_malloc (size);
- if (unlikely (map == NULL))
- return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-
---
-2.8.1
-
diff --git a/external/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch b/external/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch
new file mode 100644
index 00000000..4252a566
--- /dev/null
+++ b/external/poky/meta/recipes-graphics/cairo/cairo/CVE-2018-19876.patch
@@ -0,0 +1,34 @@
+CVE: CVE-2018-19876
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Mon, 19 Nov 2018 12:33:07 +0100
+Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in
+ cairo_ft_apply_variations
+
+Fixes a crash when using freetype >= 2.9
+---
+ src/cairo-ft-font.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
+index 325dd61b4..981973f78 100644
+--- a/src/cairo-ft-font.c
++++ b/src/cairo-ft-font.c
+@@ -2393,7 +2393,11 @@ skip:
+ done:
+ free (coords);
+ free (current_coords);
++#if HAVE_FT_DONE_MM_VAR
++ FT_Done_MM_Var (face->glyph->library, ft_mm_var);
++#else
+ free (ft_mm_var);
++#endif
+ }
+ }
+
+--
+2.11.0
+