Fix stack buffer overflow.
|
|
CVE: CVE-2020-35492
|
Upstream-Status: Backport
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
|
From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
|
From: Heiko Lewin <heiko.lewin@worldiety.de>
|
Date: Tue, 15 Dec 2020 16:48:19 +0100
|
Subject: [PATCH] Fix mask usage in image-compositor
|
|
---
|
src/cairo-image-compositor.c | 8 ++--
|
test/Makefile.sources | 1 +
|
test/bug-image-compositor.c | 39 ++++++++++++++++++++
|
test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
|
4 files changed, 44 insertions(+), 4 deletions(-)
|
create mode 100644 test/bug-image-compositor.c
|
create mode 100644 test/reference/bug-image-compositor.ref.png
|
|
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
|
index 79ad69f68..4f8aaed99 100644
|
--- a/src/cairo-image-compositor.c
|
+++ b/src/cairo-image-compositor.c
|
@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
unsigned num_spans)
|
{
|
cairo_image_span_renderer_t *r = abstract_renderer;
|
- uint8_t *m;
|
+ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
|
int x0;
|
|
if (num_spans == 0)
|
return CAIRO_STATUS_SUCCESS;
|
|
x0 = spans[0].x;
|
- m = r->_buf;
|
+ m = base;
|
do {
|
int len = spans[1].x - spans[0].x;
|
if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
|
@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
spans[0].x, y,
|
spans[1].x - spans[0].x, h);
|
|
- m = r->_buf;
|
+ m = base;
|
x0 = spans[1].x;
|
} else if (spans[0].coverage == 0x0) {
|
if (spans[0].x != x0) {
|
@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
|
#endif
|
}
|
|
- m = r->_buf;
|
+ m = base;
|
x0 = spans[1].x;
|
} else {
|
*m++ = spans[0].coverage;
|
--
|
