From 205885d0e9640095830d0baf84fc38dfbc38a071 Mon Sep 17 00:00:00 2001 From: Quentin Schulz Date: Wed, 14 Dec 2022 12:16:01 +0100 Subject: [PATCH] package/cairo: fix CVE-2019-6462 Add an upstream patch to fix CVE-2019-6462: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized. Cc: Quentin Schulz Signed-off-by: Quentin Schulz Signed-off-by: Peter Korsgaard (cherry picked from commit b38286d7e5919693cad2dc5b19024b1c03d29c18) Signed-off-by: Peter Korsgaard --- ...or_tolerance_normalized-fix-infinite.patch | 39 +++++++++++++++++++ package/cairo/cairo.mk | 2 + 2 files changed, 41 insertions(+) create mode 100644 package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch diff --git a/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch new file mode 100644 index 0000000000..078e90fa42 --- /dev/null +++ b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch @@ -0,0 +1,39 @@ +From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Sun, 1 Aug 2021 11:16:03 +0000 +Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop + +[Retrieved from: +https://gitlab.freedesktop.org/cairo/cairo/-/commit/ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0] +Signed-off-by: Quentin Schulz +--- + src/cairo-arc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..1c891d1a0 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + { M_PI / 11.0, 9.81410988043554039085e-09 }, + }; + int table_size = ARRAY_LENGTH (table); ++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ + + for (i = 0; i < table_size; i++) + if (table[i].error < tolerance) + return table[i].angle; + + ++i; ++ + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && i < max_segments); + + return angle; + } +-- +2.38.1 + diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk index f479aa252a..8bb7ca121d 100644 --- a/package/cairo/cairo.mk +++ b/package/cairo/cairo.mk @@ -14,6 +14,8 @@ CAIRO_INSTALL_STAGING = YES # 0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available-in-cairo_ft_apply_variation.patch CAIRO_IGNORE_CVES += CVE-2018-19876 +# 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch +CAIRO_IGNORE_CVES += CVE-2019-6462 CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)"