blob 21942326ae99854b1038c56c8b01ed618d13d396 729 bytes (raw)
name: patches/pixman-CVE-2016-5296.patch # note: path name is non-authoritative(*)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| | Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
Adapted for upstream pixman based on:
https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded
--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig 2015-06-30 05:48:31.000000000 -0400
+++ pixman-0.34.0/pixman/pixman-edge-imp.h 2016-11-16 01:09:34.046335106 -0500
@@ -55,8 +55,9 @@
*
* (The AA case does a similar adjustment in RENDER_SAMPLES_X)
*/
- lx += X_FRAC_FIRST(1) - pixman_fixed_e;
- rx += X_FRAC_FIRST(1) - pixman_fixed_e;
+ /* we cast to unsigned to get defined behaviour for overflow */
+ lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e;
+ rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e;
#endif
/* clip X */
if (lx < 0)
|
debug log:
solving 21942326ae99854b1038c56c8b01ed618d13d396 ...
found 21942326ae99854b1038c56c8b01ed618d13d396 in https://git.savannah.gnu.org/cgit/guix.git
(*) Git path names are given by the tree(s) the blob belongs to.
Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).