From 60be33475c84d4e594b6765663f8354c54fc5fd6 Mon Sep 17 00:00:00 2001
From: Sheila Aman <sheila@vulpine.house>
Date: Thu, 22 Jul 2021 18:05:10 +0000
Subject: user/cairo: relbump for CVEs 2019-6462 and 2020-35492

---
 user/cairo/APKBUILD             | 11 +++++++--
 user/cairo/CVE-2019-6462.patch  | 36 +++++++++++++++++++++++++++
 user/cairo/CVE-2020-35492.patch | 54 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 user/cairo/CVE-2019-6462.patch
 create mode 100644 user/cairo/CVE-2020-35492.patch

(limited to 'user/cairo')

diff --git a/user/cairo/APKBUILD b/user/cairo/APKBUILD
index 84ef072a3..eba0c4ef9 100644
--- a/user/cairo/APKBUILD
+++ b/user/cairo/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: 
 pkgname=cairo
 pkgver=1.16.0
-pkgrel=1
+pkgrel=2
 pkgdesc="A vector graphics library"
 url="https://cairographics.org/"
 arch="all"
@@ -19,9 +19,14 @@ source="https://cairographics.org/releases/$pkgname-$pkgver.tar.xz
 	fontconfig-ultimate-$_ultver.tar.gz::https://github.com/bohoomil/fontconfig-ultimate/archive/$_ultver.tar.gz
 	musl-stacksize.patch
 	CVE-2018-19876.patch
+	CVE-2019-6462.patch
+	CVE-2020-35492.patch
 	"
 
 # secfixes:
+#   1.16.0-r2:
+#     - CVE-2019-6462
+#     - CVE-2020-35492
 #   1.16.0-r1:
 #     - CVE-2018-19876
 
@@ -81,4 +86,6 @@ tools() {
 sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f  cairo-1.16.0.tar.xz
 d8185f4ec74f44c4746acf7e79bba7ff7ffd9d35bdabeb25e10b4e12825942d910931aa857f1645e5c8185bcb40a1f1ffe1e7e647428e9ea66618b2aec52fac3  fontconfig-ultimate-2016-04-23.tar.gz
 86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0  musl-stacksize.patch
-9020c596caa54a2ac435d5dae0f121d36d3c3f34d487b9c1032665b1bd15813506adf31984e34b5dd328ee0e068de0627e1d061230758328cae4fa993c3a9209  CVE-2018-19876.patch"
+9020c596caa54a2ac435d5dae0f121d36d3c3f34d487b9c1032665b1bd15813506adf31984e34b5dd328ee0e068de0627e1d061230758328cae4fa993c3a9209  CVE-2018-19876.patch
+ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b  CVE-2019-6462.patch
+8dcb95b6a8e023ad5675f81f9a87a087868dc74113cd0ab96568d525582266c366064cc7cc168738dc75968385ab0444911f54754d31962dfe1235526afbd72c  CVE-2020-35492.patch"
diff --git a/user/cairo/CVE-2019-6462.patch b/user/cairo/CVE-2019-6462.patch
new file mode 100644
index 000000000..2a26876c3
--- /dev/null
+++ b/user/cairo/CVE-2019-6462.patch
@@ -0,0 +1,36 @@
+From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@worldiety.de>
+Date: Sat, 17 Apr 2021 19:15:03 +0200
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ 	{ M_PI / 11.0,  9.81410988043554039085e-09 },
+     };
+     int table_size = ARRAY_LENGTH (table);
++    const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+ 
+     for (i = 0; i < table_size; i++)
+ 	if (table[i].error < tolerance)
+ 	    return table[i].angle;
+ 
+     ++i;
++
+     do {
+ 	angle = M_PI / i++;
+ 	error = _arc_error_normalized (angle);
+-    } while (error > tolerance);
++    } while (error > tolerance && i < max_segments);
+ 
+     return angle;
+ }
+-- 
+GitLab
+
diff --git a/user/cairo/CVE-2020-35492.patch b/user/cairo/CVE-2020-35492.patch
new file mode 100644
index 000000000..d7369b3d6
--- /dev/null
+++ b/user/cairo/CVE-2020-35492.patch
@@ -0,0 +1,54 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+---
+ src/cairo-image-compositor.c                |   8 ++--
+ test/Makefile.sources                       |   1 +
+ test/bug-image-compositor.c                 |  39 ++++++++++++++++++++
+ test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+ create mode 100644 test/reference/bug-image-compositor.ref.png
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 		    unsigned num_spans)
+ {
+     cairo_image_span_renderer_t *r = abstract_renderer;
+-    uint8_t *m;
++    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+     int x0;
+ 
+     if (num_spans == 0)
+ 	return CAIRO_STATUS_SUCCESS;
+ 
+     x0 = spans[0].x;
+-    m = r->_buf;
++    m = base;
+     do {
+ 	int len = spans[1].x - spans[0].x;
+ 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ 				      spans[0].x, y,
+ 				      spans[1].x - spans[0].x, h);
+ 
+-	    m = r->_buf;
++	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else if (spans[0].coverage == 0x0) {
+ 	    if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ 	    }
+ 
+-	    m = r->_buf;
++	    m = base;
+ 	    x0 = spans[1].x;
+ 	} else {
+ 	    *m++ = spans[0].coverage;
+
-- 
cgit v1.2.3-70-g09d2