fix fuzzers

2023-06-14 16:56:38 +08:00 · 2023-06-14 16:56:38 +08:00 · aec9fd7771
commit aec9fd7771
parent 7951331583
5 changed files with 149 additions and 1 deletions
--- a/bugfix-cairo-truetype-reverse-cmap-detected-memory-leaks.patch
+++ b/bugfix-cairo-truetype-reverse-cmap-detected-memory-leaks.patch
@ -0,0 +1,29 @@
+From 1f39cb2e344ddaac89da743a926d06c60e08614b Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 15:37:22 +0800
+Subject: [PATCH] cairo truetype reverse cmap detected memory leaks
+
+---
+ src/cairo-truetype-subset.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
+index 6cef4ee..472294f 100644
+--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
+@@ -1311,8 +1311,10 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
+ 
+     /* A Format 4 cmap contains 8 uint16_t numbers and 4 arrays of
+      * uint16_t each num_segments long. */
+-    if (size < (8 + 4*num_segments)*sizeof(uint16_t))
+-	return CAIRO_INT_STATUS_UNSUPPORTED;
+    if (size < (8 + 4*num_segments)*sizeof(uint16_t)) {
+	status = CAIRO_INT_STATUS_UNSUPPORTED;
+        goto fail;
+    }
+ 
+     end_code = map->endCount;
+     start_code = &(end_code[num_segments + 1]);
+-- 
+2.23.0
+
--- a/bugfix-fix-call-get_unaligned_be32-heap-buffer-overflow.patch
+++ b/bugfix-fix-call-get_unaligned_be32-heap-buffer-overflow.patch
@ -0,0 +1,35 @@
+From 53738879bd6bc400d27b96cf0fe759dadc9f4fb0 Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 16:00:24 +0800
+Subject: [PATCH] fix call get_unaligned_be32 heap buffer overflow
+
+---
+ src/cairo-image-info.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c
+index d147e37..0310c4b 100644
+--- a/src/cairo-image-info.c
+++ b/src/cairo-image-info.c
+@@ -190,7 +190,7 @@ _jpx_match_box (const unsigned char *p, const unsigned char *end, uint32_t type)
+ static const unsigned char *
+ _jpx_find_box (const unsigned char *p, const unsigned char *end, uint32_t type)
+ {
+-    while (p < end) {
+    while ((p < end) && (p + 4 < end)) {
+ 	if (_jpx_match_box (p, end, type))
+ 	    return p;
+ 	p = _jpx_next_box (p);
+@@ -346,6 +346,9 @@ _jbig2_get_next_segment (const unsigned char  *p,
+     big_page_size = (p[4] & 0x40) != 0;
+     p += 5;
+ 
+    if (p + 4 >= end)
+        return NULL;
+
+     num_segs = p[0] >> 5;
+     if (num_segs == 7) {
+ 	num_segs = get_unaligned_be32 (p) & 0x1fffffff;
+-- 
+2.23.0
+
--- a/bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
+++ b/bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
@ -0,0 +1,31 @@
+From 4e515dd14a67b9069610e4a10baee300fb08421a Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 16:44:30 +0800
+Subject: [PATCH] fix heap buffer overflow in cairo_cff_parse_charstring
+
+---
+ src/cairo-cff-subset.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index 64fc69e..c94a4d0 100644
+--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
+@@ -1789,7 +1789,13 @@ cairo_cff_font_subset_charstrings_and_subroutines (cairo_cff_font_t  *font)
+ 	} else {
+ 	    glyph = font->scaled_font_subset->glyphs[i];
+ 	}
+-        element = _cairo_array_index (&font->charstrings_index, glyph);
+
+        cairo_array_t *array = &font->charstrings_index;
+        element = _cairo_array_index (array, glyph);
+        if (element == NULL)
+            return CAIRO_INT_STATUS_NO_MEMORY;
+        if (array->element_size < element->length)
+            return CAIRO_INT_STATUS_UNSUPPORTED;
+         status = cff_index_append (&font->charstrings_subset_index,
+                                    element->data,
+                                    element->length);
+-- 
+2.23.0
+
--- a/bugfix-fix-read-memory-access.patch
+++ b/bugfix-fix-read-memory-access.patch
@ -0,0 +1,39 @@
+From e8fef3b8f84afb1a0ae7a9ae81f43c91ac7b3b79 Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 15:52:58 +0800
+Subject: [PATCH] fix read memory access
+
+---
+ src/cairo-cff-subset.c   | 2 ++
+ src/cairo-type1-subset.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index fce4195..64fc69e 100644
+--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
+@@ -1412,6 +1412,8 @@ cairo_cff_font_subset_dict_string(cairo_cff_font_t   *font,
+         return CAIRO_STATUS_SUCCESS;
+ 
+     element = _cairo_array_index (&font->strings_index, sid - NUM_STD_STRINGS);
+    if (element == NULL)
+        return CAIRO_STATUS_NO_MEMORY;
+     sid = NUM_STD_STRINGS + _cairo_array_num_elements (&font->strings_subset_index);
+     status = cff_index_append (&font->strings_subset_index, element->data, element->length);
+     if (unlikely (status))
+diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c
+index 068b59e..22182af 100644
+--- a/src/cairo-type1-subset.c
+++ b/src/cairo-type1-subset.c
+@@ -1229,6 +1229,8 @@ cairo_type1_font_subset_for_each_glyph (cairo_type1_font_subset_t *font,
+ 
+ 	/* Skip binary data and |- or ND token. */
+ 	p = skip_token (charstring + charstring_length, dict_end);
+        if (p == NULL)
+            return CAIRO_INT_STATUS_NO_MEMORY;
+ 	while (p < dict_end && _cairo_isspace(*p))
+ 	    p++;
+ 
+-- 
+2.23.0
+
--- a/cairo.spec
+++ b/cairo.spec
@ -2,7 +2,7 @@

 Name:           cairo
 Version:        1.17.4
-Release:        3
+Release:        4
 Summary:        A 2D graphics library
 License:        LGPLv2 or MPLv1.1
 URL:            http://cairographics.org
@ -13,6 +13,11 @@ Patch6000:	CVE-2019-6461.patch
 Patch6001:	CVE-2019-6462.patch
 Patch6002:	backport-CVE-2020-35492.patch

+Patch9002:  bugfix-cairo-truetype-reverse-cmap-detected-memory-leaks.patch
+Patch9003:  bugfix-fix-read-memory-access.patch
+Patch9004:  bugfix-fix-call-get_unaligned_be32-heap-buffer-overflow.patch
+Patch9005:  bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
+
 BuildRequires:  gcc make
 BuildRequires:  pkgconfig glib2-devel librsvg2-devel
 BuildRequires:  libXrender-devel libX11-devel libpng-devel libxml2-devel
@ -137,6 +142,15 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 %{_libdir}/cairo/

 %changelog
+* Wed Jun 14 2023 sunhai<sunhai10@huawei.com> - 1.17.4-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:cairo_truetype_reverse_cmap detected memory leaks
+       fix read memory access
+       fix call get_unaligned_be32 heap buffer overflow
+       fix heap buffer overflow in cairo_cff_parse_charstring
+
 * Thu Dec  1 2022 pengyi<pengyi37@huawei.com> - 1.17.4-3
 - DESC:correct source URL