From d1ec2e050c6913534b014d64e1c6484361d34e8b02b4fe8273a9ec5b4c49bbeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?= <zaitor@opensuse.org>
Date: Tue, 20 Jun 2017 16:43:46 +0000
Subject: [PATCH 1/2] Accepting request 505069 from
 home:alarrosa:branches:GNOME:Factory

- Add 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch to
  fix a segfault when using >4GB images since int values were used
  for pointer operations (bsc#1007255, fdo#98165, CVE-2016-9082).

OBS-URL: https://build.opensuse.org/request/show/505069
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/cairo?expand=0&rev=121
---
 ...nt-invalid-ptr-access-for-4GB-images.patch | 122 ++++++++++++++++++
 cairo.changes                                 |   7 +
 cairo.spec                                    |   3 +
 3 files changed, 132 insertions(+)
 create mode 100644 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch

diff --git a/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch b/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
new file mode 100644
index 0000000..ae4804b
--- /dev/null
+++ b/0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
@@ -0,0 +1,122 @@
+From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+  image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98165
+---
+ boilerplate/cairo-boilerplate.c     | 4 +++-
+ src/cairo-image-compositor.c        | 4 ++--
+ src/cairo-image-surface-private.h   | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c                     | 2 +-
+ src/cairo-script-surface.c          | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
+index 7fdbf79..4804dea 100644
+--- a/boilerplate/cairo-boilerplate.c
++++ b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+ 
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <assert.h>
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+     char format;
+-    int width, height, stride;
++    int width, height;
++    ptrdiff_t stride;
+     int x, y;
+     unsigned char *data;
+     cairo_surface_t *image = NULL;
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 48072f8..3ca0006 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
+     pixman_image_t *src, *mask;
+     union {
+ 	struct fill {
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	    uint32_t pixel;
+ 	} fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
+ 	struct finish {
+ 	    cairo_rectangle_int_t extents;
+ 	    int src_x, src_y;
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	} mask;
+     } u;
+diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
+index 8ca694c..7e78d61 100644
+--- a/src/cairo-image-surface-private.h
++++ b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+ 
+     int width;
+     int height;
+-    int stride;
++    ptrdiff_t stride;
+     int depth;
+ 
+     unsigned owns_data : 1;
+diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
+index 1b63ca8..e7f0db6 100644
+--- a/src/cairo-mesh-pattern-rasterizer.c
++++ b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
+ 	tg += tg >> 16;
+ 	tb += tb >> 16;
+ 
+-	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
++	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
+     }
+ }
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index 562b743..aa8c227 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
+     }
+ 
+     for (i = 0; i < png_height; i++)
+-        row_pointers[i] = &data[i * stride];
++        row_pointers[i] = &data[i * (ptrdiff_t)stride];
+ 
+     png_read_image (png, row_pointers);
+     png_read_end (png, info);
+diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
+index ea0117d..91e4baa 100644
+--- a/src/cairo-script-surface.c
++++ b/src/cairo-script-surface.c
+@@ -1202,7 +1202,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ 		      const cairo_image_surface_t *image)
+ {
+-    int stride, row, width;
++    int row, width;
++    ptrdiff_t stride;
+     uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+     uint8_t *rowdata;
+     uint8_t *data;
+-- 
+2.1.4
+
diff --git a/cairo.changes b/cairo.changes
index b4a3e5c..2f99ffd 100644
--- a/cairo.changes
+++ b/cairo.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jun 20 11:20:29 UTC 2017 - alarrosa@suse.com
+
+- Add 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch to
+  fix a segfault when using >4GB images since int values were used
+  for pointer operations (bsc#1007255, fdo#98165, CVE-2016-9082).
+
 -------------------------------------------------------------------
 Fri Jun 16 19:11:41 UTC 2017 - zaitor@opensuse.org
 
diff --git a/cairo.spec b/cairo.spec
index c8cf745..4bf5f74 100644
--- a/cairo.spec
+++ b/cairo.spec
@@ -33,6 +33,8 @@ Patch0:         cairo-xlib-endianness.patch
 Patch1:         cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
 # PATCH-FIX-UPSTREAM cairo-fix-off-by-one-check.patch fdo#101427 zaitor@opensuse.org -- Fix off by one check in cairo-image-info.c
 Patch2:         cairo-fix-off-by-one-check.patch
+# PATCH-FIX-UPSTREAM 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch alarrosa@suse.com -- Fix segfault when using >4GB images
+Patch3:         0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
 BuildRequires:  gtk-doc
 BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(fontconfig)
@@ -141,6 +143,7 @@ cairo.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %configure \

From a58058947d09cfdbbccbc2397afb2bf9b23c0229fa04a27ee3770b34cea8f687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?= <zaitor@opensuse.org>
Date: Tue, 20 Jun 2017 16:44:33 +0000
Subject: [PATCH 2/2] OBS-URL:
 https://build.opensuse.org/package/show/GNOME:Factory/cairo?expand=0&rev=122

---
 cairo.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cairo.spec b/cairo.spec
index 4bf5f74..c2a1ede 100644
--- a/cairo.spec
+++ b/cairo.spec
@@ -33,7 +33,7 @@ Patch0:         cairo-xlib-endianness.patch
 Patch1:         cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff
 # PATCH-FIX-UPSTREAM cairo-fix-off-by-one-check.patch fdo#101427 zaitor@opensuse.org -- Fix off by one check in cairo-image-info.c
 Patch2:         cairo-fix-off-by-one-check.patch
-# PATCH-FIX-UPSTREAM 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch alarrosa@suse.com -- Fix segfault when using >4GB images
+# PATCH-FIX-UPSTREAM 0001-image-prevent-invalid-ptr-access-for-4GB-images.patch bsc#1007255 fdo#98165 CVE-2016-9082 alarrosa@suse.com -- Fix segfault when using >4GB images
 Patch3:         0001-image-prevent-invalid-ptr-access-for-4GB-images.patch
 BuildRequires:  gtk-doc
 BuildRequires:  pkg-config