Hello community,
here is the log from the commit of package efl for openSUSE:Factory checked in at 2016-04-12 19:40:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/efl (Old)
and /work/SRC/openSUSE:Factory/.efl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "efl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/efl/efl.changes 2016-03-04 19:30:28.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.efl.new/efl.changes 2016-04-12 19:40:05.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Apr 7 01:48:46 UTC 2016 - sflees@suse.de
+- Fix crash due to threadsafty issue fix-evas-sw-cutout-rects-threads.patch T3348
+- Fix spinlock handling leading to deadlock (fix-evas-sw-spinlock-free.patch)
+- Fix mulitple possible crashes in gif loader that could lead to DOS attacks
+(CVE-2014-9762 boo#963796, boo#963797, boo#973759)
+ * fix-evas-gif-loader-CVE-2014-9762.patch
+ * fix-evas-gif-loader-pixel-lookup-decode.patch
+ * fix-evas-gif-loader-cmap-null.patch
+
+-------------------------------------------------------------------
New:
----
fix-evas-gif-loader-CVE-2014-9762.patch
fix-evas-gif-loader-cmap-null.patch
fix-evas-gif-loader-pixel-lookup-decode.patch
fix-evas-sw-cutout-rects-threads.patch
fix-evas-sw-spinlock-free.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ efl.spec ++++++
--- /var/tmp/diff_new_pack.tO14gj/_old 2016-04-12 19:40:06.000000000 +0200
+++ /var/tmp/diff_new_pack.tO14gj/_new 2016-04-12 19:40:06.000000000 +0200
@@ -59,6 +59,12 @@
Url: http://enlightenment.org
Source: http://download.enlightenment.org/rel/libs/efl/%{name}-%{version}.tar.xz
Patch1: efl-1.11.3-fix-bashisms.patch
+Patch2: fix-evas-sw-cutout-rects-threads.patch
+Patch3: fix-evas-sw-spinlock-free.patch
+Patch4: fix-evas-gif-loader-CVE-2014-9762.patch
+Patch5: fix-evas-gif-loader-pixel-lookup-decode.patch
+Patch6: fix-evas-gif-loader-cmap-null.patch
+
BuildRequires: autoconf >= 2.5
BuildRequires: automake
%if %build_doc
@@ -645,6 +651,11 @@
%prep
%setup -q
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
%build
# fedora has the wrong autoconf version
++++++ fix-evas-gif-loader-CVE-2014-9762.patch ++++++
commit dd90b6afadf706aafec9e53a6b1efa8f899ab277
Author: Carsten Haitzler (Rasterman)
Date: Sat Apr 2 12:25:52 2016 +0900
evas: gif loader - fix out of bounds access on cmap of invalid pixels
if a gif has, for example, 4 colors in its colormap, the pixels provided can
still hold values higher than 3 (4, 8, 255 etc.) as a pixel is still a
byte. it should not, but it could. technically it'd be nice for giflib
to pad its palette out to 256 entries to ensure this can't be a
problem, but it doesn't have to, so make a local copy of the cmap
when decoding pixels and pad it out to 256 entries (using color 0, as any
value > palette size is invalid anyway so any color will do).
this fixes a possible security attack vector in reading memory out of
bounds of an allocated array. not very far out of bounds - but enough
to cause a crash - i.e. a dos attack (not to inject code though).
@fix
diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
index a9f67f7..5110158 100644
--- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
+++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
@@ -46,7 +46,7 @@ do { \
goto on_error; \
} while (0)
#define PIX(_x, _y) rows[yin + _y][xin + _x]
-#define CMAP(_v) cmap->Colors[_v]
+#define CMAP(_v) colors[_v]
#define PIXLK(_p) ARGB_JOIN(0xff, CMAP(_p).Red, CMAP(_p).Green, CMAP(_p).Blue)
// utility funcs...
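Review bot: `CMAP(_v)` now expands to a bare `colors[_v]`, so every function that uses it (directly or through `PIXLK`) must declare a 256-entry `GifColorType colors[256]` local and must only ever pass an index in 0..255; neither requirement is visible at the macro. In `_decode_image` the index is a `GifPixelType` byte, which satisfies the bound, but `_fill_frame` derives `bg` from `gif->SBackGroundColor`, an `int` taken from the file header — presumably byte-ranged, though nothing in this patch checks it. A comment on the macro would pin the contract: `/* _v must be in 0..255: colors[] is the caller's 256-entry padded copy of the palette */`.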
@@ -120,11 +120,19 @@ _fill_frame(DATA32 *data, int rowpix, GifFileType *gif, Frame_Info *finfo,
{
ColorMapObject *cmap;
int bg;
-
+ GifColorType colors[256];
+ int cnum;
+
// work out color to use from cmap
if (gif->Image.ColorMap) cmap = gif->Image.ColorMap;
else cmap = gif->SColorMap;
bg = gif->SBackGroundColor;
+
+ // fill in local color table of guaranteed 256 entires with cmap & pad
+ for (cnum = 0; cnum < cmap->ColorCount; cnum++)
+ colors[cnum] = cmap->Colors[cnum];
+ for (cnum = cmap->ColorCount; cnum < 256; cnum++)
+ colors[cnum] = cmap->Colors[0];
// and do the fill
_fill_image
(data, rowpix,
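Review bot: The copy loop `for (cnum = 0; cnum < cmap->ColorCount; cnum++)` writes into the fixed `colors[256]` buffer with no upper bound on `cmap->ColorCount`, so an over-long colormap would turn the original out-of-bounds read into a stack write past `colors`. giflib is expected to keep the count at or below 256, but the loader should not depend on that: `for (cnum = 0; cnum < cmap->ColorCount && cnum < 256; cnum++)` followed by `for (; cnum < 256; cnum++)` closes it at no cost. The padding value `cmap->Colors[0]` is also read unconditionally, which presumes `ColorCount >= 1`, and `cmap` itself can still be NULL here (a later patch in this same update adds that check). The rest of `_fill_frame`, including the `_fill_image` call, continues outside the hunk.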
@@ -208,6 +216,8 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
Eina_Bool ret = EINA_FALSE;
ColorMapObject *cmap;
DATA32 *p;
+ GifColorType colors[256];
+ int cnum;
// build a blob of memory to have pointers to rows of pixels
// AND store the decoded gif pixels (1 byte per pixel) as welll
@@ -247,6 +257,11 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
if (gif->Image.ColorMap) cmap = gif->Image.ColorMap;
else cmap = gif->SColorMap;
+ // fill in local color table of guaranteed 256 entires with cmap & pad
+ for (cnum = 0; cnum < cmap->ColorCount; cnum++)
+ colors[cnum] = cmap->Colors[cnum];
+ for (cnum = cmap->ColorCount; cnum < 256; cnum++)
+ colors[cnum] = cmap->Colors[0];
// if we need to deal with transparent pixels at all...
if (transparent >= 0)
{
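Review bot: The element-wise palette copy could be a `memcpy` once the count is clamped, which also removes the unbounded `cnum < cmap->ColorCount` write into `colors[256]`: `int n = cmap->ColorCount < 256 ? cmap->ColorCount : 256;` then `memcpy(colors, cmap->Colors, n * sizeof colors[0]);` with the padding loop starting from `n`. The padding reads `cmap->Colors[0]` even when `ColorCount` is 0, so the zero-count case should pad with a zeroed `GifColorType` instead of indexing the table. This block is a verbatim duplicate of the one just added to `_fill_frame`; `_decode_image` starts and ends outside the hunk.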
++++++ fix-evas-gif-loader-cmap-null.patch ++++++
commit db4ff548d356243638f5fa0898b2ee4ff1be55f5
Author: Carsten Haitzler (Rasterman)
Date: Mon Apr 4 09:51:12 2016 +0900
evas - gif loader - handle missing colormap
follow on from dd90b6afadf706aafec9e53a6b1efa8f899ab277 - this handles
the case where a gif file has no colormap (it'll decode as blank now, as a
colormap of all 0's is used instead).
@fix
diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
index 09d3b27..ac40352 100644
--- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
+++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
@@ -128,11 +128,16 @@ _fill_frame(DATA32 *data, int rowpix, GifFileType *gif, Frame_Info *finfo,
else cmap = gif->SColorMap;
bg = gif->SBackGroundColor;
- // fill in local color table of guaranteed 256 entires with cmap & pad
- for (cnum = 0; cnum < cmap->ColorCount; cnum++)
- colors[cnum] = cmap->Colors[cnum];
- for (cnum = cmap->ColorCount; cnum < 256; cnum++)
- colors[cnum] = cmap->Colors[0];
+ if (cmap)
+ {
+ // fill in local color table of guaranteed 256 with cmap & pad
+ for (cnum = 0; cnum < cmap->ColorCount; cnum++)
+ colors[cnum] = cmap->Colors[cnum];
+ for (cnum = cmap->ColorCount; cnum < 256; cnum++)
+ colors[cnum] = cmap->Colors[0];
+ }
+ else
+ memset(colors, 0, sizeof(colors));
// and do the fill
_fill_image
(data, rowpix,
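Review bot: The new `else memset(colors, 0, sizeof(colors));` makes a GIF with neither a global nor a local colormap render as opaque black (`PIXLK` joins 0xff alpha with the zeroed RGB) rather than being rejected, and nothing in the hunk records that this is deliberate. Since an image stream with no colormap is malformed input, a reviewer would want either a load failure or a comment at the `else`: `// no global or local colormap: malformed gif, decode as opaque black rather than fail`. The `if (cmap)` branch still copies `cmap->ColorCount` entries into the 256-slot `colors` without clamping the count. `_fill_frame` continues outside the hunk.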
@@ -258,11 +263,16 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
if (gif->Image.ColorMap) cmap = gif->Image.ColorMap;
else cmap = gif->SColorMap;
- // fill in local color table of guaranteed 256 entires with cmap & pad
- for (cnum = 0; cnum < cmap->ColorCount; cnum++)
- colors[cnum] = cmap->Colors[cnum];
- for (cnum = cmap->ColorCount; cnum < 256; cnum++)
- colors[cnum] = cmap->Colors[0];
+ if (cmap)
+ {
+ // fill in local color table of guaranteed 256 entires with cmap & pad
+ for (cnum = 0; cnum < cmap->ColorCount; cnum++)
+ colors[cnum] = cmap->Colors[cnum];
+ for (cnum = cmap->ColorCount; cnum < 256; cnum++)
+ colors[cnum] = cmap->Colors[0];
+ }
+ else
+ memset(colors, 0, sizeof(colors));
// if we need to deal with transparent pixels at all...
if (transparent >= 0)
{
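Review bot: The `if (cmap) { ... } else memset(...)` block is now a ten-line duplicate of the one in `_fill_frame`, so any further fix (for instance clamping `ColorCount` to 256, which neither copy does, or handling a zero-entry colormap before reading `Colors[0]`) has to be applied twice. Factoring it into one static helper that both functions call keeps the call sites in step; the sketch below also bounds the copy so it can never run past `colors[256]`. `_decode_image` starts and ends outside the hunk.
```c
// copy cmap into a 256-entry table, padding with color 0; all zero if no cmap
static void
_cmap_to_colors(GifColorType colors[256], const ColorMapObject *cmap)
{
   int cnum, count;

   count = cmap ? cmap->ColorCount : 0;
   if (count <= 0)
     {
        memset(colors, 0, 256 * sizeof(colors[0]));
        return;
     }
   if (count > 256) count = 256;
   for (cnum = 0; cnum < count; cnum++)
     colors[cnum] = cmap->Colors[cnum];
   for (; cnum < 256; cnum++)
     colors[cnum] = cmap->Colors[0];
}

   // … unchanged: cmap selection from gif->Image.ColorMap / gif->SColorMap …
   _cmap_to_colors(colors, cmap);
   // … unchanged: transparent handling …
```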
++++++ fix-evas-gif-loader-pixel-lookup-decode.patch ++++++
commit f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8
Author: Carsten Haitzler (Rasterman)
Date: Sat Apr 2 13:22:11 2016 +0900
evas - gif loader - be a little more optimal in pixel lookups on decode
diff --git a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
index 5110158..09d3b27 100644
--- a/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
+++ b/src/modules/evas/image_loaders/gif/evas_image_load_gif.c
@@ -213,6 +213,7 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
int intjump[] = { 8, 8, 4, 2 };
int i, xx, yy, pix;
GifRowType *rows;
+ GifPixelType *pixels;
Eina_Bool ret = EINA_FALSE;
ColorMapObject *cmap;
DATA32 *p;
@@ -270,10 +271,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
{
for (yy = 0; yy < h; yy++)
{
+ pixels = &(PIX(0, yy));
p = data + ((y + yy) * rowpix) + x;
for (xx = 0; xx < w; xx++)
{
- pix = PIX(xx, yy);
+ pix = *pixels;
+ pixels++;
if (pix != transparent) *p = PIXLK(pix);
else *p = 0;
p++;
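Review bot: `pixels = &(PIX(0, yy))` followed by `w` increments means the loop now relies on `rows[yin + yy]` holding at least `xin + w` entries, the same bound the old `PIX(xx, yy)` form relied on but no longer visible at the access site; a comment at the assignment would keep it explicit: `// rows[yin + yy] must hold at least xin + w pixels`. It is also worth a line noting why `PIXLK(pix)` cannot over-index the palette: `pix` is assigned from a `GifPixelType` byte, so it is always below the 256 entries in `colors`. `_decode_image` starts and ends outside the hunk.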
@@ -285,10 +288,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
{
for (yy = 0; yy < h; yy++)
{
+ pixels = &(PIX(0, yy));
p = data + ((y + yy) * rowpix) + x;
for (xx = 0; xx < w; xx++)
{
- pix = PIX(xx, yy);
+ pix = *pixels;
+ pixels++;
if (pix != transparent) *p = PIXLK(pix);
p++;
}
@@ -300,10 +305,12 @@ _decode_image(GifFileType *gif, DATA32 *data, int rowpix, int xin, int yin,
// walk pixels without worring about transparency at all
for (yy = 0; yy < h; yy++)
{
+ pixels = &(PIX(0, yy));
p = data + ((y + yy) * rowpix) + x;
for (xx = 0; xx < w; xx++)
{
- pix = PIX(xx, yy);
+ pix = *pixels;
+ pixels++;
*p = PIXLK(pix);
p++;
}
++++++ fix-evas-sw-cutout-rects-threads.patch ++++++
commit 4d6a8a7fce51b5654404226668a27d52d1e30eb3
Author: Carsten Haitzler (Rasterman)
Date: Sat Mar 26 10:49:20 2016 +0900
evas sw render: cutout rects may be used in multiple threads
several draw funcs keep a static Cutout_Rects *rects = NULL; variable
to cache cutout rects to avoid re-allocating them a lot etc. this is
fast and handy but we may use these from multiple threads. that's bad
.... mmmkay. so this fixes it the dirty way - makes them thread local.
:)
this fixes T3348 - the crash mentioned by @zmike
@fix
diff --git a/src/lib/evas/common/evas_font_draw.c b/src/lib/evas/common/evas_font_draw.c
index bbeecf6..bf5141b 100644
--- a/src/lib/evas/common/evas_font_draw.c
+++ b/src/lib/evas/common/evas_font_draw.c
@@ -348,7 +348,7 @@ error:
EAPI Eina_Bool
evas_common_font_draw_cb(RGBA_Image *dst, RGBA_Draw_Context *dc, int x, int y, Evas_Glyph_Array *glyphs, Evas_Common_Font_Draw_Cb cb)
{
- static Cutout_Rects *rects = NULL;
+ static __thread Cutout_Rects *rects = NULL;
int ext_x, ext_y, ext_w, ext_h;
int im_w, im_h;
RGBA_Gfx_Func func;
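Review bot: `__thread` is a GCC/Clang extension rather than standard C; the C11 spelling `static _Thread_local Cutout_Rects *rects = NULL;` (or Eina's own TLS abstraction, if the codebase provides one) expresses the same thing portably, assuming the build does not already require GNU extensions. The change also alters the cache's lifetime: if `rects` is heap-allocated lazily, as the commit message suggests, each thread that ever draws keeps its own copy until the thread exits and nothing visible here frees it, so short-lived worker threads would each leak one cache — presumably the render threads are long-lived, but a comment on the declaration should say so. `evas_common_font_draw_cb` continues outside the hunk.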
diff --git a/src/lib/evas/common/evas_map_image.c b/src/lib/evas/common/evas_map_image.c
index cec21f6..eb94ada 100644
--- a/src/lib/evas/common/evas_map_image.c
+++ b/src/lib/evas/common/evas_map_image.c
@@ -745,7 +745,7 @@ evas_common_map_rgba_cb(RGBA_Image *src, RGBA_Image *dst,
int smooth, int level,
Evas_Common_Map_RGBA_Cb cb)
{
- static Cutout_Rects *rects = NULL;
+ static __thread Cutout_Rects *rects = NULL;
Cutout_Rect *r;
int c, cx, cy, cw, ch;
int i;
@@ -791,7 +791,7 @@ evas_common_map_rgba_cb(RGBA_Image *src, RGBA_Image *dst,
EAPI Eina_Bool
evas_common_map_thread_rgba_cb(RGBA_Image *src, RGBA_Image *dst, RGBA_Draw_Context *dc, RGBA_Map *map, int smooth, int level, int offset, Evas_Common_Map_Thread_RGBA_Cb cb)
{
- static Cutout_Rects *rects = NULL;
+ static __thread Cutout_Rects *rects = NULL;
Cutout_Rect *r;
int c, cx, cy, cw, ch;
int i;
diff --git a/src/lib/evas/common/evas_rectangle_main.c b/src/lib/evas/common/evas_rectangle_main.c
index 220fd0f..bd4649b 100644
--- a/src/lib/evas/common/evas_rectangle_main.c
+++ b/src/lib/evas/common/evas_rectangle_main.c
@@ -12,7 +12,7 @@ evas_common_rectangle_init(void)
EAPI void
evas_common_rectangle_draw_cb(RGBA_Image *dst, RGBA_Draw_Context *dc, int x, int y, int w, int h, Evas_Common_Rectangle_Draw_Cb cb)
{
- static Cutout_Rects *rects = NULL;
+ static __thread Cutout_Rects *rects = NULL;
Cutout_Rect *r;
int c, cx, cy, cw, ch;
int i;
diff --git a/src/lib/evas/common/evas_scale_main.c b/src/lib/evas/common/evas_scale_main.c
index cf34c31..bd30a47 100644
--- a/src/lib/evas/common/evas_scale_main.c
+++ b/src/lib/evas/common/evas_scale_main.c
@@ -40,7 +40,7 @@ evas_common_scale_rgba_in_to_out_clip_cb(RGBA_Image *src, RGBA_Image *dst,
int dst_region_w, int dst_region_h,
Evas_Common_Scale_In_To_Out_Clip_Cb cb)
{
- static Cutout_Rects *rects = NULL;
+ static __thread Cutout_Rects *rects = NULL;
Cutout_Rect *r;
int c, cx, cy, cw, ch;
int i;
++++++ fix-evas-sw-spinlock-free.patch ++++++
commit 5f307809b1d2ba2204bf073a06b4bc2fe1b205bb
Author: Carsten Haitzler (Rasterman)
Date: Tue Mar 29 12:09:40 2016 +0900
efl - evas - sw engine - donmt free spinlock because cache always needed
never free the shm pool cache spinlock as it is always needed once
initialized. this likely fixes a bsd hardlock issue
@fix
diff --git a/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c b/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c
index d556595..52dffd6 100644
--- a/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c
+++ b/src/modules/evas/engines/software_x11/evas_xlib_outbuf.c
@@ -26,6 +26,7 @@ struct _Outbuf_Region
int h;
};
+static Eina_Bool shmpool_initted = EINA_FALSE;
static Eina_List *shmpool = NULL;
static int shmsize = 0;
static int shmmemlimit = 20 * 1024 * 1024;
@@ -150,7 +151,11 @@ _clear_xob(int psync)
void
evas_software_xlib_outbuf_init(void)
{
- eina_spinlock_new(&shmpool_lock);
+ if (!shmpool_initted)
+ {
+ shmpool_initted = EINA_TRUE;
+ eina_spinlock_new(&shmpool_lock);
+ }
}
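Review bot: The guard sets `shmpool_initted = EINA_TRUE` before calling `eina_spinlock_new`, and the call's return value (an Eina_Bool, if I recall the Eina lock API correctly) is discarded, so a failed lock creation still marks the pool as initialized and later lock/unlock calls operate on an uninitialized spinlock. Reordering to `if (eina_spinlock_new(&shmpool_lock)) shmpool_initted = EINA_TRUE;` keeps a retry possible; if the call cannot fail in practice, a comment saying so would do. The flag check itself is an unsynchronized test-and-set on a plain static, which is only safe if `evas_software_xlib_outbuf_init` is always called from one thread — presumably the engine setup path, but that assumption belongs in a comment on `shmpool_initted`.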
void
@@ -192,7 +197,6 @@ evas_software_xlib_outbuf_free(Outbuf *buf)
eina_array_flush(&buf->priv.onebuf_regions);
free(buf);
_clear_xob(0);
- eina_spinlock_free(&shmpool_lock);
}
Outbuf *