!45 [sync] PR-44: fix fuzzers

From: @openeuler-sync-bot 
Reviewed-by: @leeffo 
Signed-off-by: @leeffo

0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch

@@ -1,30 +0,0 @@
-From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001
-From: Carlos Garcia Campos <cgarcia@igalia.com>
-Date: Mon, 19 Nov 2018 12:33:07 +0100
-Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in
- cairo_ft_apply_variations
-
-Fixes a crash when using freetype >= 2.9
----
- src/cairo-ft-font.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
-index 325dd61b4..981973f78 100644
---- a/src/cairo-ft-font.c
-+++ b/src/cairo-ft-font.c
-@@ -2393,7 +2393,11 @@ skip:
- done:
-         free (coords);
-         free (current_coords);
-+#if HAVE_FT_DONE_MM_VAR
-+        FT_Done_MM_Var (face->glyph->library, ft_mm_var);
-+#else
-         free (ft_mm_var);
-+#endif
-     }
- }
- 
--- 
-2.19.2
-

0003-cairo-composite_color_glyphs.patch

@@ -1,56 +0,0 @@
-From 79ad01724161502e8d9d2bd384ff1f0174e5df6e Mon Sep 17 00:00:00 2001
-From: Matthias Clasen <mclasen@redhat.com>
-Date: Thu, 30 May 2019 07:30:55 -0400
-Subject: [PATCH] Fix a thinko in composite_color_glyphs
-
-We can't just move around the contents of the
-passed-in string, we need to make a copy. This
-was showing up as memory corruption in pango.
-
-See https://gitlab.gnome.org/GNOME/pango/issues/346
----
- src/cairo-surface.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/cairo-surface.c b/src/cairo-surface.c
-index c30f84087..e112b660a 100644
---- a/src/cairo-surface.c
-+++ b/src/cairo-surface.c
-@@ -2820,6 +2820,7 @@ _cairo_surface_show_text_glyphs (cairo_surface_t	    *surface,
- 				 const cairo_clip_t		*clip)
- {
-     cairo_int_status_t status;
-+    char *utf8_copy = NULL;
- 
-     TRACE ((stderr, "%s\n", __FUNCTION__));
-     if (unlikely (surface->status))
-@@ -2847,6 +2848,10 @@ _cairo_surface_show_text_glyphs (cairo_surface_t	    *surface,
-     status = CAIRO_INT_STATUS_UNSUPPORTED;
- 
-     if (_cairo_scaled_font_has_color_glyphs (scaled_font)) {
-+        utf8_copy = malloc (sizeof (char) * utf8_len);
-+        memcpy (utf8_copy, utf8, sizeof (char) * utf8_len);
-+        utf8 = utf8_copy;
-+
-         status = composite_color_glyphs (surface, op,
-                                          source,
-                                          (char *)utf8, &utf8_len,
-@@ -2861,6 +2866,8 @@ _cairo_surface_show_text_glyphs (cairo_surface_t	    *surface,
-         if (num_glyphs == 0)
-             goto DONE;
-     }
-+    else
-+      utf8_copy = NULL;
- 
-     /* The logic here is duplicated in _cairo_analysis_surface show_glyphs and
-      * show_text_glyphs.  Keep in synch. */
-@@ -2918,6 +2925,9 @@ _cairo_surface_show_text_glyphs (cairo_surface_t	    *surface,
- 	surface->serial++;
-     }
- 
-+    if (utf8_copy)
-+        free (utf8_copy);
-+
-     return _cairo_surface_set_error (surface, status);
- }
- 

0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch

@@ -1,116 +0,0 @@
-From ef959bc76e65ea0b0d4ba3ee50dfbce31c3484ad Mon Sep 17 00:00:00 2001
-From: Marek Kasik <mkasik@redhat.com>
-Date: Fri, 27 Mar 2020 19:39:46 +0100
-Subject: [PATCH] cff: Allow empty array of operands for certain operators
-
-Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
-StemSnapH and StemSnapV have operands of type delta which can be
-a number or an array of delta-encoded numbers. This array can be
-empty according to freetype developers.
-This commit checks whether current operator is among those listed
-and permits empty operand in such case.
----
- src/cairo-cff-subset.c | 78 ++++++++++++++++++++++++++----------------
- 1 file changed, 49 insertions(+), 29 deletions(-)
-
-diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
-index 37727eddb..fce4195e9 100644
---- a/src/cairo-cff-subset.c
-+++ b/src/cairo-cff-subset.c
-@@ -56,30 +56,36 @@
- 
- /* CFF Dict Operators. If the high byte is 0 the command is encoded
-  * with a single byte. */
--#define BASEFONTNAME_OP  0x0c16
--#define CIDCOUNT_OP      0x0c22
--#define CHARSET_OP       0x000f
--#define CHARSTRINGS_OP   0x0011
--#define COPYRIGHT_OP     0x0c00
--#define DEFAULTWIDTH_OP  0x0014
--#define ENCODING_OP      0x0010
--#define FAMILYNAME_OP    0x0003
--#define FDARRAY_OP       0x0c24
--#define FDSELECT_OP      0x0c25
--#define FONTBBOX_OP      0x0005
--#define FONTMATRIX_OP    0x0c07
--#define FONTNAME_OP      0x0c26
--#define FULLNAME_OP      0x0002
--#define LOCAL_SUB_OP     0x0013
--#define NOMINALWIDTH_OP  0x0015
--#define NOTICE_OP        0x0001
--#define POSTSCRIPT_OP    0x0c15
--#define PRIVATE_OP       0x0012
--#define ROS_OP           0x0c1e
--#define UNIQUEID_OP      0x000d
--#define VERSION_OP       0x0000
--#define WEIGHT_OP        0x0004
--#define XUID_OP          0x000e
-+#define BASEFONTNAME_OP     0x0c16
-+#define CIDCOUNT_OP         0x0c22
-+#define CHARSET_OP          0x000f
-+#define CHARSTRINGS_OP      0x0011
-+#define COPYRIGHT_OP        0x0c00
-+#define DEFAULTWIDTH_OP     0x0014
-+#define ENCODING_OP         0x0010
-+#define FAMILYNAME_OP       0x0003
-+#define FDARRAY_OP          0x0c24
-+#define FDSELECT_OP         0x0c25
-+#define FONTBBOX_OP         0x0005
-+#define FONTMATRIX_OP       0x0c07
-+#define FONTNAME_OP         0x0c26
-+#define FULLNAME_OP         0x0002
-+#define LOCAL_SUB_OP        0x0013
-+#define NOMINALWIDTH_OP     0x0015
-+#define NOTICE_OP           0x0001
-+#define POSTSCRIPT_OP       0x0c15
-+#define PRIVATE_OP          0x0012
-+#define ROS_OP              0x0c1e
-+#define UNIQUEID_OP         0x000d
-+#define VERSION_OP          0x0000
-+#define WEIGHT_OP           0x0004
-+#define XUID_OP             0x000e
-+#define BLUEVALUES_OP       0x0006
-+#define OTHERBLUES_OP       0x0007
-+#define FAMILYBLUES_OP      0x0008
-+#define FAMILYOTHERBLUES_OP 0x0009
-+#define STEMSNAPH_OP        0x0c0c
-+#define STEMSNAPV_OP        0x0c0d
- 
- #define NUM_STD_STRINGS 391
- 
-@@ -615,13 +621,27 @@ cff_dict_create_operator (int            operator,
- 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
- 
-     _cairo_dict_init_key (op, operator);
--    op->operand = _cairo_malloc (size);
--    if (unlikely (op->operand == NULL)) {
--        free (op);
--	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-+    if (size != 0) {
-+	op->operand = _cairo_malloc (size);
-+	if (unlikely (op->operand == NULL)) {
-+	    free (op);
-+	    return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-+	}
-+	memcpy (op->operand, operand, size);
-+    } else {
-+	op->operand = NULL;
-+	/* Delta-encoded arrays can be empty. */
-+	if (operator != BLUEVALUES_OP &&
-+	    operator != OTHERBLUES_OP &&
-+	    operator != FAMILYBLUES_OP &&
-+	    operator != FAMILYOTHERBLUES_OP &&
-+	    operator != STEMSNAPH_OP &&
-+	    operator != STEMSNAPV_OP) {
-+	    free (op);
-+	    return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-+	}
-     }
- 
--    memcpy (op->operand, operand, size);
-     op->operand_length = size;
-     op->operand_offset = -1;
- 
--- 
-2.26.0
-

bugfix-cairo-truetype-reverse-cmap-detected-memory-leaks.patch

@@ -0,0 +1,29 @@
+From 1f39cb2e344ddaac89da743a926d06c60e08614b Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 15:37:22 +0800
+Subject: [PATCH] cairo truetype reverse cmap detected memory leaks
+
+---
+ src/cairo-truetype-subset.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
+index 6cef4ee..472294f 100644
+--- a/src/cairo-truetype-subset.c
++++ b/src/cairo-truetype-subset.c
+@@ -1311,8 +1311,10 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
+ 
+     /* A Format 4 cmap contains 8 uint16_t numbers and 4 arrays of
+      * uint16_t each num_segments long. */
+-    if (size < (8 + 4*num_segments)*sizeof(uint16_t))
+-	return CAIRO_INT_STATUS_UNSUPPORTED;
++    if (size < (8 + 4*num_segments)*sizeof(uint16_t)) {
++	status = CAIRO_INT_STATUS_UNSUPPORTED;
++        goto fail;
++    }
+ 
+     end_code = map->endCount;
+     start_code = &(end_code[num_segments + 1]);
+-- 
+2.23.0
+

bugfix-fix-call-get_unaligned_be32-heap-buffer-overflow.patch

@@ -0,0 +1,35 @@
+From 53738879bd6bc400d27b96cf0fe759dadc9f4fb0 Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 16:00:24 +0800
+Subject: [PATCH] fix call get_unaligned_be32 heap buffer overflow
+
+---
+ src/cairo-image-info.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c
+index d147e37..0310c4b 100644
+--- a/src/cairo-image-info.c
++++ b/src/cairo-image-info.c
+@@ -190,7 +190,7 @@ _jpx_match_box (const unsigned char *p, const unsigned char *end, uint32_t type)
+ static const unsigned char *
+ _jpx_find_box (const unsigned char *p, const unsigned char *end, uint32_t type)
+ {
+-    while (p < end) {
++    while ((p < end) && (p + 4 < end)) {
+ 	if (_jpx_match_box (p, end, type))
+ 	    return p;
+ 	p = _jpx_next_box (p);
+@@ -346,6 +346,9 @@ _jbig2_get_next_segment (const unsigned char  *p,
+     big_page_size = (p[4] & 0x40) != 0;
+     p += 5;
+ 
++    if (p + 4 >= end)
++        return NULL;
++
+     num_segs = p[0] >> 5;
+     if (num_segs == 7) {
+ 	num_segs = get_unaligned_be32 (p) & 0x1fffffff;
+-- 
+2.23.0
+

bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch

@@ -0,0 +1,31 @@
+From 4e515dd14a67b9069610e4a10baee300fb08421a Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 16:44:30 +0800
+Subject: [PATCH] fix heap buffer overflow in cairo_cff_parse_charstring
+
+---
+ src/cairo-cff-subset.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index 64fc69e..c94a4d0 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -1789,7 +1789,13 @@ cairo_cff_font_subset_charstrings_and_subroutines (cairo_cff_font_t  *font)
+ 	} else {
+ 	    glyph = font->scaled_font_subset->glyphs[i];
+ 	}
+-        element = _cairo_array_index (&font->charstrings_index, glyph);
++
++        cairo_array_t *array = &font->charstrings_index;
++        element = _cairo_array_index (array, glyph);
++        if (element == NULL)
++            return CAIRO_INT_STATUS_NO_MEMORY;
++        if (array->element_size < element->length)
++            return CAIRO_INT_STATUS_UNSUPPORTED;
+         status = cff_index_append (&font->charstrings_subset_index,
+                                    element->data,
+                                    element->length);
+-- 
+2.23.0
+

bugfix-fix-read-memory-access.patch

@@ -0,0 +1,39 @@
+From e8fef3b8f84afb1a0ae7a9ae81f43c91ac7b3b79 Mon Sep 17 00:00:00 2001
+From: sun_hai_10 <sunhai10@huawei.com>
+Date: Wed, 14 Jun 2023 15:52:58 +0800
+Subject: [PATCH] fix read memory access
+
+---
+ src/cairo-cff-subset.c   | 2 ++
+ src/cairo-type1-subset.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index fce4195..64fc69e 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -1412,6 +1412,8 @@ cairo_cff_font_subset_dict_string(cairo_cff_font_t   *font,
+         return CAIRO_STATUS_SUCCESS;
+ 
+     element = _cairo_array_index (&font->strings_index, sid - NUM_STD_STRINGS);
++    if (element == NULL)
++        return CAIRO_STATUS_NO_MEMORY;
+     sid = NUM_STD_STRINGS + _cairo_array_num_elements (&font->strings_subset_index);
+     status = cff_index_append (&font->strings_subset_index, element->data, element->length);
+     if (unlikely (status))
+diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c
+index 068b59e..22182af 100644
+--- a/src/cairo-type1-subset.c
++++ b/src/cairo-type1-subset.c
+@@ -1229,6 +1229,8 @@ cairo_type1_font_subset_for_each_glyph (cairo_type1_font_subset_t *font,
+ 
+ 	/* Skip binary data and |- or ND token. */
+ 	p = skip_token (charstring + charstring_length, dict_end);
++        if (p == NULL)
++            return CAIRO_INT_STATUS_NO_MEMORY;
+ 	while (p < dict_end && _cairo_isspace(*p))
+ 	    p++;
+ 
+-- 
+2.23.0
+

cairo.spec

@@ -1,28 +1,29 @@
 %global cairogl --disable-gl
 
 Name:           cairo
-Version:        1.16.0
+Version:        1.17.4
 Release:        4
 Summary:        A 2D graphics library
 License:        LGPLv2 or MPLv1.1
 URL:            http://cairographics.org
-Source0:        http://cairographics.org/releases/%{name}-%{version}.tar.xz
+Source0:        http://cairographics.org/snapshots/%{name}-%{version}.tar.xz
 
 Patch0001:	0001-Set-default-LCD-filter-to-FreeType-s-default.patch
-Patch0002:	0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch
-Patch0003:	0003-cairo-composite_color_glyphs.patch
-Patch0004:	0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch
 Patch6000:	CVE-2019-6461.patch
 Patch6001:	CVE-2019-6462.patch
 Patch6002:	backport-CVE-2020-35492.patch
 
+Patch9002:  bugfix-cairo-truetype-reverse-cmap-detected-memory-leaks.patch
+Patch9003:  bugfix-fix-read-memory-access.patch
+Patch9004:  bugfix-fix-call-get_unaligned_be32-heap-buffer-overflow.patch
+Patch9005:  bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
+
+BuildRequires:  gcc make
 BuildRequires:  pkgconfig glib2-devel librsvg2-devel
 BuildRequires:  libXrender-devel libX11-devel libpng-devel libxml2-devel
-BuildRequires:  pixman-devel >= 0.30.0
+BuildRequires:  pixman-devel >= 0.36.0
 BuildRequires:  freetype-devel >= 2.1.9
 BuildRequires:  fontconfig-devel >= 2.2.95
-Provides:       cairo-gobject
-Obsoletes:      cairo-gobject
 
 %description
 Cairo is a 2D graphics libarary with support for multiple output devices.
@@ -33,8 +34,6 @@ GObject used by GNOME.
 %package        devel
 Summary: Development files for cairo
 Requires: %{name}%{?_isa} = %{version}-%{release}
-Provides: cairo-gobject-devel cairo-tools
-Obsoletes: cairo-gobject-devel cairo-tools
 
 %description    devel
 This package contains libraries, header files and developer documentation
@@ -42,13 +41,46 @@ needed for developing software which uses the cairo graphics library and
 cairo GObject library and contains tools for working with the cairo graphics
 library as well.
 
+%package gobject
+Summary: GObject bindings for cairo
+Requires: %{name}%{?_isa} = %{version}-%{release}
+ 
+%description gobject
+Cairo is a 2D graphics library designed to provide high-quality display
+and print output.
+ 
+This package contains functionality to make cairo graphics library
+integrate well with the GObject object system used by GNOME.
+ 
+%package gobject-devel
+Summary: Development files for cairo-gobject
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-gobject%{?_isa} = %{version}-%{release}
+ 
+%description gobject-devel
+Cairo is a 2D graphics library designed to provide high-quality display
+and print output.
+ 
+This package contains libraries, header files and developer documentation
+needed for developing software which uses the cairo Gobject library.
+ 
+%package tools
+Summary: Development tools for cairo
+ 
+%description tools
+Cairo is a 2D graphics library designed to provide high-quality display
+and print output.
+ 
+This package contains tools for working with the cairo graphics library.
+ * cairo-trace: Record cairo library calls for later playback
+
 %prep
 %autosetup -p1
 
 %build
 %configure --disable-static --enable-xlib --enable-ft --enable-ps  \
            --enable-pdf --enable-svg --enable-tee --enable-gobject \
-           %{cairogl} --disable-gtk-doc
+           %{cairogl} --disable-gtk-doc --disable-symbol-lookup
 sed -i -e 's/^hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=""/g' \
 -e 's/^runpath_var=LD_RUN_PATH/runpath_var=DIE_RPATH_DIE/g' libtool
 %make_build V=1
@@ -60,30 +92,77 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 %files
 %license COPYING COPYING-LGPL-2.1 COPYING-MPL-1.1
 %doc AUTHORS BIBLIOGRAPHY BUGS NEWS README
-%{_libdir}/libcairo.so.*
-%{_libdir}/libcairo-script-interpreter.so.*
-%{_bindir}/cairo-sphinx
-# This is GObject relative lib file
-%{_libdir}/libcairo-gobject.so.*
-
-%files          devel
+%{_libdir}/libcairo.so.2*
+%{_libdir}/libcairo-script-interpreter.so.2*
+ 
+%files devel
 %doc ChangeLog PORTING_GUIDE
 %dir %{_includedir}/cairo/
-%exclude %{_includedir}/cairo/cairo-gl.h
-%{_includedir}/cairo/*.h
-%{_libdir}/*.so
-%exclude %{_libdir}/pkgconfig/cairo-glx.pc
-%exclude %{_libdir}/pkgconfig/cairo-gl.pc
-%exclude %{_libdir}/pkgconfig/cairo-egl.pc
-%{_libdir}/pkgconfig/*.pc
-# These two files are development tools related
-%{_libdir}/cairo/
+%{_includedir}/cairo/cairo-deprecated.h
+%{_includedir}/cairo/cairo-features.h
+%{_includedir}/cairo/cairo-ft.h
+%{_includedir}/cairo/cairo.h
+%{_includedir}/cairo/cairo-pdf.h
+%{_includedir}/cairo/cairo-ps.h
+%{_includedir}/cairo/cairo-script-interpreter.h
+%{_includedir}/cairo/cairo-svg.h
+%{_includedir}/cairo/cairo-tee.h
+%{_includedir}/cairo/cairo-version.h
+%{_includedir}/cairo/cairo-xlib-xrender.h
+%{_includedir}/cairo/cairo-xlib.h
+%{_includedir}/cairo/cairo-script.h
+%{_includedir}/cairo/cairo-xcb.h
+%{_libdir}/libcairo.so
+%{_libdir}/libcairo-script-interpreter.so
+%{_libdir}/pkgconfig/cairo-fc.pc
+%{_libdir}/pkgconfig/cairo-ft.pc
+%{_libdir}/pkgconfig/cairo.pc
+%{_libdir}/pkgconfig/cairo-pdf.pc
+%{_libdir}/pkgconfig/cairo-png.pc
+%{_libdir}/pkgconfig/cairo-ps.pc
+%{_libdir}/pkgconfig/cairo-svg.pc
+%{_libdir}/pkgconfig/cairo-tee.pc
+%{_libdir}/pkgconfig/cairo-xlib.pc
+%{_libdir}/pkgconfig/cairo-xlib-xrender.pc
+%{_libdir}/pkgconfig/cairo-script.pc
+%{_libdir}/pkgconfig/cairo-xcb-shm.pc
+%{_libdir}/pkgconfig/cairo-xcb.pc
 %{_datadir}/gtk-doc/html/cairo
-# This file is development tools related
-# cairo-trace: Record cairo library calls for later playback
+ 
+%files gobject
+%{_libdir}/libcairo-gobject.so.2*
+ 
+%files gobject-devel
+%{_includedir}/cairo/cairo-gobject.h
+%{_libdir}/libcairo-gobject.so
+%{_libdir}/pkgconfig/cairo-gobject.pc
+ 
+%files tools
 %{_bindir}/cairo-trace
+%{_libdir}/cairo/
 
 %changelog
+* Wed Jun 14 2023 sunhai<sunhai10@huawei.com> - 1.17.4-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:cairo_truetype_reverse_cmap detected memory leaks
+       fix read memory access
+       fix call get_unaligned_be32 heap buffer overflow
+       fix heap buffer overflow in cairo_cff_parse_charstring
+
+* Thu Dec  1 2022 pengyi<pengyi37@huawei.com> - 1.17.4-3
+- DESC:correct source URL
+
+* Mon May 09 2022 wangkerong<wangkerong@h-partners.com> - 1.17.4-2
+- DESC:disable symbol-lookup,fix build failure after install binutils-devel
+
+* Mon Nov 22 2021 hanhui<hanhui15@huawei.com> - 1.17.4-1
+- DESC:update to 1.17.4
+
+* Wed May 26 2021 liuyumeng <liuyumeng5@huawei.com> - 1.16.0-5
+- Add a BuildRequires for gcc
+
 * Thu Apr 1 2021 wangkerong <wangkerong@huawei.com> - 1.16.0-4
 - Type:cve
 - ID:CVE-2020-35492