summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am1
-rw-r--r--gnu/packages/patches/pixman-pointer-arithmetic.patch15
-rw-r--r--gnu/packages/xdisorg.scm3
3 files changed, 18 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 9decf3eaf3..8e50a71bb6 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -586,6 +586,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/perl-tk-x11-discover.patch		\
   gnu/packages/patches/pidgin-add-search-path.patch		\
   gnu/packages/patches/pingus-sdl-libs-config.patch		\
+  gnu/packages/patches/pixman-pointer-arithmetic.patch		\
   gnu/packages/patches/plotutils-libpng-jmpbuf.patch		\
   gnu/packages/patches/polkit-drop-test.patch			\
   gnu/packages/patches/portaudio-audacity-compat.patch		\
diff --git a/gnu/packages/patches/pixman-pointer-arithmetic.patch b/gnu/packages/patches/pixman-pointer-arithmetic.patch
new file mode 100644
index 0000000000..d34e6632a0
--- /dev/null
+++ b/gnu/packages/patches/pixman-pointer-arithmetic.patch
@@ -0,0 +1,15 @@
+Fix <https://bugs.freedesktop.org/show_bug.cgi?id=92027> whereby
+an arithemitic overflow could occur while doing pointer arithmetic,
+leading pixman to use an invalid address as the destination buffer.
+
+--- pixman-0.32.6/pixman/pixman-general.c	2015-09-21 15:14:34.695981325 +0200
++++ pixman-0.32.6/pixman/pixman-general.c	2015-09-21 15:19:48.898355548 +0200
+@@ -144,8 +144,7 @@ general_composite_rect  (pixman_implemen
+     mask_buffer = ALIGN (src_buffer + width * Bpp);
+     dest_buffer = ALIGN (mask_buffer + width * Bpp);
+ 
+-    if (ALIGN (dest_buffer + width * Bpp) >
+-	    scanline_buffer + sizeof (stack_scanline_buffer))
++    if ((width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer))
+     {
+ 	scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 32 * 3);
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 9fd9f4a321..7aa82fe312 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -150,7 +150,8 @@ following the mouse.")
                ".tar.gz"))
         (sha256
           (base32
-           "0129g4zdrw5hif5783li7rzcr4vpbc2cfia91azxmsk0h0xx3zix"))))
+           "0129g4zdrw5hif5783li7rzcr4vpbc2cfia91azxmsk0h0xx3zix"))
+        (patches (list (search-patch "pixman-pointer-arithmetic.patch")))))
     (build-system gnu-build-system)
     (inputs
       `(("libpng" ,libpng)