diff --git a/backport-Add-unlikely-to-test-for-x-INT32_MAX-for-the-NULL.patch b/backport-Add-unlikely-to-test-for-x-INT32_MAX-for-the-NULL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8010871f8907bc1078b5dc7bfca687dc4b1c2843
--- /dev/null
+++ b/backport-Add-unlikely-to-test-for-x-INT32_MAX-for-the-NULL.patch
@@ -0,0 +1,31 @@
+From b9a3098830fa5e993ed9f82efd009aed9a00684d Mon Sep 17 00:00:00 2001
+From: William Bader
+Date: Mon, 28 Apr 2025 05:34:39 +0200
+Subject: [PATCH] Add unlikely() to test for x == INT32_MAX for the NULL
+
+reference in https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579
+
+Reference:https://gitlab.freedesktop.org/cairo/cairo/-/commit/b9a3098830fa5e993ed9f82efd009aed9a00684d.patch
+Conflict:NA
+
+---
+ src/cairo-bentley-ottmann-rectangular.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
+index be01e04f7..357d1a75f 100644
+--- a/src/cairo-bentley-ottmann-rectangular.c
++++ b/src/cairo-bentley-ottmann-rectangular.c
+@@ -847,8 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
+ rectangles[j].left.x = box[i].p2.x;
+ rectangles[j].left.dir = -1;
+ }
+- if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
+- if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
++ if (unlikely (rectangles[j].left.x == INT32_MAX)) rectangles[j].left.x = INT32_MAX-1;
++ if (unlikely (rectangles[j].right.x == INT32_MAX)) rectangles[j].right.x = INT32_MAX-1;
+
+ rectangles[j].left.right = NULL;
+ rectangles[j].right.right = NULL;
+--
+GitLab
diff --git a/backport-Fix-a-NULL-access-in-active_edges_to_traps.patch b/backport-Fix-a-NULL-access-in-active_edges_to_traps.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f4252fcaef12206f8bc409652c37556d55b1214d
--- /dev/null
+++ b/backport-Fix-a-NULL-access-in-active_edges_to_traps.patch
@@ -0,0 +1,36 @@
+From b57526185d60b3e36bb0f6684cc0ae9ac2294972 Mon Sep 17 00:00:00 2001
+From: William Bader
+Date: Mon, 28 Apr 2025 05:01:45 +0200
+Subject: [PATCH] Fix a NULL access in active_edges_to_traps().
+
+The bentley-ottmann tessellation implementation uses an x of INT32_MAX as a
+sentinel. If a rectangle has an x of INT32_MAX, active_edges_to_traps() can
+read past the end of the edge list when building trapezoids. This patch
+reduces an x of INT32_MAX to INT32_MAX-1. This avoids the crash in
+https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579 This is an
+alternative to the patch in
+https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/620 that adds a
+check for NULL pointers when traversing the edge list.
+
+Reference:https://gitlab.freedesktop.org/cairo/cairo/-/commit/b57526185d60b3e36bb0f6684cc0ae9ac2294972
+Conflict:NA
+
+---
+ src/cairo-bentley-ottmann-rectangular.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
+index 65f95d797..be01e04f7 100644
+--- a/src/cairo-bentley-ottmann-rectangular.c
++++ b/src/cairo-bentley-ottmann-rectangular.c
+@@ -847,6 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
+ rectangles[j].left.x = box[i].p2.x;
+ rectangles[j].left.dir = -1;
+ }
++ if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
++ if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
+
+ rectangles[j].left.right = NULL;
+ rectangles[j].right.right = NULL;
+--
+GitLab
\ No newline at end of file
diff --git a/cairo.spec b/cairo.spec
index 6a651a23ae6773e0b98b201bf870a89f1db4c636..a54ceede790f0756677a1fe2344ff854e3d0ce55 100644
--- a/cairo.spec
+++ b/cairo.spec
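Review bot: The two clamp lines added in _cairo_bentley_ottmann_tessellate_boxes carry no comment, so the reason for silently rewriting an input coordinate lives only in the commit message; the same holds for the `unlikely()` form of these lines in the other backport patch. I would put `/* INT32_MAX is the sweep's sentinel x; clamp real edges below it so active_edges_to_traps() cannot run past the edge list */` directly above them. The clamp is applied only where this function fills rectangles[], and the function body starts and ends outside the hunk, so it cannot be seen from here whether any other code in this file that builds rectangles for the same sweep needs the same guard; that is worth checking before treating the issue as closed. A regression test with a box whose p1.x or p2.x equals INT32_MAX would pin the fix.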
@@ -1,6 +1,6 @@ Name: cairo Version: 1.18.4 -Release: 1 +Release: 2 Summary: A 2D graphics library License: LGPL-2.1-only OR MPL-1.1 URL: https://cairographics.org @@ -24,6 +24,9 @@ BuildRequires: pkgconfig(xrender) BuildRequires: pkgconfig(zlib) BuildRequires: gtk-doc +Patch0001: backport-Fix-a-NULL-access-in-active_edges_to_traps.patch +Patch0002: backport-Add-unlikely-to-test-for-x-INT32_MAX-for-the-NULL.patch + %description Cairo is a 2D graphics libarary with support for multiple output devices. It provides high-quality display and print output and this package also @@ -147,6 +150,13 @@ This package contains tools for working with the cairo graphics library. %{_libdir}/cairo/ %changelog +* Fri Nov 14 2025 zhangqiumiao - 1.18.4-2 +- Type:CVE +- ID:CVE-2025-50422 +- SUG:NA +- DESC:Fix a NULL access in active_edges_to_traps() + Add unlikely() to test for x == INT32_MAX for the NULL reference + * Fri Mar 14 2025 Funda Wang - 1.18.4-1 - update to 1.18.4
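Review bot: Patch0001 and Patch0002 are declared in the second hunk, but the %prep section that applies them is outside these hunks, so it should be confirmed that the spec applies every listed patch (for example through `%autosetup -p1`); with hand-written `%patch` lines a newly declared patch is skipped without any build error and the CVE-2025-50422 fix would ship unapplied. Order matters here: the second patch's `index be01e04f7..357d1a75f` line shows it was generated on top of the first, which the numbering respects. A quick check of the build log for both patch names would settle it.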