M gnu-system.am => gnu-system.am +1 -0
@@ 586,6 586,7 @@ dist_patch_DATA = \
gnu/packages/patches/perl-tk-x11-discover.patch \
gnu/packages/patches/pidgin-add-search-path.patch \
gnu/packages/patches/pingus-sdl-libs-config.patch \
+ gnu/packages/patches/pixman-pointer-arithmetic.patch \
gnu/packages/patches/plotutils-libpng-jmpbuf.patch \
gnu/packages/patches/polkit-drop-test.patch \
gnu/packages/patches/portaudio-audacity-compat.patch \
A gnu/packages/patches/pixman-pointer-arithmetic.patch => gnu/packages/patches/pixman-pointer-arithmetic.patch +15 -0
@@ 0,0 1,15 @@
+Fix <https://bugs.freedesktop.org/show_bug.cgi?id=92027> whereby
+an arithemitic overflow could occur while doing pointer arithmetic,
+leading pixman to use an invalid address as the destination buffer.
+
+--- pixman-0.32.6/pixman/pixman-general.c 2015-09-21 15:14:34.695981325 +0200
++++ pixman-0.32.6/pixman/pixman-general.c 2015-09-21 15:19:48.898355548 +0200
+@@ -144,8 +144,7 @@ general_composite_rect (pixman_implemen
+ mask_buffer = ALIGN (src_buffer + width * Bpp);
+ dest_buffer = ALIGN (mask_buffer + width * Bpp);
+
+- if (ALIGN (dest_buffer + width * Bpp) >
+- scanline_buffer + sizeof (stack_scanline_buffer))
++ if ((width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer))
+ {
+ scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 32 * 3);
M gnu/packages/xdisorg.scm => gnu/packages/xdisorg.scm +2 -1
@@ 150,7 150,8 @@ following the mouse.")
".tar.gz"))
(sha256
(base32
- "0129g4zdrw5hif5783li7rzcr4vpbc2cfia91azxmsk0h0xx3zix"))))
+ "0129g4zdrw5hif5783li7rzcr4vpbc2cfia91azxmsk0h0xx3zix"))
+ (patches (list (search-patch "pixman-pointer-arithmetic.patch")))))
(build-system gnu-build-system)
(inputs
`(("libpng" ,libpng)