CVS commit: pkgsrc/graphics/cairo

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Aug 14 10:14:49 UTC 2025

Modified Files:
        pkgsrc/graphics/cairo: Makefile distinfo
Added Files:
        pkgsrc/graphics/cairo/patches:
            patch-src_cairo-bentley-ottmann-rectangular.c

Log Message:
cairo: add upstream patch for CVE-2025-50422.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.165 -r1.166 pkgsrc/graphics/cairo/Makefile
cvs rdiff -u -r1.102 -r1.103 pkgsrc/graphics/cairo/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/graphics/cairo/patches/patch-src_cairo-bentley-ottmann-rectangular.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/cairo/Makefile
diff -u pkgsrc/graphics/cairo/Makefile:1.165 pkgsrc/graphics/cairo/Makefile:1.166
--- pkgsrc/graphics/cairo/Makefile:1.165        Tue Apr  1 05:19:04 2025
+++ pkgsrc/graphics/cairo/Makefile      Thu Aug 14 10:14:48 2025
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.165 2025/04/01 05:19:04 adam Exp $
+# $NetBSD: Makefile,v 1.166 2025/08/14 10:14:48 wiz Exp $
 
 DISTNAME=      cairo-1.18.4
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  https://cairographics.org/releases/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/graphics/cairo/distinfo
diff -u pkgsrc/graphics/cairo/distinfo:1.102 pkgsrc/graphics/cairo/distinfo:1.103
--- pkgsrc/graphics/cairo/distinfo:1.102        Tue Apr  1 05:19:04 2025
+++ pkgsrc/graphics/cairo/distinfo      Thu Aug 14 10:14:48 2025
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.102 2025/04/01 05:19:04 adam Exp $
+$NetBSD: distinfo,v 1.103 2025/08/14 10:14:48 wiz Exp $
 
 BLAKE2s (cairo-1.18.4.tar.xz) = 54a70468f46aef501497461765cebf5c44d0c80579ea5d5165dbec67ba9cfdbd
 SHA512 (cairo-1.18.4.tar.xz) = 863679f817ed67dc2c916c035d740916e27e7e69c04fca63936e37d274e7f4c79848d16c8f7c481798864602e8847c489f698df89b785cbc576c925dbd513316
 Size (cairo-1.18.4.tar.xz) = 32578804 bytes
 SHA1 (patch-meson.build) = 3187c754af123be69e1b5651165f6310c8786558
+SHA1 (patch-src_cairo-bentley-ottmann-rectangular.c) = 7284b21954a35729ca92b248b99d1dca3496f9b5
 SHA1 (patch-src_cairo-colr-glyph-render.c) = 3dc6dc2b0a808b1bd6e2323645f895e276f0a8af
 SHA1 (patch-src_cairo-image-surface.c) = 3ae5966abf7851dfdb74742c39d2033b4655d7f7
 SHA1 (patch-test_pdf-structure.c) = dd3e5ee2cdbc19e77c2d5a60dab98195ecbe82bb

Added files:

Index: pkgsrc/graphics/cairo/patches/patch-src_cairo-bentley-ottmann-rectangular.c
diff -u /dev/null pkgsrc/graphics/cairo/patches/patch-src_cairo-bentley-ottmann-rectangular.c:1.1
--- /dev/null   Thu Aug 14 10:14:49 2025
+++ pkgsrc/graphics/cairo/patches/patch-src_cairo-bentley-ottmann-rectangular.c Thu Aug 14 10:14:49 2025
@@ -0,0 +1,24 @@
+$NetBSD: patch-src_cairo-bentley-ottmann-rectangular.c,v 1.1 2025/08/14 10:14:49 wiz Exp $
+
+Fix for CVE-2025-50422.
+https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/632
+
+--- src/cairo-bentley-ottmann-rectangular.c.orig       2025-03-08 12:35:35.000000000 +0000
++++ src/cairo-bentley-ottmann-rectangular.c
+@@ -847,12 +847,16 @@ _cairo_bentley_ottmann_tessellate_boxes 
+               rectangles[j].left.x = box[i].p2.x;
+               rectangles[j].left.dir = -1;
+           }
++          if (unlikely (rectangles[j].left.x == INT32_MAX)) rectangles[j].left.x = INT32_MAX-1;
++          if (unlikely (rectangles[j].right.x == INT32_MAX)) rectangles[j].right.x = INT32_MAX-1;
+ 
+           rectangles[j].left.right = NULL;
+           rectangles[j].right.right = NULL;
+ 
+           rectangles[j].top = box[i].p1.y;
+           rectangles[j].bottom = box[i].p2.y;
++          if (unlikely (rectangles[j].top == INT32_MIN)) rectangles[j].top = INT32_MIN+1;
++          if (unlikely (rectangles[j].bottom == INT32_MIN)) rectangles[j].bottom = INT32_MIN+1;
+ 
+           if (rectangles_chain) {
+               h = _cairo_fixed_integer_floor (box[i].p1.y) - y_min;