Debian Patches

Status for libskia/146.20260602~git.3476902+dfsg-2

Patch Description Author Forwarded Bugs Origin Last update
CVE-2026-14429 Avoid improper mask formats for SDFT runs
SDFTSubRun has a hard assumption of the kA8 mask format and
if the vertex filler differs, there will be a memory mismatch.

This catches it when deserializing the Slug and changes the
debug-only assert to be runtime to make sure we don't miss other
places.
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-06-08
CVE-2026-14427-a Reject Slugs that have creationMatrix with perspective
This shouldn't happen during normal use [1] but if the data
is corrupted, there are some assumptions that can can cause
issues, like the ones linked in the bug.

This rejects those and turns one assert into an actual runtime
check to provide defense in depth.

[1] https://github.com/google/skia/blob/9eecbdc30f7da675edab96974b23174a9d521e0c/src/text/gpu/SubRunContainer.cpp#L1578-L1581
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-06-05
CVE-2026-14427-b Use an assert release on stride length
Follow-up to https://review.skia.org/1256016
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-06-08
build-files Debian-specific makefile. Filip Strömbäck <filip@fprg.se> not-needed
unsupported-attributes Remove unsupported annotations. Filip Strömbäck <filip@fprg.se> not-needed
vk_malloc-location Use system library of vk_mem_alloc.h. Filip Strömbäck <filip@fprg.se> not-needed
loong-build Patches to make loong64 build work with GCC. Filip Strömbäck <filip@fprg.se> yes
CVE-2026-5870 Use SkSafeMath to prevent overflow in pixel offset calculations.

The trim methods in SkReadPixelsRec and SkWritePixelsRec now use
SkSafeMath to calculate the offset for fPixels. This addresses potential
integer overflows when computing the y and x offsets and their sum.
Additionally, a check for fInfo.minRowBytes() == 0 is added, as
minRowBytes() returns 0 on overflow. If any overflow occurs during
offset calculation, trim will now return false.

See linked bug for potential security issue that motivated this.

And see (sorry internal only) go/code-terracotta-review-explainer for
evaluting this phase (1) patch.
Stephen Nusko <nuskos@google.com> yes upstream 2026-03-25
CVE-2026-7920 Make local optimized copy of program when creating SkRP version
As per the linked bug, there could be a problem if the gpu backend
tried to use a compiled runtime effect at the same time as the
cpu backend made its first call to getRPProgram(). This could result
in the fBaselineProgram being mutated out from under the gpu backend's
version.

This makes an optimized copy of the existing program to then convert
to SkRasterPipeline. By setting optimize to true and a non-zero
inlining limit, compiler.convertProgram will call the inliner and
remove unused functions (as well as other things like unused
local/global variables).

To prevent further mutation of fBaseProgram, I made it be pointer
to const (I'd initially been puzzled how a const getRPProgram could
be mutating it, but only the pointer was const).

Performance change looks negligible (parsing is pretty quick):
```
$ out/Release/nanobench_baseline --match sksl_skrp
Timer overhead: 23.5ns
curr/maxrss loops min median mean max stddev samples config bench
92/90 MB 3 5.35µs 5.38µs 5.38µs 5.45µs 0% █▅▁▃▃▄▄▂▃▃ nonrendering sksl_skrp_tiny
92/90 MB 3 14.7µs 14.9µs 15.1µs 17.5µs 6% █▂▁▁▁▁▁▁▁▁ nonrendering sksl_skrp_small
92/90 MB 1 125µs 132µs 135µs 164µs 9% █▅▃▂▂▁▂▁▁▄ nonrendering sksl_skrp_medium
92/90 MB 1 321µs 338µs 339µs 364µs 5% █▆▃▂█▄▂▁▅▂ nonrendering sksl_skrp_large

$ out/Release/nanobench_with_change --match sksl_skrp
Timer overhead: 23.5ns
curr/maxrss loops min median mean max stddev samples config bench
92/90 MB 3 5.62µs 5.64µs 5.64µs 5.69µs 0% █▂▄▄▃▃▄▁▅▃ nonrendering sksl_skrp_tiny
92/90 MB 4 14.8µs 14.9µs 15.3µs 17.1µs 5% █▂▁▁▅▁▁▁▁▁ nonrendering sksl_skrp_small
92/90 MB 2 125µs 130µs 131µs 154µs 7% █▃▂▂▂▁▁▂▁▃ nonrendering sksl_skrp_medium
92/90 MB 1 322µs 344µs 342µs 369µs 5% █▆▅▃▂▁▇▄▂▃ nonrendering sksl_skrp_large
```
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-04-27
CVE-2026-7923 Avoid removing too many stack entries in SkRP during discard_stack
Consider an sksl snippet like:
```
half4 main(float2 xy) {
float4 v = float4(xy.x, -1.0, -2.0, -3.0);
v = abs(v);
return half4(v);
}
```

this could be turned into (unoptimized) instructions like [1]
```
store_src_rg xy = src.rg
init_lane_masks CondMask = LoopMask = RetMask = true
copy_slot_unmasked v(0) = xy(0)
copy_constant v(1) = 0xBF800000 (-1.0)
copy_constant v(2) = 0xC0000000 (-2.0)
copy_constant v(3) = 0xC0400000 (-3.0)
copy_4_slots_unmasked $0..3 = v # unnecessary
bitwise_and_imm_4_ints $0..3 &= 0x7FFFFFFF
copy_4_slots_unmasked v = $0..3
load_src src.rgba = $0..3
```
( the bitwise_and_imm_4_ints instruction is the abs() part, masking
off the sign bit)

We can optimize cases where we push to the stack (e.g.
the copy_4_slots_unmasked), do an operation (the &=) and then
pop the value off the stack into just doing the operation w/o
involving the stack. (We might have to push the result to the
stack for further use).
```
...
copy_constant v(3) = 0xC0400000 (-3.0)
bitwise_and_imm_4_ints v &= 0x7FFFFFFF
copy_4_slots_unmasked $0..3 = v
load_src src.rgba = $0..3
```

There was a bug in the optimization where we removed *all* the
slots for an instruction (4 in this case because it's a float4)
even though the call was discard_stack(1). This would be followed
up by a call to discard_stack(3) (the remainder of the previous
instruction's stack) and we'd underflow the stack.

Problematic sksl:
```
half4 main(float2 xy) {
float4 v;
v.x += xy.x;
(v = abs(v)).xyz; # drop 1 channel (the .w)
return half4(v);
}
// This was in the output
bitwise_and_imm_4_ints v &= 0x7FFFFFFF
copy_4_slots_unmasked ExternalPtr(0..3) = v
load_src src.rgba = ExternalPtr(0..3)
```

where ExternalPtr is referring to memory outside any variables,
uniforms, or the temporary stack. Yikes! I'll keep that in mind
for the future.

Anyway, for the fix, we'll only remove N slots if the previous
call was N slots wide.

[1] e.g. bazel build //tools/skslc && bazel-bin/tools/skslc/skslc input.sksl output.skrp
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-04-27
CVE-2026-7949 Use a local data copy for strike deserialization
The readStrikeData() input is volatile (shared memory) and untrusted.

To avoid time-of-check to time-of-use issues during deserialization,
always make a copy when transitioning to internal/non-volatile APIs.

This is similar to the other defensive copies used in Chromium's
cc/paint_op deserialization, e.g. [1].

[1] https://source.chromium.org/chromium/chromium/src/+/main:cc/paint/paint_op_reader.cc;drc=9c91b2494d4bf0a2d33b5985f7d1af79e72146f2;l=329
Florin Malita <fmalita@google.com> yes upstream 2026-03-27
CVE-2026-8510 [sksl] Check allowSkSL for SkRuntimeImageFilter::CreateProc
Since SkRuntimeImageFilter doesn't create its runtime shaders until
actually evaluating the image filter, SkRuntimeShader's CreateProc
was not being reached; it must be responsible for validating allowSkSL.

Updates the unit test to confirm that all sources of runtime effects
in drawables are detected when allowSkSl is false.
Michael Ludwig <michaelludwig@google.com> yes upstream 2026-04-21
CVE-2026-8579 Validate sizes in mskp reading and SkTableMaskFilter
The max dimension for mskps is approximately the sqrt of INT32_MAX
which felt "big enough"
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-03-30
CVE-2026-9892 Report and handle failure for inlineUpload(...) calls
* The bug associated with this change called out that we should not attempt to perform an upload on an externally-owned secondary command buffer.

* Exiting early does not appropriately signal that an upload failed, so modify `GrOpsRenderPass::inlineUpload(...)` base class to return a bool indicating success or failure. Upon failure, do not attempt the associated immediate draw call and report that the draw failed.

* To maintain current behavior, have `inlineUpload(...)` return true in nearly all cases except that identified in the associated bug.
Nicolette Prevost <nicolettep@google.com> yes upstream 2026-05-20
CVE-2026-9893 Null out VkShaderModule handles when destroying them. Greg Daniel <egdaniel@google.com> yes upstream 2026-05-18
CVE-2026-9909 Identify overflow in SkGlyph allocation earlier
Follow-up to https://review.skia.org/1209996
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-04-27
CVE-2026-9923 [graphite] Fix a security issue in GlobalCache::findGraphicsPipeline Robert Phillips <robertphillips@google.com> yes upstream 2026-04-23
CVE-2026-9981 [ganesh] Use & when testing for input attachment self-dep
Other than these two sites, kForInputAttachment and
kForNonCoherentAdvBlend are not treated as mutually exclusive.

When using only == kForInputAttachment, the layout and bindings wouldn't
apply correctly for a renderpass that was using both forms of self
dependencies.
Michael Ludwig <michaelludwig@google.com> yes upstream 2026-05-21
CVE-2026-9983 Fix pathops bug with linked lists in SkOpCoincidence
I added some logging to SkOpCoincidence::fixUp and ::release and,
with the new test case (which has multiple coincidences [1]), observed

```
```

As per the linked bug, this leads to a faulty state because the
old head pointer 0x...7378 is being used after it was "released".
I could not get ASAN to fire on this but it is worth fixing for
correctness and consistency.

My change fixes that particular issue and adds some asserts to avoid
this happening again.

I also rewrote some do while loops to
avoid iffy behavior where we were releasing coin and then for
the next iteration still calling coin->next(). This worked because
we had an SkArenaAlloc and that memory wasn't "fully" released.

[1] a coincidence is an overlap between two path segments that
lasts for more than a single point. e.g. two squares sharing an edge.
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-18
CVE-2026-9998 Fix for integer wraparound in sksl
I found the ES 2 spec [1] helpful for reference here.

The calculate_count_neq_int is not strictly necessary (I was unable
to find a case that tricked the existing floats with ints), but
I like the refactoring and it mirrors the gt/lt cases nicely.

[1] https://registry.khronos.org/OpenGL/specs/es/2.0/GLSL_ES_Specification_1.00.pdf
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-20
CVE-2026-10009 Avoid overflow and timeout in SkPathWriter::assemble
I was unable to make a test case that caused an overflow
and didn't timeout, but I think the possibility exists
for both.

This removes that, adds a few defensive asserts, and
makes one assert actually checked at runtime, just to be safe.
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-19
CVE-2026-10011 [ganesh] Require glyph padding to use linear sampling Michael Ludwig <michaelludwig@google.com> yes upstream 2026-05-19
CVE-2026-10012 [graphite] ensure drawlist resources are cleared on failure Thomas Smith <thomsmit@google.com> yes upstream 2026-05-18
CVE-2026-13781 Restrict deserial types further in SkGlyph and SkCustomTypeface

Importantly, we don't want typefaces or textblobs in
SkPictureBackedGlyphDrawable. In fact, we can look at
the code used to make the drawables by our various backends
[1][2][3][4] and see we only draw paths and use paints. Thus, we can
restrict deserializing these to just those (and the helper tags).

The SVG fonts could be a bit more complex [5] but chromium doesn't
use those (SkGraphics::SetOpenTypeSVGDecoderFactory is never called)

See also http://graphviz/#57cc93d0c3c73546055bec64fa8e27cb

[1] https://skia.googlesource.com/skia/+/9da67e212e59fbe4f144a92315ca6f8b876c9c01/src/ports/SkFontHost_FreeType_common.cpp#1567
[2] https://skia.googlesource.com/skia/+/9da67e212e59fbe4f144a92315ca6f8b876c9c01/src/ports/SkFontHost_FreeType_common.cpp#1078
[3] https://skia.googlesource.com/skia/+/9da67e212e59fbe4f144a92315ca6f8b876c9c01/src/ports/SkScalerContext_win_dw.cpp#677
[4] https://skia.googlesource.com/skia/+/9da67e212e59fbe4f144a92315ca6f8b876c9c01/src/ports/SkTypeface_fontations.cpp#1336

[4] https://skia.googlesource.com/skia/+/9da67e212e59fbe4f144a92315ca6f8b876c9c01/modules/svg/src/SkSVGOpenTypeSVGDecoder.cpp#160
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-27
CVE-2026-13841 [graphite] Drop excessively large gradient draws
This skips recording draws with more than 1M color stops, primarily as
a way to avoid worrying about overflowing during intermediate
calculations. We can increase it if necessary, but hopefully this is
healthy enough no one is trying to make shaders this large.

This also skips recording draws when the FSM has maxed out its
allocatable size for a single buffer. Given how large that is,
we shouldn't encounter it in the wild but this lets us fail semi
gracefully. If needed, we can revisit by either flushing the entire
Recorder when reaching a limit, or by allowing a recording to use
multiple buffers
Michael Ludwig <michaelludwig@google.com> yes upstream 2026-05-22
CVE-2026-13820 [graphite] Ref count large gradient shaders in FloatStorageManager

This also removes the unique ID from SkShaderBase as the FSM was the
only system that relied on it.
Michael Ludwig <michaelludwig@google.com> yes upstream 2026-05-22
CVE-2026-13885 Use exclusive mutex in SkFontMgr_android_ndk.cpp
SkLRUCache::find() is mutating so a shared mutex doesn't actually
buy us anything here.
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-28
CVE-2026-13971 Address potential MSAN issue in SkScalerContext
If malformed data was passed to SkStrikeClient, an unexpected
mask would pass through asserts in a release build and lead
to a mask being allocated that was 4x bigger than what
was written to.

To defend against this problem, we 1) reject masks that
aren't of the three formats SkScalerContext::GenerateImageFromPath
expects; 2) zero out the whole mask, regardless of how big
it is instead of relying on how big an A8 mask would be.

Additionally, I noticed that in the intermediateDst case
(e.g. for LCD text when we draw into an A8 and then later unpack
it to be LCD16) we weren't zeroing that intermediate buffer
which could be a problem if the glyph itself was small (but
the bounds were corrupted to be big). Thus, we zero that
intermediate A8 buffer too.
Kaylee Lubick <kjlubick@google.com> yes upstream 2026-05-29
CVE-2026-14387 [graphite] Cache single-buffer BindGroups on DawnBuffer
* This follows the Vulkan backend in caching single-buffer bind groups on to Buffer implementations. This allows us to remove DawnResourceProvider's special caching of single-texture bindgroups and findOrCreateSingleTextureSamplerBindGroup(...).

* The DawnCommandBuffer instead defines the bind group entries for single-texture groups and uses the generic createBindGroup(...) method.
Nicolette Prevost <nicolettep@google.com> yes upstream 2026-05-13
CVE-2026-14389 Fix potential integer overflows in SurfaceContext using SkSafeMath Greg Daniel <egdaniel@google.com> yes upstream 2026-05-04
CVE-2026-14410 [graphite] correctly advance index in drawEdgeAAImageSet Thomas Smith <thomsmit@google.com> yes upstream 2026-05-19
CVE-2026-14414 Reland "Reconstruct subRun bounds from glyphs"
* Allow subRuns which are drawn with drawable or path rendering to exit gracefully instead of failing.

* Remove erroneous SFINAE

This reverts commit c480ba2eb2eba29a78b28b188cf2e8a3fb44dd49.

Original change's description:
> Revert "Reconstruct subRun bounds from glyphs"
>
> This reverts commit f93ed13d77fb28b1ab5c058c10bda3049ccbc5f5.
>
> Reason for revert: SkRemoteGlyphCacheTest failures and build failures
>
> ../../../../../skia/tests/SkRemoteGlyphCacheTest.cpp:193:37: error: unused function template 'get_container_ptr' [-Werror,-Wunused-template]
> 193 | const sktext::gpu::SubRunContainer* get_container_ptr(const T& t) {
> | ^~~~~~~~~~~~~~~~~
> ../../../../../skia/tests/SkRemoteGlyphCacheTest.cpp:212:37: error: unused function template 'get_container' [-Werror,-Wunused-template]
> 212 | const sktext::gpu::SubRunContainer* get_container(T* slugImpl) {
> | ^~~~~~~~~~~~~
> 2 errors generated.
>
> and
>
>
> ../../../../../skia/tests/SkRemoteGlyphCacheTest.cpp:660 Dst subrun is null for TransformedMaskSubRun [SkRemoteGlyphCache_SubRunBoundsReconstruction, OpenGL]
>
> Original change's description:
> > Reconstruct subRun bounds from glyphs
> >
> > * Reconstruct the bounds of a subRun after deserialization instead of packaging onto the VertexFiller.
> >
> > * An attacker could create a VertexFiller with creation bounds that did not contain its glyphs but were entirely contained within the current clip, enabling to the glyphs to ignore the creation bounds clip and sample from stale scratch textures
> >
> > Bug: b/513948227
> > Change-Id: Ib4902657e6a50dd5675db4d73a1576b77c4ce88e
> > Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1239916
> > Commit-Queue: Thomas Smith <thomsmit@google.com>
> > Reviewed-by: Michael Ludwig <michaelludwig@google.com>
>
> Bug: b/513948227
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Change-Id: Ide85466e17b870d2cc738bd25602d6cbf65d332b
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1249276
> Auto-Submit: Michael Ludwig <michaelludwig@google.com>
> Commit-Queue: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Thomas Smith <thomsmit@google.com> yes upstream 2026-05-29
CVE-2026-14419 Reland "[graphite] BufferSubAllocator respects failed mapping on reset"

* `getMappedUniformBuffer` was changed after M148 but before M149. This caused comments in the unit test to be wrong, causing M148 cherry pick to fail CQ.

* Change the unit test to instead use `getMappedIndexBuffer`, which is stable across the relevant releases, and has been confirmed to trigger the bug.

* These changes purely affect the unit test and not the fix itself.

This reverts commit c329e877d1848877d459999a4ed43b3728892b7b.

Original change's description:
> Revert "[graphite] BufferSubAllocator respects failed mapping on reset"
>
> This reverts commit e7bff78bf5d2994f627742aaf5040b2ba55c4475.
>
> Fails clang-tidy
>
> Original change's description:
> > [graphite] BufferSubAllocator respects failed mapping on reset
> >
> > Bug: b/516981393
> > Change-Id: If6837e26ee520ad34c8df46a34850220ec5b538c
> > Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1247536
> > Commit-Queue: Thomas Smith <thomsmit@google.com>
> > Reviewed-by: Michael Ludwig <michaelludwig@google.com>
>
> Bug: b/516981393
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Change-Id: I8cf69a8ba2ff318aab65033af821954e4493e5cb
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1249556
> Auto-Submit: Thomas Smith <thomsmit@google.com>
> Commit-Queue: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Thomas Smith <thomsmit@google.com> yes upstream 2026-05-29

All known versions for source package 'libskia'

Links