From: Vivek Kumbhar <vkumb...@mvista.com> [layout] Limit how far we skip when looking back
Signed-off-by: Vivek Kumbhar <vkumb...@mvista.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../harfbuzz/harfbuzz/CVE-2023-25193.patch | 71 +++++++++++++++++++ .../harfbuzz/harfbuzz_4.0.1.bb | 4 +- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch new file mode 100644 index 0000000000..54ceebcf93 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch @@ -0,0 +1,71 @@ +From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <beh...@behdad.org> +Date: Wed, 1 Feb 2023 20:00:43 -0700 +Subject: [PATCH] [layout] Limit how far we skip when looking back + +Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] +CVE: CVE-2023-25193 +Signed-off-by: Vivek Kumbhar <vkumb...@mvista.com> +--- + src/hb-ot-layout-common.hh | 7 +++++++ + src/hb-ot-layout-gsubgpos.hh | 19 ++++++++++++++++--- + 2 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh +index 60a1906..f7f8d5f 100644 +--- a/src/hb-ot-layout-common.hh ++++ b/src/hb-ot-layout-common.hh +@@ -72,6 +72,13 @@ + #define HB_MAX_LOOKUP_VISIT_COUNT 35000 + #endif + ++#ifndef HB_MAX_NESTING_LEVEL ++#define HB_MAX_NESTING_LEVEL 6 ++#endif ++#ifndef HB_MAX_CONTEXT_LENGTH ++#define HB_MAX_CONTEXT_LENGTH 64 ++#endif ++ + + namespace OT { + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index 65de131..891d96a 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -525,7 +525,10 @@ struct hb_ot_apply_context_t : + bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); +- while (idx + num_items < end) ++ unsigned stop = end - num_items; ++ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT) ++ stop = end - 1; ++ while (idx < stop) + { + idx++; + const hb_glyph_info_t &info = c->buffer->info[idx]; +@@ -557,8 +560,18 @@ struct hb_ot_apply_context_t : + } + bool prev (unsigned *unsafe_from = nullptr) + { +- assert (num_items > 0); +- while (idx > num_items - 1) ++ assert (num_items > 0); ++ unsigned stop = 1 - num_items; ++ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT) ++ stop = 1 - 1; ++ ++ /* When looking back, limit how far we search; this function is mostly ++ * used for looking back for base glyphs when attaching marks. If we ++ * don't limit, we can get O(n^2) behavior where n is the number of ++ * consecutive marks. */ ++ stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH); ++ ++ while (idx > stop) + { + idx--; + const hb_glyph_info_t &info = c->buffer->out_info[idx]; +-- +2.25.1 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb index bdbb322e42..2a2ec714d0 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb @@ -13,7 +13,9 @@ UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar" SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz \ file://CVE-2022-33068.patch \ - file://0001-Fix-conditional.patch" + file://0001-Fix-conditional.patch \ + file://CVE-2023-25193.patch \ + " SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49" inherit meson pkgconfig lib_package gtk-doc gobject-introspection -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#177991): https://lists.openembedded.org/g/openembedded-core/message/177991 Mute This Topic: https://lists.openembedded.org/mt/97365566/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
