author | Dhairya Nagodra <dnagodra@cisco.com> | 2023-07-25 23:45:34 -0700 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-08-16 03:55:13 -1000 |
commit | 3b52050443eef30e7c2b35b9ead441f77b62401c (patch) | |
tree | 8d5b187fc2be7d8977bb07c74fc0c2828d41af7b /meta/recipes-graphics | |
parent | 959e7b1432994ade7a79b074d8de3070a69c494f (diff) | |
download | poky-3b52050443eef30e7c2b35b9ead441f77b62401c.tar.gz |
harfbuzz: Resolve backported commit bug.
The commit [https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3]
backports the fix for CVE-2023-25193 for version 2.6.4.
The apply() in src/hb-ot-layout-gpos-table.hh returns prematurely.
The if block in apply() has an extra return statement,
which causes it to return without calling
buffer->unsafe_to_concat_from_outbuffer().
(From OE-Core rev: e3fda60c4131c21cfb3139c56c1771e342d4b9bf)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch | 16 |
1 files changed, 8 insertions, 8 deletions
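--- a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -1,4 +1,4 @@
-From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001
+From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001
 From: Behdad Esfahbod <behdad@behdad.org>
 Date: Mon, 6 Feb 2023 14:51:25 -0700
 Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
@@ -8,13 +8,15 @@ Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be87
 Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
 CVE: CVE-2023-25193
 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
 ---
-src/hb-ot-layout-gpos-table.hh | 101 ++++++++++++++++++++++++---------
+src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++----------
 src/hb-ot-layout-gsubgpos.hh | 5 +-
-2 files changed, 77 insertions(+), 29 deletions(-)
+2 files changed, 78 insertions(+), 30 deletions(-)
 
 diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
-index 024312d..88df13d 100644
+index 024312d..db5f9ae 100644
 --- a/src/hb-ot-layout-gpos-table.hh
 +++ b/src/hb-ot-layout-gpos-table.hh
 @@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
@@ -102,8 +104,9 @@ index 024312d..88df13d 100644
 + //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); }
 
 - unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint);
+- if (base_index == NOT_COVERED) return_trace (false);
 + unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint);
-if (base_index == NOT_COVERED) return_trace (false);
++ if (base_index == NOT_COVERED)
 + {
 + buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
 + return_trace (false);
@@ -174,6 +177,3 @@ index 5a7e564..437123c 100644
 void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
 void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
 void set_random (bool random_) { random = random_; }
---
-2.25.1
-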
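Review bot: The patch header gains only a Signed-off-by line and still does not say that this backport was corrected after its first import, so the file alone gives an auditor no hint that the earlier revision carried a faulty version of the CVE-2023-25193 fix. I would add a header line such as `Comment3: Removed the stray "if (base_index == NOT_COVERED) return_trace (false);" so the NOT_COVERED branch calls unsafe_to_concat_from_outbuffer() before returning`. Only the `baseCoverage` check is touched here; Comment2 says the upstream change also covered MarkLigPosFormat1.hh, and that part of the patch is not shown in this diff, so it is worth confirming that its not-covered branch has the same braced form. The closing brace of the new block lies outside the visible hunk.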