harfbuzz: fix CVE-2022-33068

Backport patch from https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593 The 'tff' file in upstream patch is for testing only which cause error during do_patch so need be dropped. File test/fuzzing/fonts/sbix-extents.ttf: git binary diffs are not supported. (From OE-Core rev: 537e7d323f57a0484c279c3b52ad5bb45eb44a10) Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Wentao Zhang <wentao.zhang@windriver.com> 2022-07-08 08:48:16 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-07-16 06:52:45 +0100
commit: 917569e54b6a6a7fbcfba24b70fd0aac4a53639d (patch)
tree: 2ed8c793dd49449d4fb3f8b75db509b648021aaf /meta/recipes-graphics
parent: b7a414eaf02c2f67dcef630288ed9fba1bc5eff0 (diff)
download: poky-917569e54b6a6a7fbcfba24b70fd0aac4a53639d.tar.gz
2 files changed, 37 insertions, 1 deletions
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
new file mode 100644
index 0000000000..931b9abe1e
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
@@ -0,0 +1,35 @@
+From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Jun 2022 07:38:21 -0600
+Subject: [PATCH] [sbix] Limit glyph extents
+Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
+Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593]
+CVE:CVE-2022-33068
+Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com>
+---
+ src/hb-ot-color-sbix-table.hh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
+index 9741ebd45..6efae43cd 100644
+--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
+@@ -298,6 +298,12 @@ struct sbix
+ 
+       const PNGHeader &png = *blob->as<PNGHeader>();
+ 
+      if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
+      {
+       hb_blob_destroy (blob);
+       return false;
+      }
+
+       extents->x_bearing = x_offset;
+       extents->y_bearing = png.IHDR.height + y_offset;
+       extents->width     = png.IHDR.width;
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
index bf77a5e56c..81518a53ea 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
@@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6ee0f16281694fb6aa689cca1e0fb3da \
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
 UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz"
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz\
+           file://CVE-2022-33068.patch"
 SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
 inherit meson pkgconfig lib_package gtk-doc gobject-introspection
author	Wentao Zhang <wentao.zhang@windriver.com>	2022-07-08 08:48:16 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-07-16 06:52:45 +0100
commit	917569e54b6a6a7fbcfba24b70fd0aac4a53639d (patch)
tree	2ed8c793dd49449d4fb3f8b75db509b648021aaf /meta/recipes-graphics
parent	b7a414eaf02c2f67dcef630288ed9fba1bc5eff0 (diff)
download	poky-917569e54b6a6a7fbcfba24b70fd0aac4a53639d.tar.gz

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch new file mode 100644 index 0000000000..931b9abe1e --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
@@ -0,0 +1,35 @@
		1	From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
		2	From: Behdad Esfahbod <behdad@behdad.org>
		3	Date: Wed, 1 Jun 2022 07:38:21 -0600
		4	Subject: [PATCH] [sbix] Limit glyph extents
		5
		6	Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
		7
		8	Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593]
		9	CVE:CVE-2022-33068
		10	Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com>
		11
		12	---
		13	src/hb-ot-color-sbix-table.hh \| 6 ++++++
		14	1 file changed, 6 insertions(+)
		15
		16	diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
		17	index 9741ebd45..6efae43cd 100644
		18	--- a/src/hb-ot-color-sbix-table.hh
		19	+++ b/src/hb-ot-color-sbix-table.hh
		20	@@ -298,6 +298,12 @@ struct sbix
		21
		22	const PNGHeader &png = *blob->as<PNGHeader>();
		23
		24	+ if (png.IHDR.height >= 65536 \| png.IHDR.width >= 65536)
		25	+ {
		26	+ hb_blob_destroy (blob);
		27	+ return false;
		28	+ }
		29	+
		30	extents->x_bearing = x_offset;
		31	extents->y_bearing = png.IHDR.height + y_offset;
		32	extents->width = png.IHDR.width;
		33	--
		34	2.25.1
		35


diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb index bf77a5e56c..81518a53ea 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
@@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6ee0f16281694fb6aa689cca1e0fb3da \
11	UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"	11	UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
12	UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"	12	UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
13		13
14	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz"	14	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz\
		15	file://CVE-2022-33068.patch"
15	SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"	16	SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
16		17
17	inherit meson pkgconfig lib_package gtk-doc gobject-introspection	18	inherit meson pkgconfig lib_package gtk-doc gobject-introspection