!52 [sync] PR-46: fix CVE-2023-25193

From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng
2023-02-16 13:13:08 +00:00 · 2023-02-16 13:13:08 +00:00 · 8235fb578d
commit 8235fb578d
parent 3bcb44efab 0a66769c46
3 changed files with 81 additions and 1 deletions
--- a/backport-0001-CVE-2023-25193.patch
+++ b/backport-0001-CVE-2023-25193.patch
@ -0,0 +1,37 @@
+From 56f11ec938260836387256225bc47665473e2bbe Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Fri, 18 Feb 2022 14:08:43 -0600
+Subject: [PATCH] [buffer] Add HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT
+
+---
+ src/hb-buffer.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/hb-buffer.h b/src/hb-buffer.h
+index 865ccb2..51b1760 100644
+--- a/src/hb-buffer.h
+++ b/src/hb-buffer.h
+@@ -296,7 +296,10 @@ hb_buffer_guess_segment_properties (hb_buffer_t *buffer);
+  *                      flag indicating that a dotted circle should
+  *                      not be inserted in the rendering of incorrect
+  *                      character sequences (such at <0905 093E>). Since: 2.4
+- *
+ * @HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT:
+ *                      flag indicating that the @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT
+ *                      glyph-flag should be produced by the shaper. By default
+ *                      it will not be produced since it incurs a cost. Since: REPLACEME
+  * Flags for #hb_buffer_t.
+  *
+  * Since: 0.9.20
+@@ -307,7 +310,8 @@ typedef enum { /*< flags >*/
+   HB_BUFFER_FLAG_EOT				= 0x00000002u, /* End-of-text */
+   HB_BUFFER_FLAG_PRESERVE_DEFAULT_IGNORABLES	= 0x00000004u,
+   HB_BUFFER_FLAG_REMOVE_DEFAULT_IGNORABLES	= 0x00000008u,
+-  HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE	= 0x00000010u
+  HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE	= 0x00000010u,
+  HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT	= 0x00000040u
+ } hb_buffer_flags_t;
+ 
+ HB_EXTERN void
+-- 
+2.27.0
--- a/backport-0002-CVE-2023-25193.patch
+++ b/backport-0002-CVE-2023-25193.patch
@ -0,0 +1,38 @@
+From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Feb 2023 20:00:43 -0700
+Subject: [PATCH] [layout] Limit how far we skip when looking back
+
+See comments.
+---
+ src/hb-ot-layout-gsubgpos.hh | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index c17bf92..712e307 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -535,7 +535,19 @@ struct hb_ot_apply_context_t :
+     bool prev ()
+     {
+       assert (num_items > 0);
+-      while (idx > num_items - 1)
+      /* The alternate condition below is faster at string boundaries,
+       * but produces subpar "unsafe-to-concat" values. */
+      unsigned stop = num_items - 1;
+      if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
+	      stop = 1 - 1;
+
+      /* When looking back, limit how far we search; this function is mostly
+       * used for looking back for base glyphs when attaching marks. If we
+       * don't limit, we can get O(n^2) behavior where n is the number of
+       * consecutive marks. */
+      stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
+
+      while (idx > stop)
+       {
+ 	idx--;
+ 	const hb_glyph_info_t &info = c->buffer->out_info[idx];
+-- 
+2.33.0
+
--- a/harfbuzz.spec
+++ b/harfbuzz.spec
@ -1,6 +1,6 @@
 Name:           harfbuzz
 Version:        2.8.2
-Release:        3
+Release:        4
 Summary:        A text shaping engine

 License:        MIT
@ -8,6 +8,8 @@ URL:            https://harfbuzz.github.io/what-is-harfbuzz.html
 Source0:        https://github.com/harfbuzz/harfbuzz/releases/download/2.8.2/%{name}-%{version}.tar.xz

 Patch0001:	backport-CVE-2022-33068.patch
+Patch0002:	backport-0001-CVE-2023-25193.patch
+Patch0003:	backport-0002-CVE-2023-25193.patch

 BuildRequires:  gcc-c++ freetype-devel cairo-devel glib2-devel graphite2-devel
 BuildRequires:  gtk-doc libicu-devel gobject-introspection-devel
@ -71,6 +73,9 @@ make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
 %{_datadir}/gtk-doc/html/harfbuzz/*

 %changelog
+* Wed Feb 15 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.8.2-4
+- fix CVE-2023-25193
+
 * Thu Jul 14 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.8.2-3
 - fix CVE-2022-33068