pool/harfbuzz
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1063480 from GNOME:Next

Browse Source 
- Add harfbuzz-CVE-2023-25193.patch: limit how far we skip when
  looking back (boo#1207922 CVE-2023-25193).

OBS-URL: https://build.opensuse.org/request/show/1063480
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/harfbuzz?expand=0&rev=227
This commit is contained in:
Bjørn Lie 2023-02-06 18:36:18 +00:00 committed by Git OBS Bridge
parent 3fc19374f4
commit 7a420960eb
3 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
harfbuzz-CVE-2023-25193.patch Normal file
View File

@ -0,0 +1,31 @@
From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 1 Feb 2023 20:00:43 -0700
Subject: [PATCH] [layout] Limit how far we skip when looking back
See comments.
---
src/hb-ot-layout-gsubgpos.hh | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index bf74672a1..8ca691805 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -578,6 +578,13 @@ struct hb_ot_apply_context_t :
unsigned stop = num_items - 1;
if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
stop = 1 - 1;
+
+ /* When looking back, limit how far we search; this function is mostly
+ * used for looking back for base glyphs when attaching marks. If we
+ * don't limit, we can get O(n^2) behavior where n is the number of
+ * consecutive marks. */
+ stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
+
while (idx > stop)
{
idx--;
--
2.39.0

6
harfbuzz.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Feb 6 17:11:49 UTC 2023 - Michael Gorse <mgorse@suse.com>
- Add harfbuzz-CVE-2023-25193.patch: limit how far we skip when
looking back (boo#1207922 CVE-2023-25193).
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Dec 17 09:26:17 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> Sat Dec 17 09:26:17 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

4
harfbuzz.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package harfbuzz # spec file for package harfbuzz
# #
# Copyright (c) 2022 SUSE LLC # Copyright (c) 2023 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -24,6 +24,8 @@ License: MIT
URL: https://www.freedesktop.org/wiki/Software/HarfBuzz URL: https://www.freedesktop.org/wiki/Software/HarfBuzz
Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/%{name}-%{version}.tar.xz
Source99: baselibs.conf Source99: baselibs.conf
# PATCH-FIX-UPSTREAM harfbuzz-CVE-2023-25193.patch boo#1207922 mgorse@suse.com -- limit how far we skip when looking back.
Patch0: harfbuzz-CVE-2023-25193.patch
BuildRequires: c++_compiler BuildRequires: c++_compiler
BuildRequires: c_compiler BuildRequires: c_compiler
BuildRequires: meson BuildRequires: meson