Accepting request 63074 from GNOME:Factory

Accepted submit request 63074 from user vuntz OBS-URL: https://build.opensuse.org/request/show/63074 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pango?expand=0&rev=59
2011-03-01 09:13:06 +00:00 · 2011-03-01 09:13:06 +00:00 · ad3be6bd9d
commit ad3be6bd9d
parent 176f4c14d2 5d7a22114a
4 changed files with 250 additions and 0 deletions
--- a/pango-CVE-2011-0020.patch
+++ b/pango-CVE-2011-0020.patch
@ -0,0 +1,50 @@
+From 4e6248d76f55c6184f28afe614d7d76b6fa3d455 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Thu, 17 Feb 2011 16:19:48 +0000
+Subject: Bug 639882 - Heap corruption in font parsing with FreeType2 backend
+
+---
+diff --git a/pango/pangoft2-render.c b/pango/pangoft2-render.c
+index bd3b7d4..42923f4 100644
+--- a/pango/pangoft2-render.c
+++ b/pango/pangoft2-render.c
+@@ -121,9 +121,14 @@ pango_ft2_font_render_box_glyph (int      width,
+ 
+   box->bitmap.width = width;
+   box->bitmap.rows = height;
+-  box->bitmap.pitch = height;
+  box->bitmap.pitch = width;
+ 
+-  box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
+  box->bitmap.buffer = g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
+
+  if (G_UNLIKELY (!box->bitmap.buffer)) {
+    g_slice_free (PangoFT2RenderedGlyph, box);
+    return NULL;
+  }
+ 
+   /* draw the box */
+   for (j = 0; j < line_width; j++)
+@@ -226,6 +231,11 @@ pango_ft2_font_render_glyph (PangoFont *font,
+       rendered->bitmap_left = face->glyph->bitmap_left;
+       rendered->bitmap_top = face->glyph->bitmap_top;
+ 
+      if (G_UNLIKELY (!rendered->bitmap.buffer)) {
+        g_slice_free (PangoFT2RenderedGlyph, rendered);
+	return NULL;
+      }
+
+       return rendered;
+     }
+   else
+@@ -276,6 +286,8 @@ pango_ft2_renderer_draw_glyph (PangoRenderer *renderer,
+   if (rendered_glyph == NULL)
+     {
+       rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
+      if (rendered_glyph == NULL)
+        return;
+       add_glyph_to_cache = TRUE;
+     }
+ 
+--
+cgit v0.8.3.4
--- a/pango-CVE-2011-0064.patch
+++ b/pango-CVE-2011-0064.patch
@ -0,0 +1,186 @@
+From 3104961bc0ffaf847d2a1e116e6de4fdc1cd8ada Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Thu, 2 Dec 2010 16:00:46 +1300
+Subject: [PATCH] Handle realloc failure in the buffer
+
+Ported from http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
+by Karl Tomlinson <karlt+@karlt.net>
+---
+ pango/opentype/hb-buffer-private.h |    1 +
+ pango/opentype/hb-buffer.c         |   70 +++++++++++++++++++++---------------
+ pango/opentype/hb-buffer.h         |    2 +-
+ 3 files changed, 43 insertions(+), 30 deletions(-)
+
+diff --git a/pango/opentype/hb-buffer-private.h b/pango/opentype/hb-buffer-private.h
+index 45cdc4d..f194786 100644
+--- a/pango/opentype/hb-buffer-private.h
+++ b/pango/opentype/hb-buffer-private.h
+@@ -72,6 +72,7 @@ struct _hb_buffer_t {
+   unsigned int allocated;
+ 
+   hb_bool_t    have_output; /* weather we have an output buffer going on */
+  hb_bool_t    in_error; /* Allocation failed */
+   unsigned int in_length;
+   unsigned int out_length;
+   unsigned int in_pos;
+diff --git a/pango/opentype/hb-buffer.c b/pango/opentype/hb-buffer.c
+index 93b51e5..e9788ad 100644
+--- a/pango/opentype/hb-buffer.c
+++ b/pango/opentype/hb-buffer.c
+@@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = {
+  * in_string and out_string.
+  */
+ 
+-/* XXX err handling */
+-
+ /* Internal API */
+ 
+-static void
+static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+-  hb_buffer_ensure (buffer, size);
+  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+   if (buffer->out_string == buffer->in_string)
+   {
+     assert (buffer->have_output);
+-    if (!buffer->positions)
+-      buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+ 
+     buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+     memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+   }
+
+  return TRUE;
+ }
+ 
+ /* Public API */
+@@ -114,6 +112,7 @@ void
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+   buffer->have_output = FALSE;
+  buffer->in_error = FALSE;
+   buffer->in_length = 0;
+   buffer->out_length = 0;
+   buffer->in_pos = 0;
+@@ -122,32 +121,42 @@ hb_buffer_clear (hb_buffer_t *buffer)
+   buffer->max_lig_id = 0;
+ }
+ 
+-void
+hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+-  unsigned int new_allocated = buffer->allocated;
+-
+-  if (size > new_allocated)
+  if (HB_UNLIKELY (size > buffer->allocated))
+   {
+    unsigned int new_allocated = buffer->allocated;
+    hb_internal_glyph_position_t *new_pos;
+    hb_internal_glyph_info_t *new_info;
+    hb_bool_t separate_out;
+
+    if (HB_UNLIKELY (buffer->in_error))
+      return FALSE;
+
+    separate_out = buffer->out_string != buffer->in_string;
+
+     while (size > new_allocated)
+       new_allocated += (new_allocated >> 1) + 8;
+ 
+-    if (buffer->positions)
+-      buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
+    new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
+    new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+ 
+-    if (buffer->out_string != buffer->in_string)
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+-    }
+-    else
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = buffer->in_string;
+-    }
+    if (HB_UNLIKELY (!new_pos || !new_info))
+      buffer->in_error = TRUE;
+
+    if (HB_LIKELY (new_pos))
+      buffer->positions = new_pos;
+ 
+-    buffer->allocated = new_allocated;
+    if (HB_LIKELY (new_info))
+      buffer->in_string = new_info;
+
+    buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
+    if (HB_LIKELY (!buffer->in_error))
+      buffer->allocated = new_allocated;
+   }
+
+  return HB_LIKELY (!buffer->in_error);
+ }
+ 
+ void
+@@ -158,7 +167,7 @@ hb_buffer_add_glyph (hb_buffer_t    *buffer,
+ {
+   hb_internal_glyph_info_t *glyph;
+ 
+-  hb_buffer_ensure (buffer, buffer->in_length + 1);
+  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+ 
+   glyph = &buffer->in_string[buffer->in_length];
+   glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@ _hb_buffer_swap (hb_buffer_t *buffer)
+ 
+   assert (buffer->have_output);
+ 
+  if (HB_UNLIKELY (buffer->in_error)) return;
+
+   if (buffer->out_string != buffer->in_string)
+   {
+     hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_t *buffer,
+   if (buffer->out_string != buffer->in_string ||
+       buffer->out_pos + num_out > buffer->in_pos + num_in)
+   {
+-    hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
+    if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
+        return;
+   }
+ 
+   mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t *buffer,
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
+    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buffer)
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
+    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
+diff --git a/pango/opentype/hb-buffer.h b/pango/opentype/hb-buffer.h
+index b030ba9..aaf6694 100644
+--- a/pango/opentype/hb-buffer.h
+++ b/pango/opentype/hb-buffer.h
+@@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer);
+ void
+ hb_buffer_clear_positions (hb_buffer_t *buffer);
+ 
+-void
+hb_bool_t
+ hb_buffer_ensure (hb_buffer_t  *buffer,
+ 		  unsigned int  size);
+ 
+-- 
+1.7.2.2
--- a/pango.changes
+++ b/pango.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Feb 28 09:32:26 CET 2011 - vuntz@opensuse.org
+
+- Add pango-CVE-2011-0020.patch: fixes heap corruption in font
+  parsing with FreeType2 backend. Fix bnc#666101, CVE-2011-0020.
+- Add pango-CVE-2011-0064.patch: handle realloc failure in the
+  buffer to fix potential crashes. Fix bnc#672502, CVE-2011-0064.
+
 -------------------------------------------------------------------
 Wed Oct 13 20:26:17 CEST 2010 - vuntz@opensuse.org

--- a/pango.spec
+++ b/pango.spec
@ -32,6 +32,10 @@ Source2:        macros.pango
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM pango64.patch bgo129534 -- needed for biarch. Unfortunately, this is not good enough for usptream.
 Patch0:         pango64.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0020.patch bnc#666101 CVE-2011-0020 vuntz@opensuse.org -- heap corruption in font parsing with FreeType2 backend
+Patch1:         pango-CVE-2011-0020.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0064.patch bnc#672502 CVE-2011-0064. vuntz@opensuse.org -- handle realloc failure in the buffer
+Patch2:         pango-CVE-2011-0064.patch
 BuildRequires:  gcc-c++
 BuildRequires:  gtk-doc
 BuildRequires:  pkg-config
@ -128,6 +132,8 @@ to develop applications that require these.
 cp -a %{S:1} .
 %patch0 -p0
 %endif
+%patch1 -p1
+%patch2 -p1

 %build
 %configure --disable-static --with-pic