diff --git a/backport-0001-CVE-2023-25193.patch b/backport-0001-CVE-2023-25193.patch new file mode 100644 index 0000000000000000000000000000000000000000..ce065a468ea7e4d2384aa05370e511f8512f147c --- /dev/null +++ b/backport-0001-CVE-2023-25193.patch @@ -0,0 +1,37 @@ +From 56f11ec938260836387256225bc47665473e2bbe Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Fri, 18 Feb 2022 14:08:43 -0600 +Subject: [PATCH] [buffer] Add HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT + +--- + src/hb-buffer.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/hb-buffer.h b/src/hb-buffer.h +index 865ccb2..51b1760 100644 +--- a/src/hb-buffer.h ++++ b/src/hb-buffer.h +@@ -296,7 +296,10 @@ hb_buffer_guess_segment_properties (hb_buffer_t *buffer); + * flag indicating that a dotted circle should + * not be inserted in the rendering of incorrect + * character sequences (such at <0905 093E>). Since: 2.4 +- * ++ * @HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT: ++ * flag indicating that the @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT ++ * glyph-flag should be produced by the shaper. By default ++ * it will not be produced since it incurs a cost. Since: REPLACEME + * Flags for #hb_buffer_t. + * + * Since: 0.9.20 +@@ -307,7 +310,8 @@ typedef enum { /*< flags >*/ + HB_BUFFER_FLAG_EOT = 0x00000002u, /* End-of-text */ + HB_BUFFER_FLAG_PRESERVE_DEFAULT_IGNORABLES = 0x00000004u, + HB_BUFFER_FLAG_REMOVE_DEFAULT_IGNORABLES = 0x00000008u, +- HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u ++ HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u, ++ HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT = 0x00000040u + } hb_buffer_flags_t; + + HB_EXTERN void +-- +2.27.0 diff --git a/backport-0002-CVE-2023-25193.patch b/backport-0002-CVE-2023-25193.patch new file mode 100644 index 0000000000000000000000000000000000000000..6827d99bb29efca8f8dd4cdd5cc0d4aeefad8114 --- /dev/null +++ b/backport-0002-CVE-2023-25193.patch @@ -0,0 +1,38 @@ +From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Wed, 1 Feb 2023 20:00:43 -0700 +Subject: [PATCH] [layout] Limit how far we skip when looking back + +See comments. +--- + src/hb-ot-layout-gsubgpos.hh | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index c17bf92..712e307 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -535,7 +535,19 @@ struct hb_ot_apply_context_t : + bool prev () + { + assert (num_items > 0); +- while (idx > num_items - 1) ++ /* The alternate condition below is faster at string boundaries, ++ * but produces subpar "unsafe-to-concat" values. */ ++ unsigned stop = num_items - 1; ++ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT) ++ stop = 1 - 1; ++ ++ /* When looking back, limit how far we search; this function is mostly ++ * used for looking back for base glyphs when attaching marks. If we ++ * don't limit, we can get O(n^2) behavior where n is the number of ++ * consecutive marks. */ ++ stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH); ++ ++ while (idx > stop) + { + idx--; + const hb_glyph_info_t &info = c->buffer->out_info[idx]; +-- +2.33.0 + diff --git a/harfbuzz.spec b/harfbuzz.spec index a961a780e7f6e404ec7e686407b49aae76b15017..1f2f19304cfd353d03ecb0dc7fbafdf6e9026df7 100644 --- a/harfbuzz.spec +++ b/harfbuzz.spec @@ -1,6 +1,6 @@ Name: harfbuzz Version: 2.8.2 -Release: 3 +Release: 4 Summary: A text shaping engine License: MIT @@ -8,6 +8,8 @@ URL: https://harfbuzz.github.io/what-is-harfbuzz.html Source0: https://github.com/harfbuzz/harfbuzz/releases/download/2.8.2/%{name}-%{version}.tar.xz Patch0001: backport-CVE-2022-33068.patch +Patch0002: backport-0001-CVE-2023-25193.patch +Patch0003: backport-0002-CVE-2023-25193.patch BuildRequires: gcc-c++ freetype-devel cairo-devel glib2-devel graphite2-devel BuildRequires: gtk-doc libicu-devel gobject-introspection-devel @@ -71,6 +73,9 @@ make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" %{_datadir}/gtk-doc/html/harfbuzz/* %changelog +* Wed Feb 15 2023 zhouwenpei - 2.8.2-4 +- fix CVE-2023-25193 + * Thu Jul 14 2022 zhouwenpei - 2.8.2-3 - fix CVE-2022-33068