From: Dhairya Nagodra <dnago...@cisco.com> The commit [https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3] backports fix for CVE-2023-25193 for version 2.6.4. The apply() in src/hb-ot-layout-gpos-table.hh ends prematurely. The if block in apply() has an extra return statement, which causes it to return w/o executing buffer->unsafe_to_concat_from_outbuffer() function.
Signed-off-by: Dhairya Nagodra <dnago...@cisco.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../harfbuzz/harfbuzz/CVE-2023-25193.patch | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch index 8243117551..e4ac13dbad 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch @@ -1,4 +1,4 @@ -From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001 +From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod <beh...@behdad.org> Date: Mon, 6 Feb 2023 14:51:25 -0700 Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment @@ -8,13 +8,15 @@ Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be87 Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00 CVE: CVE-2023-25193 Signed-off-by: Siddharth Doshi <sdo...@mvista.com> +Signed-off-by: Dhairya Nagodra <dnago...@cisco.com> + --- - src/hb-ot-layout-gpos-table.hh | 101 ++++++++++++++++++++++++--------- + src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++---------- src/hb-ot-layout-gsubgpos.hh | 5 +- - 2 files changed, 77 insertions(+), 29 deletions(-) + 2 files changed, 78 insertions(+), 30 deletions(-) diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh -index 024312d..88df13d 100644 +index 024312d..db5f9ae 100644 --- a/src/hb-ot-layout-gpos-table.hh +++ b/src/hb-ot-layout-gpos-table.hh @@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1 @@ -102,8 +104,9 @@ index 024312d..88df13d 100644 + //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); } - unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint); +- if (base_index == NOT_COVERED) return_trace (false); + unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint); - if (base_index == NOT_COVERED) return_trace (false); ++ if (base_index == NOT_COVERED) + { + buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1); + return_trace (false); @@ -174,6 +177,3 @@ index 5a7e564..437123c 100644 void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } void set_random (bool random_) { random = random_; } --- -2.25.1 - -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#185906): https://lists.openembedded.org/g/openembedded-core/message/185906 Mute This Topic: https://lists.openembedded.org/mt/100725546/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-