diff --git a/backport-CVE-2022-33068.patch b/backport-CVE-2022-33068.patch new file mode 100644 index 0000000000000000000000000000000000000000..2a87e75900ae0547ff838cc3fbc30fa504722ee0 --- /dev/null +++ b/backport-CVE-2022-33068.patch @@ -0,0 +1,29 @@ +From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Wed, 1 Jun 2022 07:38:21 -0600 +Subject: [PATCH] [sbix] Limit glyph extents + +Fixes https://github.com/harfbuzz/harfbuzz/issues/3557 +--- + src/hb-ot-color-sbix-table.hh | 6 ++++++ + test/fuzzing/fonts/sbix-extents.ttf | Bin 0 -> 582 bytes + 2 files changed, 6 insertions(+) + create mode 100644 test/fuzzing/fonts/sbix-extents.ttf + +diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh +index 9741ebd450..6efae43cda 100644 +--- a/src/hb-ot-color-sbix-table.hh ++++ b/src/hb-ot-color-sbix-table.hh +@@ -298,6 +298,12 @@ struct sbix + + const PNGHeader &png = *blob->as(); + ++ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536) ++ { ++ hb_blob_destroy (blob); ++ return false; ++ } ++ + extents->x_bearing = x_offset; + extents->y_bearing = png.IHDR.height + y_offset; + extents->width = png.IHDR.width; diff --git a/harfbuzz.spec b/harfbuzz.spec index 849c79005172b9eef376a464580d79a492dc2f9a..dd5cbdcbd1cf2a15cea6dbc031c51e21757a8b65 100644 --- a/harfbuzz.spec +++ b/harfbuzz.spec @@ -1,11 +1,13 @@ Name: harfbuzz Version: 4.3.0 -Release: 1 +Release: 2 Summary: A text shaping engine License: MIT URL: https://harfbuzz.github.io/ Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz +Patch0001: backport-CVE-2022-33068.patch + BuildRequires: gcc-c++ freetype-devel cairo-devel glib2-devel graphite2-devel BuildRequires: gtk-doc libicu-devel gobject-introspection-devel make Provides: harfbuzz-icu @@ -68,6 +70,9 @@ make check %{_datadir}/gtk-doc/html/harfbuzz/* %changelog +* Thu Jul 14 2022 zhouwenpei - 4.3.0-2 +- fix CVE-2022-33068 + * Mon Jun 20 2022 lin zhang - 4.3.0-1 - update to 4.3.0