From 2f02c8344a7eda9ac70a1cd6a1c178446feb5918 Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Mon, 30 Dec 2024 07:40:04 +0000
Subject: [PATCH] fix CVE-2024-56732

(cherry picked from commit 12bbdd96ed7cd7483479ea9171174f6ae6c53f72)
---
 backport-CVE-2024-56732.patch | 59 +++++++++++++++++++++++++++++++++++
 harfbuzz.spec | 7 ++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-56732.patch

diff --git a/backport-CVE-2024-56732.patch b/backport-CVE-2024-56732.patch
new file mode 100644
index 0000000..bf053fd
--- /dev/null
+++ b/backport-CVE-2024-56732.patch
@@ -0,0 +1,59 @@
+From 1767f99e2e2196c3fcae27db6d8b60098d3f6d26 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod
+Date: Sun, 10 Nov 2024 22:43:28 -0700
+Subject: [PATCH] [cairo] Guard hb_cairo_glyphs_from_buffer() against bad UTF-8
+
+Previously it was assuming valid UTF-8.
+---
+ src/hb-cairo.cc | 2 ++
+ src/hb-utf.hh | 6 ++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/hb-cairo.cc b/src/hb-cairo.cc
+index d8b582c4908..4d22ae059ff 100644
+--- a/src/hb-cairo.cc
++++ b/src/hb-cairo.cc
+@@ -1000,6 +1000,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ end = start + hb_glyph[i].cluster - hb_glyph[i+1].cluster;
+ else
+ end = (const char *) hb_utf_offset_to_pointer ((const uint8_t *) start,
++ (const uint8_t *) utf8, utf8_len,
+ (signed) (hb_glyph[i].cluster - hb_glyph[i+1].cluster));
+ (*clusters)[cluster].num_bytes = end - start;
+ start = end;
+@@ -1020,6 +1021,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ end = start + hb_glyph[i].cluster - hb_glyph[i-1].cluster;
+ else
+ end = (const char *) hb_utf_offset_to_pointer ((const uint8_t *) start,
++ (const uint8_t *) utf8, utf8_len,
+ (signed) (hb_glyph[i].cluster - hb_glyph[i-1].cluster));
+ (*clusters)[cluster].num_bytes = end - start;
+ start = end;
+diff --git a/src/hb-utf.hh b/src/hb-utf.hh
+index 1120bd1cccf..6db9bf2fd79 100644
+--- a/src/hb-utf.hh
++++ b/src/hb-utf.hh
+@@ -458,19 +458,21 @@ struct hb_ascii_t
+ template
+ static inline const typename utf_t::codepoint_t *
+ hb_utf_offset_to_pointer (const typename utf_t::codepoint_t *start,
++ const typename utf_t::codepoint_t *text,
++ unsigned text_len,
+ signed offset)
+ {
+ hb_codepoint_t unicode;
+ 
+ while (offset-- > 0)
+ start = utf_t::next (start,
+- start + utf_t::max_len,
++ text + text_len,
+ &unicode,
+ HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
+ 
+ while (offset++ < 0)
+ start = utf_t::prev (start,
+- start - utf_t::max_len,
++ text,
+ &unicode,
+ HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
+ 
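Review bot: In the hb-utf.hh hunk of the new patch file, the context line `+ template` carries no template parameter list, although the declaration it precedes is a template over `utf_t`; if the committed file really reads this way rather than the angle brackets having been lost in rendering, the context will not match the 8.3.0 tree and the patch will fail to apply in %prep, so an applied build with cairo enabled (cairo-devel is in BuildRequires, so hb-cairo.cc is compiled) should be confirmed. The backport also widens the signature of `hb_utf_offset_to_pointer` with `text` and `text_len` and updates only the two hb-cairo.cc call sites; any other caller in the 8.3.0 sources, none visible from this page, would stop compiling. Naming the upstream commit `1767f99e2e2196c3fcae27db6d8b60098d3f6d26` in the changelog entry would make the provenance of the CVE-2024-56732 fix auditable from the spec alone.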
diff --git a/harfbuzz.spec b/harfbuzz.spec
index fddb7e5..a5c04a0 100644
--- a/harfbuzz.spec
+++ b/harfbuzz.spec
@@ -1,11 +1,13 @@
 Name: harfbuzz
 Version: 8.3.0
-Release: 1
+Release: 2
 Summary: A text shaping engine
 License: MIT
 URL: https://harfbuzz.github.io/
 Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz
+Patch6000: backport-CVE-2024-56732.patch
+
 BuildRequires: gcc-c++ freetype-devel cairo-devel glib2-devel graphite2-devel
 BuildRequires: gtk-doc libicu-devel gobject-introspection-devel make
 Provides: harfbuzz-icu
@@ -69,6 +71,9 @@ make check
 %{_datadir}/gtk-doc/html/harfbuzz/*
 %changelog
+* Mon Dec 30 2024 zhangpan - 8.3.0-2
+- fix CVE-2024-56732
+
 * Wed Nov 22 2023 wangqia - 8.3.0-1
 - Update to 8.3.0
-- Gitee