harfbuzz/CVE-2022-33068-sbix-Limit-glyph-extents.patch

From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 1 Jun 2022 07:38:21 -0600
Subject: [PATCH 001/363] [sbix] Limit glyph extents

Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
---
 src/hb-ot-color-sbix-table.hh       |   6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index 9741ebd45..6efae43cd 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -298,6 +298,12 @@ struct sbix
 
       const PNGHeader &png = *blob->as<PNGHeader>();
 
+      if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
+      {
+	hb_blob_destroy (blob);
+	return false;
+      }
+
       extents->x_bearing = x_offset;
       extents->y_bearing = png.IHDR.height + y_offset;
       extents->width     = png.IHDR.width;
-- 
2.36.1
Resolves:rh#2103849 CVE-2022-33068 harfbuzz: integer overflow in the component hb-ot-shape-fallback.c 2022-07-16 02:27:05 +00:00			`From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001`
			`From: Behdad Esfahbod <behdad@behdad.org>`
			`Date: Wed, 1 Jun 2022 07:38:21 -0600`
			`Subject: [PATCH 001/363] [sbix] Limit glyph extents`

			`Fixes https://github.com/harfbuzz/harfbuzz/issues/3557`
			`---`
			`src/hb-ot-color-sbix-table.hh \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh`
			`index 9741ebd45..6efae43cd 100644`
			`--- a/src/hb-ot-color-sbix-table.hh`
			`+++ b/src/hb-ot-color-sbix-table.hh`
			`@@ -298,6 +298,12 @@ struct sbix`

			`const PNGHeader &png = *blob->as<PNGHeader>();`

			`+ if (png.IHDR.height >= 65536 \| png.IHDR.width >= 65536)`
			`+ {`
			`+ hb_blob_destroy (blob);`
			`+ return false;`
			`+ }`
			`+`
			`extents->x_bearing = x_offset;`
			`extents->y_bearing = png.IHDR.height + y_offset;`
			`extents->width = png.IHDR.width;`
			`--`
			`2.36.1`