From 423fb9c7efc0180c85967754719f6cea492d46a5 Mon Sep 17 00:00:00 2001
From: Parag Nemade <pnemade@fedoraproject.org>
Date: Sat, 16 Sep 2023 17:05:40 +0530
Subject: [PATCH] Resolves:RHEL-2268 CVE-2023-25193

---
 ...it_how_far_we_skip_when_looking_back.patch | 20 +++++++++++++++++++
 harfbuzz.spec                                 |  7 ++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-25193-Limit_how_far_we_skip_when_looking_back.patch

diff --git a/CVE-2023-25193-Limit_how_far_we_skip_when_looking_back.patch b/CVE-2023-25193-Limit_how_far_we_skip_when_looking_back.patch
new file mode 100644
index 0000000..dc2f326
--- /dev/null
+++ b/CVE-2023-25193-Limit_how_far_we_skip_when_looking_back.patch
@@ -0,0 +1,20 @@
+diff -urN harfbuzz-2.7.4.old/src/hb-ot-layout-gsubgpos.hh harfbuzz-2.7.4/src/hb-ot-layout-gsubgpos.hh
+--- harfbuzz-2.7.4.old/src/hb-ot-layout-gsubgpos.hh	2020-12-27 05:31:18.000000000 +0530
++++ harfbuzz-2.7.4/src/hb-ot-layout-gsubgpos.hh	2023-09-09 18:11:07.014324408 +0530
+@@ -468,7 +468,15 @@
+     bool prev ()
+     {
+       assert (num_items > 0);
+-      while (idx > num_items - 1)
++      unsigned stop = num_items - 1;
++
++      /* When looking back, limit how far we search; this function is mostly
++       * used for looking back for base glyphs when attaching marks. If we
++       * don't limit, we can get O(n^2) behavior where n is the number of
++       * consecutive marks. */
++      stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
++
++      while (idx > stop)
+       {
+ 	idx--;
+ 	const hb_glyph_info_t &info = c->buffer->out_info[idx];
diff --git a/harfbuzz.spec b/harfbuzz.spec
index b89c156..33b764d 100644
--- a/harfbuzz.spec
+++ b/harfbuzz.spec
@@ -1,6 +1,6 @@
 Name:           harfbuzz
 Version:        2.7.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Text shaping library
 
 License:        MIT
@@ -9,6 +9,8 @@ Source0:        https://github.com/harfbuzz/harfbuzz/releases/download/%{version
 
 # Upstream patch https://github.com/harfbuzz/harfbuzz/issues/3557
 Patch0:         CVE-2022-33068-sbix-Limit-glyph-extents.patch
+# Upstream https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc#commitcomment-101335712
+Patch1:         CVE-2023-25193-Limit_how_far_we_skip_when_looking_back.patch
 
 BuildRequires:  cairo-devel
 BuildRequires:  freetype-devel
@@ -91,6 +93,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/libharfbuzz-icu.so.*
 
 %changelog
+* Sat Sep 09 2023 Parag Nemade <pnemade AT redhat DOT com> - 2.7.4-9
+- Resolves:RHEL-2268 CVE-2023-25193
+
 * Mon Jul 18 2022 Parag Nemade <pnemade AT redhat DOT com> - 2.7.4-8
 - Resolves:rh#2103849
 - Update tests.yaml