Resolves:rh#2103849 CVE-2022-33068

harfbuzz: integer overflow in the component hb-ot-shape-fallback.c
This commit is contained in:
Parag Nemade 2022-07-16 07:57:05 +05:30
parent 83b5de60e0
commit 7b433c6c08
No known key found for this signature in database
GPG Key ID: 71932951EB71E972
2 changed files with 38 additions and 1 deletions

View File

@ -0,0 +1,30 @@
From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 1 Jun 2022 07:38:21 -0600
Subject: [PATCH 001/363] [sbix] Limit glyph extents
Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
---
src/hb-ot-color-sbix-table.hh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index 9741ebd45..6efae43cd 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -298,6 +298,12 @@ struct sbix
const PNGHeader &png = *blob->as<PNGHeader>();
+ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
+ {
+ hb_blob_destroy (blob);
+ return false;
+ }
+
extents->x_bearing = x_offset;
extents->y_bearing = png.IHDR.height + y_offset;
extents->width = png.IHDR.width;
--
2.36.1

View File

@ -1,12 +1,15 @@
Name: harfbuzz Name: harfbuzz
Version: 2.7.4 Version: 2.7.4
Release: 5%{?dist} Release: 6%{?dist}
Summary: Text shaping library Summary: Text shaping library
License: MIT License: MIT
URL: https://harfbuzz.github.io/ URL: https://harfbuzz.github.io/
Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz
# Upstream patch https://github.com/harfbuzz/harfbuzz/issues/3557
Patch0: CVE-2022-33068-sbix-Limit-glyph-extents.patch
BuildRequires: cairo-devel BuildRequires: cairo-devel
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: glib2-devel BuildRequires: glib2-devel
@ -88,6 +91,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%{_libdir}/libharfbuzz-icu.so.* %{_libdir}/libharfbuzz-icu.so.*
%changelog %changelog
* Fri Jul 15 2022 Parag Nemade <pnemade AT redhat DOT com> - 2.7.4-6
- Resolves:rh#2103849 CVE-2022-33068
harfbuzz: integer overflow in the component hb-ot-shape-fallback.c
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.4-5 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.4-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688