Resolves: RHEL-45541 - SAST fix

.fmf/version

@@ -0,0 +1 @@
+1

harfbuzz-8.4.0-sast.patch

@@ -0,0 +1,44 @@
+diff -urN harfbuzz-8.4.0.old/src/hb-cff-interp-dict-common.hh harfbuzz-8.4.0/src/hb-cff-interp-dict-common.hh
+--- harfbuzz-8.4.0.old/src/hb-cff-interp-dict-common.hh	2024-03-29 20:03:04.000000000 +0530
++++ harfbuzz-8.4.0/src/hb-cff-interp-dict-common.hh	2024-08-16 14:53:09.265168054 +0530
+@@ -84,7 +84,7 @@
+ 
+     enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END };
+ 
+-    char buf[32];
++    char buf[32] = {0};
+     unsigned char byte = 0;
+     for (unsigned i = 0, count = 0; count < ARRAY_LENGTH (buf); ++i, ++count)
+     {
+diff -urN harfbuzz-8.4.0.old/test/api/test-font.c harfbuzz-8.4.0/test/api/test-font.c
+--- harfbuzz-8.4.0.old/test/api/test-font.c	2024-03-29 20:03:04.000000000 +0530
++++ harfbuzz-8.4.0/test/api/test-font.c	2024-08-16 14:53:09.266168070 +0530
+@@ -417,7 +417,7 @@
+   font2 = hb_font_create_sub_font (font1);
+   hb_font_destroy (font1);
+   ffuncs2 = hb_font_funcs_create ();
+-  hb_font_funcs_set_nominal_glyphs_func (ffuncs1, nominal_glyphs_func, NULL, NULL);
++  hb_font_funcs_set_nominal_glyphs_func (ffuncs2, nominal_glyphs_func, NULL, NULL);
+   hb_font_set_funcs (font2, ffuncs2, NULL, NULL);
+   hb_font_funcs_destroy (ffuncs2);
+ 
+diff -urN harfbuzz-8.4.0.old/util/hb-subset.cc harfbuzz-8.4.0/util/hb-subset.cc
+--- harfbuzz-8.4.0.old/util/hb-subset.cc	2024-03-29 20:03:04.000000000 +0530
++++ harfbuzz-8.4.0/util/hb-subset.cc	2024-08-16 14:53:09.267168086 +0530
+@@ -792,6 +792,7 @@
+       g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ 		   "Failed reading file `%s': %s",
+ 		   arg, strerror (errno));
++      fclose(fp);
+       return false;
+     }
+     g_string_append_c (gs, '\0');
+@@ -812,6 +813,8 @@
+ 
+   g_string_free (gs, false);
+ 
++  fclose(fp);
++
+   return true;
+ }
+ 

harfbuzz.spec

@@ -1,12 +1,14 @@
 Name:           harfbuzz
 Version:        8.4.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Text shaping library
 
 License:        MIT-Modern-Variant
 URL:            https://github.com/harfbuzz/harfbuzz/
 Source0:        https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz
 
+Patch0:         harfbuzz-8.4.0-sast.patch
+
 BuildRequires:  cairo-devel
 BuildRequires:  freetype-devel
 BuildRequires:  glib2-devel
@@ -92,6 +94,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/libharfbuzz-icu.so.*
 
 %changelog
+* Fri Aug 16 2024 Parag Nemade <pnemade AT redhat DOT com> - 8.4.0-3
+- Resolves: RHEL-45542 - SAST fix
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 8.4.0-2
 - Bump release for June 2024 mass rebuild
 

plans/harfbuzz.fmf

@@ -0,0 +1,5 @@
+summary: Basic smoke test
+discover:
+    how: fmf
+execute:
+    how: tmt

tests/main.fmf

@@ -0,0 +1,17 @@
+test: ./runtests.sh
+duration: 10m
+framework: beakerlib
+require:
+  - harfbuzz
+  - harfbuzz-devel
+  - rpm-build
+  - autoconf
+  - automake
+  - m4
+  - gcc-c++
+  - make
+  - python3-devel
+  - libtool
+  - gtk-doc
+  - cairo-devel
+  - fontconfig-devel

tests/runtests.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+NAME=harfbuzz
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${NAME}
+        rlAssertRpm ${NAME}-devel
+        rlShowPackageVersion ${NAME}
+        rlRun -t -l "VERSION=$(rpm -q ${NAME} --queryformat='%{version}')" 0 "Get VERSION"
+        FEDORA_VERSION=$(rlGetDistroRelease)
+        rlLog "FEDORA_VERSION=${DISTRO_RELEASE}"
+        rlRun "tmp=\$(mktemp -d)" 0 "Create tmp directory"
+        rlRun "pushd $tmp"
+        rlFetchSrcForInstalled "${NAME}"
+        rlRun "rpm --define '_topdir $tmp' -i *src.rpm"
+        rlRun -t -l "mkdir BUILD" 0 "Creating BUILD directory"
+        rlRun -t -l "rpmbuild --noclean --nodeps --define '_topdir $tmp' -bp $tmp/SPECS/*spec"
+        if [ -d BUILD/${NAME}-${VERSION}-build ]; then
+            rlRun -t -l "pushd BUILD/${NAME}-${VERSION}-build/${NAME}-${VERSION}"
+        else
+            rlRun -t -l "pushd BUILD/${NAME}-${VERSION}"
+        fi
+        rlRun "set -o pipefail"
+        rlRun "NOCONFIGURE=1 ./autogen.sh"
+        rlRun "./configure --disable-static --with-graphite2 --with-gobject --enable-introspection"
+        rlRun "make check"
+        rlRun "retval=$?"
+        rlRun "echo $retval"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun -t -l "INSTALLED_VERSION=$(hb-info --version|awk 'NR==1 {print $3}')" \
+              0 "Get installed version"
+        rlAssertEquals "versions should be equal" "${VERSION}" "${INSTALLED_VERSION}"
+        rlGetTestState
+        rlLog "Number of failed asserts so far: ${ECODE}"
+        rlRun "popd" 0
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $tmp" 0 "Remove tmp directory"
+    rlPhaseEnd
+rlJournalEnd
+

tests/smoke/runtest.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-set -e
-cd ../source
-
-echo "---Start autogen.sh---"
-NOCONFIGURE=1 ./autogen.sh
-echo "---End autogen.sh---"
-echo "--------------------"
-
-./configure --disable-static --with-graphite2 --with-gobject --enable-introspection
-echo "--------------------"
-echo "---Start make check---"
-make check
-retval=$?
-echo $retval
-if [ $retval -ne 0 ]; then
-        echo "make check failed"
-else
-        echo "make check completed sucessfully"
-fi
-echo "---End make check---"

tests/tests.yml

@@ -1,25 +0,0 @@
----
-- hosts: localhost
-  tags:
-  - classic
-  roles:
-  - role: standard-test-source
-
-- hosts: localhost
-  tags:
-  - classic
-  roles:
-  - role: standard-test-basic
-    tests:
-    - smoke
-    required_packages:
-    - autoconf
-    - automake
-    - m4
-    - gcc-c++
-    - make
-    - python3-devel
-    - libtool
-    - gtk-doc
-    - cairo-devel
-    - fontconfig-devel