From e347d1a528dcf1fd9ad14068ad00c6c981770c9b Mon Sep 17 00:00:00 2001
From: Eike Rathke
Date: Mon, 9 Mar 2015 21:14:55 +0100
Subject: [PATCH] Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
---
 icu.changeset_37086.patch | 125 ++++++++++++++++++++++++++++++++++++++
 icu.spec | 7 ++-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 icu.changeset_37086.patch
diff --git a/icu.changeset_37086.patch b/icu.changeset_37086.patch
new file mode 100644
index 0000000..f202bfa
--- /dev/null
+++ b/icu.changeset_37086.patch
@@ -0,0 +1,125 @@
+# https://ssl.icu-project.org/trac/changeset/37086
+
+Index: icu/source/layout/ContextualSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/ContextualSubstSubtables.cpp (revision 37085)
++++ icu/source/layout/ContextualSubstSubtables.cpp (revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+ *
+ */
+@@ -467,4 +467,10 @@
+ (const ChainSubClassRuleTable *) ((char *) chainSubClassSetTable + chainSubClassRuleTableOffset);
+ le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount);
++
++ // TODO: Ticket #11557 - enable this check, originally from ticket #11525.
++ // Depends on other, more extensive, changes.
++ // LEReferenceToArrayOf backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
++ if( LE_FAILURE(success) ) { return 0; }
++
+ le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1;
+ const le_uint16 *inputClassArray = &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1];
+Index: icu/source/layout/CursiveAttachmentSubtables.cpp
+===================================================================
+--- icu/source/layout/CursiveAttachmentSubtables.cpp (revision 37085)
++++ icu/source/layout/CursiveAttachmentSubtables.cpp (revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998 - 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998 - 2015 - All Rights Reserved
+ *
+ */
+@@ -21,5 +21,8 @@
+ le_uint16 eeCount = SWAPW(entryExitCount);
+
+- if (coverageIndex < 0 || coverageIndex >= eeCount) {
++ LEReferenceToArrayOf
++ entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
++
++ if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) {
+ glyphIterator->setCursiveGlyph();
+ return 0;
+Index: icu/source/layout/Features.cpp
+===================================================================
+--- icu/source/layout/Features.cpp (revision 37085)
++++ icu/source/layout/Features.cpp (revision 37086)
+@@ -2,5 +2,5 @@
+ * @(#)Features.cpp 1.4 00/03/15
+ *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+ *
+ */
+@@ -16,4 +16,7 @@
+ LEReferenceTo FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
+ {
++ LEReferenceToArrayOf
++ featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
++
+ if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
+ return LEReferenceTo();
+Index: icu/source/layout/LETableReference.h
+===================================================================
+--- icu/source/layout/LETableReference.h (revision 37085)
++++ icu/source/layout/LETableReference.h (revision 37086)
+@@ -2,5 +2,5 @@
+ * -*- c++ -*-
+ *
+- * (C) Copyright IBM Corp. and others 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. and others 2015 - All Rights Reserved
+ *
+ * Range checking
+@@ -314,5 +314,10 @@
+
+ const T& getObject(le_uint32 i, LEErrorCode &success) const {
+- return *getAlias(i,success);
++ const T *ret = getAlias(i, success);
++ if (LE_FAILURE(success) || ret==NULL) {
++ return *(new T(0));
++ } else {
++ return *ret;
++ }
+ }
+
+Index: icu/source/layout/LigatureSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/LigatureSubstSubtables.cpp (revision 37085)
++++ icu/source/layout/LigatureSubstSubtables.cpp (revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+ *
+ */
+@@ -28,4 +28,7 @@
+ const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset);
+ le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
++ LEReferenceToArrayOf
++ componentArrayRef(base, success, ligTable->componentArray, compCount);
++ if (LE_FAILURE(success)) { return 0; }
+ le_int32 startPosition = glyphIterator->getCurrStreamPosition();
+ TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
+Index: icu/source/layout/MultipleSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/MultipleSubstSubtables.cpp (revision 37085)
++++ icu/source/layout/MultipleSubstSubtables.cpp (revision 37086)
+@@ -1,5 +1,5 @@
+ /*
+ *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+ *
+ */
+@@ -36,5 +36,10 @@
+ le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
+ le_uint16 seqCount = SWAPW(sequenceCount);
++ LEReferenceToArrayOf
++ sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
+
++ if (LE_FAILURE(success)) {
++ return 0;
++ }
+ if (coverageIndex >= 0 && coverageIndex < seqCount) {
+ Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]);
diff --git a/icu.spec b/icu.spec
index 08f6f22..0e8374e 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
 Name: icu
 Version: 54.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: International Components for Unicode
 Group: Development/Tools
 License: MIT and UCD and Public Domain
@@ -15,6 +15,7 @@ Patch2: icu.8800.freeserif.crash.patch
 Patch3: icu.7601.Indic-ccmp.patch
 Patch4: gennorm2-man.patch
 Patch5: icuinfo-man.patch
+Patch6: icu.changeset_37086.patch
 %description
 Tools and utilities for developing with icu.
@@ -62,6 +63,7 @@ BuildArch: noarch
 %patch3 -p1 -b .icu7601.Indic-ccmp.patch
 %patch4 -p1 -b .gennorm2-man.patch
 %patch5 -p1 -b .icuinfo-man.patch
+%patch6 -p1 -b .icu.changeset_37086.patch
 %build
 cd source
@@ -170,6 +172,9 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*
 %changelog
+* Mon Mar 09 2015 Eike Rathke - 54.1-2
+- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
+
 * Mon Jan 26 2015 Eike Rathke - 54.1-1
 - Resolves: rhbz#1185433 upgrade to upstream ICU 54.1
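Review bot: In the LETableReference.h section of the embedded icu.changeset_37086.patch, the new failure branch of `getObject()` does `return *(new T(0));`, which heap-allocates an object nothing can free, so every failed lookup leaks, and because these checks fire on malformed font tables the leak rate is set by whoever supplies the font. Returning one shared zero value instead, e.g. `static const T zero(0); return zero;`, keeps the signature without allocating and needs nothing beyond the `T(0)` the new code already requires. In the ContextualSubstSubtables.cpp section the `LEReferenceToArrayOf` range check is left commented out under the Ticket #11557 TODO, so the added `if( LE_FAILURE(success) ) { return 0; }` only sees earlier failures and the read of `backtrackClassArray[backtrackGlyphCount]` on the next line is still unchecked; the spec changelog entry could note that this path remains open. The CursiveAttachment and Features sections pass the index (`coverageIndex`, `featureIndex`) as the fourth constructor argument where the Ligature and MultipleSubst sections pass a count, so if that argument is an element count the entry at the index itself may lie outside the verified range, which should be confirmed against the constructor. The enclosing functions all start or end outside the hunks shown.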