
[kirkstone,02/29] harfbuzz: fix CVE-2023-25193 allows attackers to trigger O(n^2) growth via consecutive marks

Message ID 9bc6342a9e02e14806903fdb589bf5a854093639.1677859897.git.steve@sakoman.com

Commit Message

Steve Sakoman March 3, 2023, 4:17 p.m. UTC
From: Vivek Kumbhar <vkumbhar@mvista.com>

[layout] Limit how far we skip when looking back

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch    | 71 +++++++++++++++++++
 .../harfbuzz/harfbuzz_4.0.1.bb                |  4 +-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch

Patch

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
new file mode 100644
index 0000000000..54ceebcf93
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -0,0 +1,71 @@ 
+From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Feb 2023 20:00:43 -0700
+Subject: [PATCH] [layout] Limit how far we skip when looking back
+
+Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc]
+CVE: CVE-2023-25193
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/hb-ot-layout-common.hh   |  7 +++++++
+ src/hb-ot-layout-gsubgpos.hh | 19 ++++++++++++++++---
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
+index 60a1906..f7f8d5f 100644
+--- a/src/hb-ot-layout-common.hh
++++ b/src/hb-ot-layout-common.hh
+@@ -72,6 +72,13 @@
+ #define HB_MAX_LOOKUP_VISIT_COUNT	35000
+ #endif
+ 
++#ifndef HB_MAX_NESTING_LEVEL
++#define HB_MAX_NESTING_LEVEL	6
++#endif
++#ifndef HB_MAX_CONTEXT_LENGTH
++#define HB_MAX_CONTEXT_LENGTH	64
++#endif
++
+ 
+ namespace OT {
+ 
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 65de131..891d96a 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -525,7 +525,10 @@ struct hb_ot_apply_context_t :
+     bool next (unsigned *unsafe_to = nullptr)
+     {
+       assert (num_items > 0);
+-      while (idx + num_items < end)
++      unsigned stop = end - num_items;
++      if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
++      	stop = end - 1;
++      while (idx < stop)
+       {
+ 	idx++;
+ 	const hb_glyph_info_t &info = c->buffer->info[idx];
+@@ -557,8 +560,18 @@ struct hb_ot_apply_context_t :
+     }
+     bool prev (unsigned *unsafe_from = nullptr)
+     {
+-      assert (num_items > 0);
+-      while (idx > num_items - 1)
++      assert (num_items > 0);      
++      unsigned stop = 1 - num_items;
++      if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)        
++      	stop = 1 - 1;
++      	
++      /* When looking back, limit how far we search; this function is mostly
++       * used for looking back for base glyphs when attaching marks. If we
++       * don't limit, we can get O(n^2) behavior where n is the number of
++       * consecutive marks. */
++      stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
++
++      while (idx > stop)
+       {
+ 	idx--;
+ 	const hb_glyph_info_t &info = c->buffer->out_info[idx];
+-- 
+2.25.1
+
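Review bot: The lower bound in prev() looks mistranscribed in the backport: the removed loop condition was `while (idx > num_items - 1)`, but the new code initialises `unsigned stop = 1 - num_items;`, which wraps for any num_items > 1 and, after the `(int)` round-trip through hb_max, leaves stop at -1 or below, so for small idx the `while (idx > stop)` loop never runs and prev() fails, while for idx >= HB_MAX_CONTEXT_LENGTH the num_items-1 floor is dropped and idx can walk below the number of items the caller still expects to read. It should read `unsigned stop = num_items - 1;`, mirroring the sibling next() which computes `end - num_items`; please compare against the upstream commit named in the Upstream-Status line before merging. The `assert (num_items > 0);` line and the two lines following the flag check also introduce trailing whitespace that upstream did not have. Both prev() and next() continue past the end of their hunks, so the callers' use of idx after the loop is not visible here.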
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
index bdbb322e42..2a2ec714d0 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
@@ -13,7 +13,9 @@  UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
 
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz \
            file://CVE-2022-33068.patch \
-           file://0001-Fix-conditional.patch"
+           file://0001-Fix-conditional.patch \
+           file://CVE-2023-25193.patch \
+           "
 SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
 
 inherit meson pkgconfig lib_package gtk-doc gobject-introspection