Add openSUSE's fix for the DoS vulnerability remoted in CVE-2011-0064.

5 files changed, 183 insertions, 3 deletions

diff --git a/devel/pango/Makefile b/devel/pango/Makefile
index b632d4f289a..4fa5ecd57ce 100644
--- a/devel/pango/Makefile
+++ b/devel/pango/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.151 2011/01/27 14:04:51 drochner Exp $
+# $NetBSD: Makefile,v 1.152 2011/03/05 13:37:19 tron Exp $
 
 DISTNAME=		pango-1.28.3
-PKGREVISION=		2
+PKGREVISION=		3
 CATEGORIES=		devel fonts
 MASTER_SITES=		${MASTER_SITE_GNOME:=sources/pango/1.28/}
 EXTRACT_SUFX=		.tar.bz2
diff --git a/devel/pango/distinfo b/devel/pango/distinfo
index 4a57248568f..91663d90abf 100644
--- a/devel/pango/distinfo
+++ b/devel/pango/distinfo
@@ -1,8 +1,11 @@
-$NetBSD: distinfo,v 1.87 2011/01/27 14:04:51 drochner Exp $
+$NetBSD: distinfo,v 1.88 2011/03/05 13:37:19 tron Exp $
 
 SHA1 (pango-1.28.3.tar.bz2) = e72887d6e147b9abf54628c003836e61d97767a1
 RMD160 (pango-1.28.3.tar.bz2) = cdfd6d695b169e15801956fbfd54438c109f7a61
 Size (pango-1.28.3.tar.bz2) = 1509501 bytes
+SHA1 (patch-CVE-2011-0064-1) = 4bee6af464fa849b21e693239a7c0497c8bd2ae0
+SHA1 (patch-CVE-2011-0064-2) = 37e974738af890e2e665290abcfef8f65ebb6dd2
+SHA1 (patch-CVE-2011-0064-3) = 854d3835ad559a10fb4c4323983f8be68d2f46eb
 SHA1 (patch-aa) = 1a87d055dc722eff28517a11d0832ae19df5eb59
 SHA1 (patch-ab) = 12c09b12ba31be19fa0d602f89909811e6221bd8
 SHA1 (patch-ac) = 349eaf578f26e9d55df01c736951f27cd70a89fc
diff --git a/devel/pango/patches/patch-CVE-2011-0064-1 b/devel/pango/patches/patch-CVE-2011-0064-1
new file mode 100644
index 00000000000..4e7a73d27ca
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-1
@@ -0,0 +1,14 @@
+$NetBSD: patch-CVE-2011-0064-1,v 1.1 2011/03/05 13:37:19 tron Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer-private.h.orig	2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer-private.h	2011-03-05 13:30:22.000000000 +0000
+@@ -72,6 +72,7 @@
+   unsigned int allocated;
+ 
+   hb_bool_t    have_output; /* weather we have an output buffer going on */
++  hb_bool_t    in_error; /* Allocation failed */
+   unsigned int in_length;
+   unsigned int out_length;
+   unsigned int in_pos;
diff --git a/devel/pango/patches/patch-CVE-2011-0064-2 b/devel/pango/patches/patch-CVE-2011-0064-2
new file mode 100644
index 00000000000..0bd19e46de2
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-2
@@ -0,0 +1,148 @@
+$NetBSD: patch-CVE-2011-0064-2,v 1.1 2011/03/05 13:37:19 tron Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064	taken from openSUSE.
+
+--- pango/opentype/hb-buffer.c.orig	2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.c	2011-03-05 13:30:22.000000000 +0000
+@@ -52,23 +52,21 @@
+  * in_string and out_string.
+  */
+ 
+-/* XXX err handling */
+-
+ /* Internal API */
+ 
+-static void
++static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+-  hb_buffer_ensure (buffer, size);
++  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+   if (buffer->out_string == buffer->in_string)
+   {
+     assert (buffer->have_output);
+-    if (!buffer->positions)
+-      buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+ 
+     buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+     memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+   }
++
++  return TRUE;
+ }
+ 
+ /* Public API */
+@@ -114,6 +112,7 @@
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+   buffer->have_output = FALSE;
++  buffer->in_error = FALSE;
+   buffer->in_length = 0;
+   buffer->out_length = 0;
+   buffer->in_pos = 0;
+@@ -122,32 +121,42 @@
+   buffer->max_lig_id = 0;
+ }
+ 
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+-  unsigned int new_allocated = buffer->allocated;
+-
+-  if (size > new_allocated)
++  if (HB_UNLIKELY (size > buffer->allocated))
+   {
++    unsigned int new_allocated = buffer->allocated;
++    hb_internal_glyph_position_t *new_pos;
++    hb_internal_glyph_info_t *new_info;
++    hb_bool_t separate_out;
++
++    if (HB_UNLIKELY (buffer->in_error))
++      return FALSE;
++
++    separate_out = buffer->out_string != buffer->in_string;
++
+     while (size > new_allocated)
+       new_allocated += (new_allocated >> 1) + 8;
+ 
+-    if (buffer->positions)
+-      buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++    new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++    new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+ 
+-    if (buffer->out_string != buffer->in_string)
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+-    }
+-    else
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = buffer->in_string;
+-    }
++    if (HB_UNLIKELY (!new_pos || !new_info))
++      buffer->in_error = TRUE;
++
++    if (HB_LIKELY (new_pos))
++      buffer->positions = new_pos;
+ 
+-    buffer->allocated = new_allocated;
++    if (HB_LIKELY (new_info))
++      buffer->in_string = new_info;
++
++    buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
++    if (HB_LIKELY (!buffer->in_error))
++      buffer->allocated = new_allocated;
+   }
++
++  return HB_LIKELY (!buffer->in_error);
+ }
+ 
+ void
+@@ -158,7 +167,7 @@
+ {
+   hb_internal_glyph_info_t *glyph;
+ 
+-  hb_buffer_ensure (buffer, buffer->in_length + 1);
++  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+ 
+   glyph = &buffer->in_string[buffer->in_length];
+   glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@
+ 
+   assert (buffer->have_output);
+ 
++  if (HB_UNLIKELY (buffer->in_error)) return;
++
+   if (buffer->out_string != buffer->in_string)
+   {
+     hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@
+   if (buffer->out_string != buffer->in_string ||
+       buffer->out_pos + num_out > buffer->in_pos + num_in)
+   {
+-    hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
++    if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
++        return;
+   }
+ 
+   mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
++    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
++    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
diff --git a/devel/pango/patches/patch-CVE-2011-0064-3 b/devel/pango/patches/patch-CVE-2011-0064-3
new file mode 100644
index 00000000000..bae31b6931b
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-3
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2011-0064-3,v 1.1 2011/03/05 13:37:20 tron Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064	taken from openSUSE.
+
+--- pango/opentype/hb-buffer.h.orig	2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.h	2011-03-05 13:30:22.000000000 +0000
+@@ -94,7 +94,7 @@
+ void
+ hb_buffer_clear_positions (hb_buffer_t *buffer);
+ 
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t  *buffer,
+ 		  unsigned int  size);
+