Diffstat (limited to 'devel/pango/patches/patch-CVE-2011-0064-2')
-rw-r--r-- | devel/pango/patches/patch-CVE-2011-0064-2 | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/devel/pango/patches/patch-CVE-2011-0064-2 b/devel/pango/patches/patch-CVE-2011-0064-2
new file mode 100644
index 00000000000..1a776c2250b
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-2
@@ -0,0 +1,148 @@
+$NetBSD: patch-CVE-2011-0064-2,v 1.1.2.2 2011/03/05 19:44:54 spz Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer.c.orig 2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.c 2011-03-05 13:30:22.000000000 +0000
+@@ -52,23 +52,21 @@
+ * in_string and out_string.
+ */
+
+-/* XXX err handling */
+-
+ /* Internal API */
+
+-static void
++static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+- hb_buffer_ensure (buffer, size);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+ if (buffer->out_string == buffer->in_string)
+ {
+ assert (buffer->have_output);
+- if (!buffer->positions)
+- buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+
+ buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+ memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+ }
++
++ return TRUE;
+ }
+
+ /* Public API */
+@@ -114,6 +112,7 @@
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+ buffer->have_output = FALSE;
++ buffer->in_error = FALSE;
+ buffer->in_length = 0;
+ buffer->out_length = 0;
+ buffer->in_pos = 0;
+@@ -122,32 +121,42 @@
+ buffer->max_lig_id = 0;
+ }
+
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+- unsigned int new_allocated = buffer->allocated;
+-
+- if (size > new_allocated)
++ if (HB_UNLIKELY (size > buffer->allocated))
+ {
++ unsigned int new_allocated = buffer->allocated;
++ hb_internal_glyph_position_t *new_pos;
++ hb_internal_glyph_info_t *new_info;
++ hb_bool_t separate_out;
++
++ if (HB_UNLIKELY (buffer->in_error))
++ return FALSE;
++
++ separate_out = buffer->out_string != buffer->in_string;
++
+ while (size > new_allocated)
+ new_allocated += (new_allocated >> 1) + 8;
+
+- if (buffer->positions)
+- buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+
+- if (buffer->out_string != buffer->in_string)
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+- }
+- else
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = buffer->in_string;
+- }
++ if (HB_UNLIKELY (!new_pos || !new_info))
++ buffer->in_error = TRUE;
++
++ if (HB_LIKELY (new_pos))
++ buffer->positions = new_pos;
+
+- buffer->allocated = new_allocated;
++ if (HB_LIKELY (new_info))
++ buffer->in_string = new_info;
++
++ buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
++ if (HB_LIKELY (!buffer->in_error))
++ buffer->allocated = new_allocated;
+ }
++
++ return HB_LIKELY (!buffer->in_error);
+ }
+
+ void
+@@ -158,7 +167,7 @@
+ {
+ hb_internal_glyph_info_t *glyph;
+
+- hb_buffer_ensure (buffer, buffer->in_length + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+
+ glyph = &buffer->in_string[buffer->in_length];
+ glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@
+
+ assert (buffer->have_output);
+
++ if (HB_UNLIKELY (buffer->in_error)) return;
++
+ if (buffer->out_string != buffer->in_string)
+ {
+ hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@
+ if (buffer->out_string != buffer->in_string ||
+ buffer->out_pos + num_out > buffer->in_pos + num_in)
+ {
+- hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
++ if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
++ return;
+ }
+
+ mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos) |
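Review bot: The growth arithmetic in the rewritten hb_buffer_ensure is still unchecked, so the new error path covers a failed realloc but not a wrapped size. `new_allocated += (new_allocated >> 1) + 8` is computed in unsigned int and can wrap for a very large `size`, and `new_allocated * sizeof (buffer->positions[0])` can wrap where size_t is 32 bits, in which case realloc may succeed with a block smaller than the count later stored in `buffer->allocated`. A bound ahead of the loop, for example `if (HB_UNLIKELY (size > (unsigned int) -1 / 2 / sizeof (buffer->positions[0]))) { buffer->in_error = TRUE; return FALSE; }`, would route that case into the existing in_error handling (this assumes both element types have the same size, which the cast of `positions` to `hb_internal_glyph_info_t *` suggests). Separately, the callers patched in the later inner hunks now `return;` without reporting the failure, and their bodies continue outside those hunks, so it should be confirmed that the code driving them checks `in_error` and still terminates when the position counters are not advanced.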