summaryrefslogtreecommitdiff
path: root/devel/pango/patches/patch-CVE-2011-0064-2
diff options
context:
space:
mode:
Diffstat (limited to 'devel/pango/patches/patch-CVE-2011-0064-2')
-rw-r--r--devel/pango/patches/patch-CVE-2011-0064-2148
1 files changed, 148 insertions, 0 deletions
diff --git a/devel/pango/patches/patch-CVE-2011-0064-2 b/devel/pango/patches/patch-CVE-2011-0064-2
new file mode 100644
index 00000000000..1a776c2250b
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-2
@@ -0,0 +1,148 @@
+$NetBSD: patch-CVE-2011-0064-2,v 1.1.2.2 2011/03/05 19:44:54 spz Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer.c.orig 2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.c 2011-03-05 13:30:22.000000000 +0000
+@@ -52,23 +52,21 @@
+ * in_string and out_string.
+ */
+
+-/* XXX err handling */
+-
+ /* Internal API */
+
+-static void
++static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+- hb_buffer_ensure (buffer, size);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+ if (buffer->out_string == buffer->in_string)
+ {
+ assert (buffer->have_output);
+- if (!buffer->positions)
+- buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+
+ buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+ memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+ }
++
++ return TRUE;
+ }
+
+ /* Public API */
+@@ -114,6 +112,7 @@
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+ buffer->have_output = FALSE;
++ buffer->in_error = FALSE;
+ buffer->in_length = 0;
+ buffer->out_length = 0;
+ buffer->in_pos = 0;
+@@ -122,32 +121,42 @@
+ buffer->max_lig_id = 0;
+ }
+
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+- unsigned int new_allocated = buffer->allocated;
+-
+- if (size > new_allocated)
++ if (HB_UNLIKELY (size > buffer->allocated))
+ {
++ unsigned int new_allocated = buffer->allocated;
++ hb_internal_glyph_position_t *new_pos;
++ hb_internal_glyph_info_t *new_info;
++ hb_bool_t separate_out;
++
++ if (HB_UNLIKELY (buffer->in_error))
++ return FALSE;
++
++ separate_out = buffer->out_string != buffer->in_string;
++
+ while (size > new_allocated)
+ new_allocated += (new_allocated >> 1) + 8;
+
+- if (buffer->positions)
+- buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+
+- if (buffer->out_string != buffer->in_string)
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+- }
+- else
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = buffer->in_string;
+- }
++ if (HB_UNLIKELY (!new_pos || !new_info))
++ buffer->in_error = TRUE;
++
++ if (HB_LIKELY (new_pos))
++ buffer->positions = new_pos;
+
+- buffer->allocated = new_allocated;
++ if (HB_LIKELY (new_info))
++ buffer->in_string = new_info;
++
++ buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
++ if (HB_LIKELY (!buffer->in_error))
++ buffer->allocated = new_allocated;
+ }
++
++ return HB_LIKELY (!buffer->in_error);
+ }
+
+ void
+@@ -158,7 +167,7 @@
+ {
+ hb_internal_glyph_info_t *glyph;
+
+- hb_buffer_ensure (buffer, buffer->in_length + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+
+ glyph = &buffer->in_string[buffer->in_length];
+ glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@
+
+ assert (buffer->have_output);
+
++ if (HB_UNLIKELY (buffer->in_error)) return;
++
+ if (buffer->out_string != buffer->in_string)
+ {
+ hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@
+ if (buffer->out_string != buffer->in_string ||
+ buffer->out_pos + num_out > buffer->in_pos + num_in)
+ {
+- hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
++ if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
++ return;
+ }
+
+ mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos)
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-07 03:30:23 +0000