From 76aee8e27afee2cf2e869515df7c7cf8285f254a Mon Sep 17 00:00:00 2001 From: spz Date: Sat, 5 Mar 2011 19:44:54 +0000 Subject: Pullup ticket #3378 - requested by tron devel/pango: security fix Revisions pulled up: - devel/pango/Makefile 1.152 - devel/pango/distinfo 1.88 Files added: devel/pango/patches/patch-CVE-2011-0064-1 devel/pango/patches/patch-CVE-2011-0064-2 devel/pango/patches/patch-CVE-2011-0064-3 --------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Sat Mar 5 13:37:20 UTC 2011 Modified Files: pkgsrc/devel/pango: Makefile distinfo Added Files: pkgsrc/devel/pango/patches: patch-CVE-2011-0064-1 patch-CVE-2011-0064-2 patch-CVE-2011-0064-3 Log Message: Add openSUSE's fix for the DoS vulnerability remoted in CVE-2011-0064.
---
 devel/pango/Makefile | 4 +- devel/pango/distinfo | 5 +- devel/pango/patches/patch-CVE-2011-0064-1 | 14 +++ devel/pango/patches/patch-CVE-2011-0064-2 | 148 ++++++++++++++++++++++++++++++ devel/pango/patches/patch-CVE-2011-0064-3 | 15 +++ 5 files changed, 183 insertions(+), 3 deletions(-) create mode 100644 devel/pango/patches/patch-CVE-2011-0064-1 create mode 100644 devel/pango/patches/patch-CVE-2011-0064-2 create mode 100644 devel/pango/patches/patch-CVE-2011-0064-3
diff --git a/devel/pango/Makefile b/devel/pango/Makefile
index e752bbc9272..721fa22c404 100644
--- a/devel/pango/Makefile
+++ b/devel/pango/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.149.2.1 2011/03/05 17:58:14 spz Exp $
+# $NetBSD: Makefile,v 1.149.2.2 2011/03/05 19:44:54 spz Exp $
 DISTNAME= pango-1.28.3
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= devel fonts
 MASTER_SITES= ${MASTER_SITE_GNOME:=sources/pango/1.28/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/devel/pango/distinfo b/devel/pango/distinfo
index f2918fe828f..d8e8942fdf0 100644
--- a/devel/pango/distinfo
+++ b/devel/pango/distinfo
@@ -1,8 +1,11 @@
-$NetBSD: distinfo,v 1.86.2.1 2011/03/05 17:58:14 spz Exp $
+$NetBSD: distinfo,v 1.86.2.2 2011/03/05 19:44:54 spz Exp $
 SHA1 (pango-1.28.3.tar.bz2) = e72887d6e147b9abf54628c003836e61d97767a1
 RMD160 (pango-1.28.3.tar.bz2) = cdfd6d695b169e15801956fbfd54438c109f7a61
 Size (pango-1.28.3.tar.bz2) = 1509501 bytes
+SHA1 (patch-CVE-2011-0064-1) = 4bee6af464fa849b21e693239a7c0497c8bd2ae0
+SHA1 (patch-CVE-2011-0064-2) = 37e974738af890e2e665290abcfef8f65ebb6dd2
+SHA1 (patch-CVE-2011-0064-3) = 854d3835ad559a10fb4c4323983f8be68d2f46eb
 SHA1 (patch-aa) = 1a87d055dc722eff28517a11d0832ae19df5eb59
 SHA1 (patch-ab) = 12c09b12ba31be19fa0d602f89909811e6221bd8
 SHA1 (patch-ac) = 349eaf578f26e9d55df01c736951f27cd70a89fc
diff --git a/devel/pango/patches/patch-CVE-2011-0064-1 b/devel/pango/patches/patch-CVE-2011-0064-1
new file mode 100644
index 00000000000..1377a8dc34f
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-1
@@ -0,0 +1,14 @@
+$NetBSD: patch-CVE-2011-0064-1,v 1.1.2.2 2011/03/05 19:44:54 spz Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer-private.h.orig 2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer-private.h 2011-03-05 13:30:22.000000000 +0000
+@@ -72,6 +72,7 @@
+ unsigned int allocated;
+
+ hb_bool_t have_output; /* weather we have an output buffer going on */
++ hb_bool_t in_error; /* Allocation failed */
+ unsigned int in_length;
+ unsigned int out_length;
+ unsigned int in_pos;
diff --git a/devel/pango/patches/patch-CVE-2011-0064-2 b/devel/pango/patches/patch-CVE-2011-0064-2
new file mode 100644
index 00000000000..1a776c2250b
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-2
@@ -0,0 +1,148 @@
+$NetBSD: patch-CVE-2011-0064-2,v 1.1.2.2 2011/03/05 19:44:54 spz Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer.c.orig 2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.c 2011-03-05 13:30:22.000000000 +0000
+@@ -52,23 +52,21 @@
+ * in_string and out_string.
+ */
+
+-/* XXX err handling */
+-
+ /* Internal API */
+
+-static void
++static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+- hb_buffer_ensure (buffer, size);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+ if (buffer->out_string == buffer->in_string)
+ {
+ assert (buffer->have_output);
+- if (!buffer->positions)
+- buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+
+ buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+ memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+ }
++
++ return TRUE;
+ }
+
+ /* Public API */
+@@ -114,6 +112,7 @@
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+ buffer->have_output = FALSE;
++ buffer->in_error = FALSE;
+ buffer->in_length = 0;
+ buffer->out_length = 0;
+ buffer->in_pos = 0;
+@@ -122,32 +121,42 @@
+ buffer->max_lig_id = 0;
+ }
+
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+- unsigned int new_allocated = buffer->allocated;
+-
+- if (size > new_allocated)
++ if (HB_UNLIKELY (size > buffer->allocated))
+ {
++ unsigned int new_allocated = buffer->allocated;
++ hb_internal_glyph_position_t *new_pos;
++ hb_internal_glyph_info_t *new_info;
++ hb_bool_t separate_out;
++
++ if (HB_UNLIKELY (buffer->in_error))
++ return FALSE;
++
++ separate_out = buffer->out_string != buffer->in_string;
++
+ while (size > new_allocated)
+ new_allocated += (new_allocated >> 1) + 8;
+
+- if (buffer->positions)
+- buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++ new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+
+- if (buffer->out_string != buffer->in_string)
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+- }
+- else
+- {
+- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+- buffer->out_string = buffer->in_string;
+- }
++ if (HB_UNLIKELY (!new_pos || !new_info))
++ buffer->in_error = TRUE;
++
++ if (HB_LIKELY (new_pos))
++ buffer->positions = new_pos;
+
+- buffer->allocated = new_allocated;
++ if (HB_LIKELY (new_info))
++ buffer->in_string = new_info;
++
++ buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
++ if (HB_LIKELY (!buffer->in_error))
++ buffer->allocated = new_allocated;
+ }
++
++ return HB_LIKELY (!buffer->in_error);
+ }
+
+ void
+@@ -158,7 +167,7 @@
+ {
+ hb_internal_glyph_info_t *glyph;
+
+- hb_buffer_ensure (buffer, buffer->in_length + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+
+ glyph = &buffer->in_string[buffer->in_length];
+ glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@
+
+ assert (buffer->have_output);
+
++ if (HB_UNLIKELY (buffer->in_error)) return;
++
+ if (buffer->out_string != buffer->in_string)
+ {
+ hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@
+ if (buffer->out_string != buffer->in_string ||
+ buffer->out_pos + num_out > buffer->in_pos + num_in)
+ {
+- hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
++ if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
++ return;
+ }
+
+ mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@
+
+ if (buffer->out_string != buffer->in_string)
+ {
+- hb_buffer_ensure (buffer, buffer->out_pos + 1);
++ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+ buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+ }
+ else if (buffer->out_pos != buffer->in_pos)
diff --git a/devel/pango/patches/patch-CVE-2011-0064-3 b/devel/pango/patches/patch-CVE-2011-0064-3
new file mode 100644
index 00000000000..3afe5203433
--- /dev/null
+++ b/devel/pango/patches/patch-CVE-2011-0064-3
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2011-0064-3,v 1.1.2.2 2011/03/05 19:44:54 spz Exp $
+
+Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE.
+
+--- pango/opentype/hb-buffer.h.orig 2010-02-09 12:06:28.000000000 +0000
++++ pango/opentype/hb-buffer.h 2011-03-05 13:30:22.000000000 +0000
+@@ -94,7 +94,7 @@
+ void
+ hb_buffer_clear_positions (hb_buffer_t *buffer);
+
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer,
+ unsigned int size);
+
-- cgit v1.2.3
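Review bot: The size arithmetic in hb_buffer_ensure (inner hunk `@@ -122,32 +121,42 @@` of patch-CVE-2011-0064-2) is still unchecked: `new_allocated += (new_allocated >> 1) + 8` is computed in `unsigned int` and can wrap for a very large `size`, and `new_allocated * sizeof (buffer->positions[0])` can wrap where `size_t` is 32 bits wide, so realloc() could succeed with a block smaller than the `allocated` value recorded afterwards. The new `in_error` path covers a failed realloc() but not this case; I would reject oversized requests before the loop, e.g. `if (HB_UNLIKELY (size > ((unsigned int) -1) / 2 / sizeof (buffer->positions[0]))) { buffer->in_error = TRUE; return FALSE; }`, assuming (as the cast of `positions` to `hb_internal_glyph_info_t *` suggests) that both element types have the same size. The callers' `buffer->in_length + 1` and `buffer->out_pos + num_out` are unsigned sums as well and are not covered by such a guard. Separately, the functions that now `return;` early do so with no visible update of `in_pos`/`out_pos`, and their bodies continue outside the hunks, so code that iterates over the buffer presumably has to test `in_error` itself; a comment on the `in_error` field stating that contract would help.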