
Index: src/Code.cpp
===================================================================
--- src/Code.cpp.orig	2015-08-31 06:42:03.000000000 +0200
+++ src/Code.cpp	2016-03-03 15:35:23.281426722 +0100
@@ -120,6 +120,7 @@
     analysis            _analysis;
     enum passtype       _passtype;
     int                 _stack_depth;
+    bool                _in_ctxt_item;
 };
 
 
@@ -139,7 +140,8 @@
   _pre_context(code._constraint ? 0 : lims.pre_context), 
   _rule_length(code._constraint ? 1 : lims.rule_length), 
   _instr(code._code), _data(code._data), _max(lims), _passtype(pt),
-  _stack_depth(0)
+  _stack_depth(0),
+  _in_ctxt_item(false)
 { }
     
 
@@ -356,8 +358,8 @@
             break;
         case CNTXT_ITEM :
             valid_upto(_max.rule_length, _max.pre_context + int8(bc[0]));
-            if (bc + 2 + bc[1] >= _max.bytecode)  failure(jump_past_end);
-            if (_pre_context != 0)                failure(nested_context_item);
+            if (bc + 2 + bc[1] >= _max.bytecode)    failure(jump_past_end);
+            if (_in_ctxt_item)                      failure(nested_context_item);
             break;
         case ATTR_SET :
         case ATTR_ADD :
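Review bot: The switch from `_pre_context != 0` to `_in_ctxt_item` on the nested_context_item line needs a comment, or the next reader will wonder why the old test was insufficient: inside a context item `_pre_context` is assigned `_max.pre_context + int8(...)`, which can legitimately sum to zero, so the old check let a nested CNTXT_ITEM through. Suggest `// _pre_context can be 0 inside a context item, so nesting is tracked explicitly` above the check. Note also that `bc[1]` is dereferenced before the jump_past_end comparison; that is only safe if the decoder has already verified that both argument bytes lie inside the bytecode, which this hunk does not show and is worth confirming. The enclosing function starts and ends outside the hunk.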
@@ -574,6 +576,7 @@
     if (opc == CNTXT_ITEM)
     {
         assert(_pre_context == 0);
+        _in_ctxt_item = true;
         _pre_context = _max.pre_context + int8(_data[-2]);
         _rule_length = _max.rule_length;
 
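Review bot: The `assert(_pre_context == 0)` immediately before the new `_in_ctxt_item = true` no longer expresses the invariant the decoder enforces: nesting is now rejected via `_in_ctxt_item`, and `_pre_context` can be zero inside a context item, so in a debug build the assert can hold on a nested item and miss exactly the case the flag was added for. Suggest `assert(!_in_ctxt_item);` next to (or instead of) it so the debug check matches the fetch-time check. The enclosing function starts and ends outside the hunk.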
@@ -592,6 +595,7 @@
 
             _rule_length = 1;
             _pre_context = 0;
+            _in_ctxt_item = false;
         }
         else
             return false;
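Review bot: `_in_ctxt_item` is cleared only on the success path; the `else return false;` arm leaves it set. That is harmless if a failed load discards the decoder, which this hunk does not show, but clearing it in both arms (`else { _in_ctxt_item = false; return false; }`) keeps the flag's meaning independent of caller behaviour. A one-line comment at the reset, `// leave the context item: restore the limits used outside it`, would also explain why `_rule_length` goes back to the constant 1 rather than a saved value, which appears to rely on context items only occurring in constraint code. The enclosing function starts before the hunk.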
Index: src/SegCacheEntry.cpp
===================================================================
--- src/SegCacheEntry.cpp.orig	2015-08-31 06:42:03.000000000 +0200
+++ src/SegCacheEntry.cpp	2016-03-03 15:34:29.193427244 +0100
@@ -61,7 +61,8 @@
     }
     const Slot * slot = seg->first();
     m_glyph = new Slot[glyphCount];
-    m_attr = gralloc<int16>(glyphCount * seg->numAttrs());
+    int attrSize = seg->numAttrs() + (seg->hasCollisionInfo() ? (sizeof(SlotCollision) + 1) / 2 : 0);
+    m_attr = gralloc<int16>(glyphCount * attrSize);
     if (!m_glyph || (!m_attr && seg->numAttrs())) return;
     m_glyphLength = glyphCount;
     Slot * slotCopy = m_glyph;
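Review bot: The allocation-failure guard on the line after the new gralloc still keys off `seg->numAttrs()`, while the request size is now `glyphCount * attrSize`; when `numAttrs()` is 0 but `hasCollisionInfo()` is true, a failed gralloc leaves `m_attr` null, the early return is skipped, and the copy loop below derives per-slot attribute pointers from a null base. Suggest `if (!m_glyph || (!m_attr && attrSize)) return;` so the guard matches what was actually requested. A comment on the `attrSize` line, `// per-slot int16 stride: user attrs plus the SlotCollision block when present`, would make the `(sizeof(SlotCollision) + 1) / 2` rounding self-explanatory. Using an unsigned type matching `numAttrs()` for `attrSize` would avoid signed arithmetic in an allocation size, though the types of `numAttrs()` and `glyphCount` are not visible here. The enclosing function starts before the hunk.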
@@ -70,9 +71,9 @@
     uint16 pos = 0;
     while (slot)
     {
-        slotCopy->userAttrs(m_attr + pos * seg->numAttrs());
+        slotCopy->userAttrs(m_attr + pos * attrSize);
         slotCopy->m_justs = m_justs ? reinterpret_cast<SlotJustify *>(m_justs + justs_pos++ * sizeof_sjust) : 0;
-        slotCopy->set(*slot, -static_cast<int32>(charOffset), seg->numAttrs(), seg->silf()->numJustLevels(), length);
+        slotCopy->set(*slot, -static_cast<int32>(charOffset), attrSize, seg->silf()->numJustLevels(), length);
         slotCopy->index(pos);
         if (slot->firstChild())
             slotCopy->m_child = m_glyph + slot->firstChild()->index();
Index: src/TtfUtil.cpp
===================================================================
--- src/TtfUtil.cpp.orig	2015-08-31 06:42:03.000000000 +0200
+++ src/TtfUtil.cpp	2016-03-03 15:34:29.193427244 +0100
@@ -1208,7 +1208,7 @@
     // CheckTable verifies the index_to_loc_format is valid
     if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::ShortIndexLocFormat)
     { // loca entries are two bytes and have been divided by two
-        if (nGlyphId < (lLocaSize >> 1) - 1) // allow sentinel value to be accessed
+        if (lLocaSize > 1 && nGlyphId + 1u < lLocaSize >> 1) // allow sentinel value to be accessed
         {
             const uint16 * pShortTable = reinterpret_cast<const uint16 *>(pLoca);
             res = be::peek<uint16>(pShortTable + nGlyphId) << 1;
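Review bot: The new condition `nGlyphId + 1u < lLocaSize >> 1` depends on `>>` binding tighter than `<`, which is correct but easy to misread; `nGlyphId + 1u < (lLocaSize >> 1)` states the intent and mirrors the parenthesised form the old line used. With the subtraction gone, the `lLocaSize > 1 &&` prefix is redundant, since a size of 0 or 1 gives a right-hand side of 0 and the comparison already fails; keep it only as an explicit guard and say so in a comment, otherwise a reader will assume it prevents something. A short comment that `+ 1u` promotes a 16-bit glyph id to unsigned and therefore cannot wrap, unlike the old `- 1` on a short table, would document why the rewrite is safe. The enclosing function starts and ends outside the hunk.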
@@ -1218,7 +1218,7 @@
     }
     else if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::LongIndexLocFormat)
     { // loca entries are four bytes
-        if (nGlyphId < (lLocaSize >> 2) - 1)
+        if (lLocaSize > 3 && nGlyphId + 1u < lLocaSize >> 2)
         {
             const uint32 * pLongTable = reinterpret_cast<const uint32 *>(pLoca);
             res = be::peek<uint32>(pLongTable + nGlyphId);
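Review bot: The long-format branch lacks the `// allow sentinel value to be accessed` comment that its short-format twin carries, even though the `+ 1u` serves the same purpose here; add the same comment on the new condition so the two branches read consistently. As in the short-format branch, `nGlyphId + 1u < (lLocaSize >> 2)` with explicit parentheses would avoid relying on shift-versus-comparison precedence. The enclosing function starts and ends outside the hunk.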