File harfbuzz-limit-buffer-max-size-growth.patch of Package harfbuzz
From 4301703bddb63a01651a0d58474bb15ac0ebbcf6 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 5 Nov 2015 23:44:59 -0800
Subject: [PATCH] Limit buffer max size growth
https://github.com/behdad/harfbuzz/issues/161
Backported by Mike Gorse <mgorse@suse.com>
---
diff -ur harfbuzz-1.0.3.orig/src/hb-buffer.cc harfbuzz-1.0.3/src/hb-buffer.cc
--- harfbuzz-1.0.3.orig/src/hb-buffer.cc 2015-09-01 10:59:29.785158338 -0500
+++ harfbuzz-1.0.3/src/hb-buffer.cc 2016-08-08 20:13:10.770617254 -0500
@@ -92,6 +92,12 @@
if (unlikely (in_error))
return false;
+ if (unlikely (size > max_len))
+ {
+ in_error = true;
+ return false;
+ }
+
unsigned int new_allocated = allocated;
hb_glyph_position_t *new_pos = NULL;
hb_glyph_info_t *new_info = NULL;
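Review bot: The new `size > max_len` guard carries no comment saying why a buffer refuses to grow, and this is the only place the cap is enforced, so a reader of enlarge() has to go find the shaper hunk to understand it; suggest `/* Refuse to grow past max_len: the shaper caps it at HB_BUFFER_MAX_EXPANSION_FACTOR x input length so pathological fonts cannot make the buffer grow without bound. */` above the check. Setting in_error before returning is the right choice, since it poisons the buffer for the rest of the shaping pass instead of letting a partially applied lookup continue on a short buffer. The guard relies on every construction path initialising max_len; hb_buffer_create and the nil buffer are covered by this patch, but any other constructor is outside what I can see. enlarge() begins before this hunk.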
@@ -714,6 +720,8 @@
if (!(buffer = hb_object_create<hb_buffer_t> ()))
return hb_buffer_get_empty ();
+ buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
+
buffer->reset ();
return buffer;
@@ -739,6 +747,8 @@
HB_BUFFER_CLUSTER_LEVEL_DEFAULT,
HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT,
+ HB_BUFFER_MAX_LEN_DEFAULT,
+
HB_BUFFER_CONTENT_TYPE_INVALID,
HB_SEGMENT_PROPERTIES_DEFAULT,
true, /* in_error */
diff -ur harfbuzz-1.0.3.orig/src/hb-buffer-private.hh harfbuzz-1.0.3/src/hb-buffer-private.hh
--- harfbuzz-1.0.3.orig/src/hb-buffer-private.hh 2015-09-01 10:59:29.785158338 -0500
+++ harfbuzz-1.0.3/src/hb-buffer-private.hh 2016-08-08 20:13:10.770617254 -0500
@@ -34,6 +34,15 @@
#include "hb-object-private.hh"
#include "hb-unicode-private.hh"
+#ifndef HB_BUFFER_MAX_EXPANSION_FACTOR
+#define HB_BUFFER_MAX_EXPANSION_FACTOR 32
+#endif
+#ifndef HB_BUFFER_MAX_LEN_MIN
+#define HB_BUFFER_MAX_LEN_MIN 8192
+#endif
+#ifndef HB_BUFFER_MAX_LEN_DEFAULT_
+#define HB_BUFFER_MAX_LEN_DEFAULT 0x3FFFFFFF /* Shaping more than a billion chars? Let us know! */
+#endif
ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20);
ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t));
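Review bot: The third guard tests `HB_BUFFER_MAX_LEN_DEFAULT_` (trailing underscore) while the `#define` it wraps is `HB_BUFFER_MAX_LEN_DEFAULT`, so the `#ifndef` never protects the macro it is meant to and a build that passes `-DHB_BUFFER_MAX_LEN_DEFAULT=...` to lower the ceiling gets a redefinition instead of an override, unlike the two sibling macros above it. Change the guard to `#ifndef HB_BUFFER_MAX_LEN_DEFAULT`. Since the value is stored in `unsigned int max_len` in the struct below, an override that does not fit in unsigned int would be silently truncated; a short `/* must fit in unsigned int */` next to the define would save the next person that surprise.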
@@ -53,6 +62,8 @@
hb_buffer_cluster_level_t cluster_level;
hb_codepoint_t replacement; /* U+FFFD or something else. */
+ unsigned int max_len; /* Maximum allowed len. */
+
/* Buffer contents */
hb_buffer_content_type_t content_type;
hb_segment_properties_t props; /* Script, language, direction */
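Review bot: The new field comment `/* Maximum allowed len. */` says neither who sets the value nor what happens at the limit; suggest `/* Maximum allowed len; enlarge() fails past it. HB_BUFFER_MAX_LEN_DEFAULT normally, tightened by the shaper to a multiple of the input length. */`. The field is inserted positionally after `replacement`, which matches where the patch adds HB_BUFFER_MAX_LEN_DEFAULT in the positional initializer of the nil buffer in hb-buffer.cc; anyone reordering these fields later must keep the two in step, which the comment could also say.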
diff -ur harfbuzz-1.0.3.orig/src/hb-ot-shape.cc harfbuzz-1.0.3/src/hb-ot-shape.cc
--- harfbuzz-1.0.3.orig/src/hb-ot-shape.cc 2015-09-01 10:59:29.789158287 -0500
+++ harfbuzz-1.0.3/src/hb-ot-shape.cc 2016-08-08 20:13:33.462617668 -0500
@@ -779,6 +779,12 @@
{
c->buffer->deallocate_var_all ();
+ if (likely (!_hb_unsigned_int_mul_overflows (c->buffer->len, HB_BUFFER_MAX_EXPANSION_FACTOR)))
+ {
+ c->buffer->max_len = MAX (c->buffer->len * HB_BUFFER_MAX_EXPANSION_FACTOR,
+ (unsigned) HB_BUFFER_MAX_LEN_MIN);
+ }
+
/* Save the original direction, we use it later. */
c->target_direction = c->buffer->props.direction;
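Review bot: When the multiplication overflows, max_len is left at whatever it held on entry rather than being set explicitly; that is the default only because the exit hunk later in this function restores HB_BUFFER_MAX_LEN_DEFAULT, so an early return between the two hunks (the body runs outside what is shown) would leave a tightened cap on the buffer for the caller's next use. An explicit `else c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;` would make the branch self-contained and not depend on the exit path. The block also deserves a why-comment, e.g. `/* Bound buffer growth to HB_BUFFER_MAX_EXPANSION_FACTOR x the input length (at least HB_BUFFER_MAX_LEN_MIN) so a malicious font cannot drive allocation without limit; see issue 161. */`. The enclosing function starts before this hunk.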
@@ -801,6 +807,7 @@
c->buffer->props.direction = c->target_direction;
+ c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
c->buffer->deallocate_var_all ();
}