File graphite2-CVE-2016-152x.patch of Package graphite2.2131
Index: src/Code.cpp
===================================================================
--- src/Code.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/Code.cpp 2016-03-03 15:35:23.281426722 +0100
@@ -120,6 +120,7 @@
analysis _analysis;
enum passtype _passtype;
int _stack_depth;
+ bool _in_ctxt_item;
};
@@ -139,7 +140,8 @@
_pre_context(code._constraint ? 0 : lims.pre_context),
_rule_length(code._constraint ? 1 : lims.rule_length),
_instr(code._code), _data(code._data), _max(lims), _passtype(pt),
- _stack_depth(0)
+ _stack_depth(0),
+ _in_ctxt_item(false)
{ }
@@ -356,8 +358,8 @@
break;
case CNTXT_ITEM :
valid_upto(_max.rule_length, _max.pre_context + int8(bc[0]));
- if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end);
- if (_pre_context != 0) failure(nested_context_item);
+ if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end);
+ if (_in_ctxt_item) failure(nested_context_item);
break;
case ATTR_SET :
case ATTR_ADD :
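Review bot: The `jump_past_end` test on the re-indented `+` line forms the pointer `bc + 2 + bc[1]` before comparing it with `_max.bytecode`, which for a bad operand can point well beyond one-past-the-end of the bytecode buffer; comparing distances instead keeps the arithmetic inside the array: `if (_max.bytecode - bc <= 2 + bc[1]) failure(jump_past_end);`. The read of `bc[1]` also happens ahead of that check, which is only safe if the opcode fetch has already confirmed that both operand bytes of CNTXT_ITEM lie inside `_max.bytecode` — that fetch is not visible here, so a one-line comment stating that precondition would help. Replacing `_pre_context != 0` with `_in_ctxt_item` looks right, since the constructor in the hunk at @@ -139 seeds `_pre_context` from `lims.pre_context` for non-constraint code, so a non-zero value did not by itself mean a context item was open. The `switch` containing this `case` begins before the hunk.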
@@ -574,6 +576,7 @@
if (opc == CNTXT_ITEM)
{
assert(_pre_context == 0);
+ _in_ctxt_item = true;
_pre_context = _max.pre_context + int8(_data[-2]);
_rule_length = _max.rule_length;
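Review bot: The `assert(_pre_context == 0)` just above the new `_in_ctxt_item = true;` is compiled out under NDEBUG, so the only enforcement against a nested context item is the `failure(nested_context_item)` check in the validator hunk at @@ -356; a comment such as `// nesting is rejected by the validator; the assert only documents the invariant` would stop a reader from treating the assert as the guard. The flag is cleared only on the success path in the hunk at @@ -592; on the `return false` branch it stays set, which is harmless if a decoder that has reported failure is never reused, but that assumption should be written down, e.g. `// deliberately left set on failure: the decoder is discarded`. The `if (opc == CNTXT_ITEM)` body continues past this hunk.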
@@ -592,6 +595,7 @@
_rule_length = 1;
_pre_context = 0;
+ _in_ctxt_item = false;
}
else
return false;
Index: src/SegCacheEntry.cpp
===================================================================
--- src/SegCacheEntry.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/SegCacheEntry.cpp 2016-03-03 15:34:29.193427244 +0100
@@ -61,7 +61,8 @@
}
const Slot * slot = seg->first();
m_glyph = new Slot[glyphCount];
- m_attr = gralloc<int16>(glyphCount * seg->numAttrs());
+ int attrSize = seg->numAttrs() + (seg->hasCollisionInfo() ? (sizeof(SlotCollision) + 1) / 2 : 0);
+ m_attr = gralloc<int16>(glyphCount * attrSize);
if (!m_glyph || (!m_attr && seg->numAttrs())) return;
m_glyphLength = glyphCount;
Slot * slotCopy = m_glyph;
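Review bot: The allocation-failure guard on the unchanged line `if (!m_glyph || (!m_attr && seg->numAttrs())) return;` still keys on `seg->numAttrs()`, while the `gralloc` call above it is now sized by `attrSize`; when `numAttrs()` is 0 but `hasCollisionInfo()` is true, a null `m_attr` is not caught and the loop in the hunk at @@ -70 hands `m_attr + pos * attrSize` to every copied slot. The guard should follow the new size: `if (!m_glyph || (!m_attr && attrSize)) return;`. `attrSize` is declared `int` although one of its terms comes from `sizeof`, so the initialiser narrows; if `gralloc` and `numAttrs()` use an unsigned size type, declaring `attrSize` with that type avoids the narrowing and the signed product `glyphCount * attrSize`. The enclosing constructor starts before this hunk.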
@@ -70,9 +71,9 @@
uint16 pos = 0;
while (slot)
{
- slotCopy->userAttrs(m_attr + pos * seg->numAttrs());
+ slotCopy->userAttrs(m_attr + pos * attrSize);
slotCopy->m_justs = m_justs ? reinterpret_cast<SlotJustify *>(m_justs + justs_pos++ * sizeof_sjust) : 0;
- slotCopy->set(*slot, -static_cast<int32>(charOffset), seg->numAttrs(), seg->silf()->numJustLevels(), length);
+ slotCopy->set(*slot, -static_cast<int32>(charOffset), attrSize, seg->silf()->numJustLevels(), length);
slotCopy->index(pos);
if (slot->firstChild())
slotCopy->m_child = m_glyph + slot->firstChild()->index();
Index: src/TtfUtil.cpp
===================================================================
--- src/TtfUtil.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/TtfUtil.cpp 2016-03-03 15:34:29.193427244 +0100
@@ -1208,7 +1208,7 @@
// CheckTable verifies the index_to_loc_format is valid
if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::ShortIndexLocFormat)
{ // loca entries are two bytes and have been divided by two
- if (nGlyphId < (lLocaSize >> 1) - 1) // allow sentinel value to be accessed
+ if (lLocaSize > 1 && nGlyphId + 1u < lLocaSize >> 1) // allow sentinel value to be accessed
{
const uint16 * pShortTable = reinterpret_cast<const uint16 *>(pLoca);
res = be::peek<uint16>(pShortTable + nGlyphId) << 1;
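Review bot: The new bound `nGlyphId + 1u < lLocaSize >> 1` relies on `>>` binding tighter than `<`, which is correct but easy to misread; `if (lLocaSize > 1 && (nGlyphId + 1u) < (lLocaSize >> 1))` makes the intent explicit, and the same applies to the `>> 2` form in the hunk at @@ -1218. If `lLocaSize` is unsigned the leading `lLocaSize > 1` guard is redundant, because `lLocaSize >> 1` is then 0 and no glyph id is below it; if it is signed the guard is what keeps a negative size out of the shift, so a short comment saying which case it serves would help. A comment such as `// compare against the shifted size directly so a loca table shorter than one entry can never pass` would also record why the subtraction of 1 was dropped. This `if` sits inside a function whose body begins before the hunk.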
@@ -1218,7 +1218,7 @@
}
else if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::LongIndexLocFormat)
{ // loca entries are four bytes
- if (nGlyphId < (lLocaSize >> 2) - 1)
+ if (lLocaSize > 3 && nGlyphId + 1u < lLocaSize >> 2)
{
const uint32 * pLongTable = reinterpret_cast<const uint32 *>(pLoca);
res = be::peek<uint32>(pLongTable + nGlyphId);