File harfbuzz-CVE-2024-56732.patch of Package harfbuzz

From 1767f99e2e2196c3fcae27db6d8b60098d3f6d26 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sun, 10 Nov 2024 22:43:28 -0700
Subject: [PATCH] [cairo] Guard hb_cairo_glyphs_from_buffer() against bad UTF-8

Previously it was assuming valid UTF-8.
---
 src/hb-cairo.cc | 2 ++
 src/hb-utf.hh   | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/hb-cairo.cc b/src/hb-cairo.cc
index d8b582c49..4d22ae059 100644
--- a/src/hb-cairo.cc
+++ b/src/hb-cairo.cc
@@ -1000,6 +1000,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
 	    end = start + hb_glyph[i].cluster - hb_glyph[i+1].cluster;
 	  else
 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
+								      (const uint8_t *) utf8, utf8_len,
 								      (signed) (hb_glyph[i].cluster - hb_glyph[i+1].cluster));
 	  (*clusters)[cluster].num_bytes = end - start;
 	  start = end;
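Review bot: `utf8_len` is passed straight into the new `unsigned text_len` parameter here and at the matching `i-1` call in the next hunk, and its declaration is outside both hunks. If it is a signed length that can still be negative at this point, or one that overstates the real buffer, the conversion produces a bound that no longer protects the walk. A short comment above the call would pin the assumption, e.g. `/* utf8_len is a non-negative byte count for utf8 here; start stays inside [utf8, utf8 + utf8_len] */`. The diffstat lists only the two source files, so a regression test that feeds ill-formed and truncated UTF-8 through this non-byte-cluster branch would be worth adding. hb_cairo_glyphs_from_buffer starts and ends outside the hunk.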
@@ -1020,6 +1021,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
 	    end = start + hb_glyph[i].cluster - hb_glyph[i-1].cluster;
 	  else
 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
+								      (const uint8_t *) utf8, utf8_len,
 								      (signed) (hb_glyph[i].cluster - hb_glyph[i-1].cluster));
 	  (*clusters)[cluster].num_bytes = end - start;
 	  start = end;
diff --git a/src/hb-utf.hh b/src/hb-utf.hh
index 1120bd1cc..6db9bf2fd 100644
--- a/src/hb-utf.hh
+++ b/src/hb-utf.hh
@@ -458,19 +458,21 @@ struct hb_ascii_t
 template <typename utf_t>
 static inline const typename utf_t::codepoint_t *
 hb_utf_offset_to_pointer (const typename utf_t::codepoint_t *start,
+			  const typename utf_t::codepoint_t *text,
+			  unsigned text_len,
 			  signed offset)
 {
   hb_codepoint_t unicode;
 
   while (offset-- > 0)
     start = utf_t::next (start,
-			 start + utf_t::max_len,
+			 text + text_len,
 			 &unicode,
 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
 
   while (offset++ < 0)
     start = utf_t::prev (start,
-			 start - utf_t::max_len,
+			 text,
 			 &unicode,
 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
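Review bot: Both loops are still bounded only by `offset`, so `utf_t::next` can be called with `start` already at `text + text_len` and `utf_t::prev` with `start` already at `text`; the new limits help only if those helpers, which are not shown here, tolerate an empty range. The post-decrement in `while (offset-- > 0)` also leaves `offset` at -1 when that loop exits, so as written the `prev` loop runs once even for a zero or positive offset and once more than requested for a negative one, which looks unintended. Rewriting the loop headers as `for (; offset > 0 && start < text + text_len; offset--)` and `for (; offset < 0 && start > text; offset++)` stops at the buffer edges and removes the extra step. The function's closing lines are outside the hunk.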
 
-- 
2.47.1
