[pango/f14/master] Fix CVE-2011-0064

Matthias Clasen mclasen at fedoraproject.org
Fri Mar 11 17:58:46 UTC 2011


commit 574b9188a49ae84a23959c3ab34ae3c3a3f2d6fc
Author: Matthias Clasen <mclasen at redhat.com>
Date:   Fri Mar 11 12:57:44 2011 -0500

    Fix CVE-2011-0064

 pango-hb_buffer_enlarge-overflow.patch |   22 ++++
 pango-hb_buffer_ensure-realloc.patch   |  170 ++++++++++++++++++++++++++++++++
 pango.spec                             |   14 +++
 pangoft2-box-alloc.patch               |   44 ++++++++
 4 files changed, 250 insertions(+), 0 deletions(-)
---
diff --git a/pango-hb_buffer_enlarge-overflow.patch b/pango-hb_buffer_enlarge-overflow.patch
new file mode 100644
index 0000000..106e519
--- /dev/null
+++ b/pango-hb_buffer_enlarge-overflow.patch
@@ -0,0 +1,22 @@
+diff -up pango-1.28.1/pango/opentype/hb-buffer.c.hb_buffer-enlarge pango-1.28.1/pango/opentype/hb-buffer.c
+--- pango-1.28.1/pango/opentype/hb-buffer.c.hb_buffer-enlarge	2011-02-28 16:37:18.449223484 -0500
++++ pango-1.28.1/pango/opentype/hb-buffer.c	2011-02-28 16:39:45.298387617 -0500
+@@ -139,8 +139,16 @@ hb_buffer_ensure (hb_buffer_t *buffer, u
+     while (size > new_allocated)
+       new_allocated += (new_allocated >> 1) + 8;
+ 
+-    new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
+-    new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
++    ASSERT_STATIC (sizeof (buffer->in_string[0]) == sizeof (buffer->positions[0]));
++    hb_bool_t overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->in_string[0]);
++
++    if (HB_UNLIKELY (overflows)) {
++      new_pos = NULL;
++      new_info = NULL;
++    } else {
++      new_pos = (hb_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++      new_info = (hb_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
++    }
+ 
+     if (HB_UNLIKELY (!new_pos || !new_info))
+       buffer->in_error = TRUE;
diff --git a/pango-hb_buffer_ensure-realloc.patch b/pango-hb_buffer_ensure-realloc.patch
new file mode 100644
index 0000000..f51cbb0
--- /dev/null
+++ b/pango-hb_buffer_ensure-realloc.patch
@@ -0,0 +1,170 @@
+@@ -, +, @@ 
+ pango/opentype/hb-buffer-private.h |    1 +
+ pango/opentype/hb-buffer.c         |   70 +++++++++++++++++++++---------------
+ pango/opentype/hb-buffer.h         |    2 +-
+ 3 files changed, 43 insertions(+), 30 deletions(-)
+--- a/pango/opentype/hb-buffer-private.h	
++++ a/pango/opentype/hb-buffer-private.h	
+@@ -72,6 +72,7 @@ struct _hb_buffer_t {
+   unsigned int allocated;
+ 
+   hb_bool_t    have_output; /* weather we have an output buffer going on */
++  hb_bool_t    in_error; /* Allocation failed */
+   unsigned int in_length;
+   unsigned int out_length;
+   unsigned int in_pos;
+--- a/pango/opentype/hb-buffer.c	
++++ a/pango/opentype/hb-buffer.c	
+@@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = {
+  * in_string and out_string.
+  */
+ 
+-/* XXX err handling */
+-
+ /* Internal API */
+ 
+-static void
++static hb_bool_t
+ hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
+ {
+-  hb_buffer_ensure (buffer, size);
++  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
+   if (buffer->out_string == buffer->in_string)
+   {
+     assert (buffer->have_output);
+-    if (!buffer->positions)
+-      buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
+ 
+     buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+     memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
+   }
++
++  return TRUE;
+ }
+ 
+ /* Public API */
+@@ -114,6 +112,7 @@ void
+ hb_buffer_clear (hb_buffer_t *buffer)
+ {
+   buffer->have_output = FALSE;
++  buffer->in_error = FALSE;
+   buffer->in_length = 0;
+   buffer->out_length = 0;
+   buffer->in_pos = 0;
+@@ -122,32 +121,42 @@ hb_buffer_clear (hb_buffer_t *buffer)
+   buffer->max_lig_id = 0;
+ }
+ 
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
+ {
+-  unsigned int new_allocated = buffer->allocated;
+-
+-  if (size > new_allocated)
++  if (HB_UNLIKELY (size > buffer->allocated))
+   {
++    unsigned int new_allocated = buffer->allocated;
++    hb_internal_glyph_position_t *new_pos;
++    hb_internal_glyph_info_t *new_info;
++    hb_bool_t separate_out;
++
++    if (HB_UNLIKELY (buffer->in_error))
++      return FALSE;
++
++    separate_out = buffer->out_string != buffer->in_string;
++
+     while (size > new_allocated)
+       new_allocated += (new_allocated >> 1) + 8;
+ 
+-    if (buffer->positions)
+-      buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++    new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
++    new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+ 
+-    if (buffer->out_string != buffer->in_string)
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
+-    }
+-    else
+-    {
+-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
+-      buffer->out_string = buffer->in_string;
+-    }
++    if (HB_UNLIKELY (!new_pos || !new_info))
++      buffer->in_error = TRUE;
++
++    if (HB_LIKELY (new_pos))
++      buffer->positions = new_pos;
+ 
+-    buffer->allocated = new_allocated;
++    if (HB_LIKELY (new_info))
++      buffer->in_string = new_info;
++
++    buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
++    if (HB_LIKELY (!buffer->in_error))
++      buffer->allocated = new_allocated;
+   }
++
++  return HB_LIKELY (!buffer->in_error);
+ }
+ 
+ void
+@@ -158,7 +167,7 @@ hb_buffer_add_glyph (hb_buffer_t    *buffer,
+ {
+   hb_internal_glyph_info_t *glyph;
+ 
+-  hb_buffer_ensure (buffer, buffer->in_length + 1);
++  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
+ 
+   glyph = &buffer->in_string[buffer->in_length];
+   glyph->codepoint = codepoint;
+@@ -213,6 +222,8 @@ _hb_buffer_swap (hb_buffer_t *buffer)
+ 
+   assert (buffer->have_output);
+ 
++  if (HB_UNLIKELY (buffer->in_error)) return;
++
+   if (buffer->out_string != buffer->in_string)
+   {
+     hb_internal_glyph_info_t *tmp_string;
+@@ -265,7 +276,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_t *buffer,
+   if (buffer->out_string != buffer->in_string ||
+       buffer->out_pos + num_out > buffer->in_pos + num_in)
+   {
+-    hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
++    if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
++        return;
+   }
+ 
+   mask = buffer->in_string[buffer->in_pos].mask;
+@@ -302,7 +314,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t *buffer,
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
++    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
+@@ -332,7 +344,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buffer)
+ 
+   if (buffer->out_string != buffer->in_string)
+   {
+-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
++    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
+     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
+   }
+   else if (buffer->out_pos != buffer->in_pos)
+--- a/pango/opentype/hb-buffer.h	
++++ a/pango/opentype/hb-buffer.h	
+@@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer);
+ void
+ hb_buffer_clear_positions (hb_buffer_t *buffer);
+ 
+-void
++hb_bool_t
+ hb_buffer_ensure (hb_buffer_t  *buffer,
+ 		  unsigned int  size);
+ 
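Review bot: Once `in_error` is set, every later `hb_buffer_ensure` call returns FALSE immediately via the new early return, so `_hb_buffer_next_glyph` and `_hb_buffer_add_output_glyph` now bail out before copying the glyph and — if their tails, which lie outside this hunk, are where `in_pos`/`out_pos` are advanced — without moving the cursor. A caller that loops `while (buffer->in_pos < buffer->in_length)` (the shaping loops are not visible here) would then spin forever, turning an allocation failure into a hang instead of a clean bail-out. Suggest either letting the error path still advance the cursors, or making the loops check the flag, e.g. `while (buffer->in_pos < buffer->in_length && !buffer->in_error)`. The removal of the calloc fallback in hb_buffer_ensure_separate also deserves a comment, since the memcpy into `buffer->positions` now relies on it being allocated together with `in_string`: `/* hb_buffer_ensure grows positions and in_string together, so positions is non-NULL whenever allocated > 0 */` — assuming hb_buffer_new (not visible) never allocates one without the other.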
diff --git a/pango.spec b/pango.spec
index 5a9a0a4..781ff59 100644
--- a/pango.spec
+++ b/pango.spec
@@ -39,6 +39,13 @@ BuildRequires: gnome-common intltool gtk-doc
 # Look for pango.modules in an arch-specific directory
 Patch0: pango-1.21.4-lib64.patch
 
+# https://bugzilla.gnome.org/show_bug.cgi?id=639882
+Patch1: pangoft2-box-alloc.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=681378
+Patch2: pango-hb_buffer_ensure-realloc.patch
+Patch3: pango-hb_buffer_enlarge-overflow.patch
+
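Review bot: Nothing in the spec records that Patch2 and Patch3 together are the CVE-2011-0064 fix, nor that Patch3 only applies on top of Patch2 (its context lines are the two realloc statements Patch2 introduces), so a later rebase could reorder or drop one without noticing. Add that to the comment block above them, e.g. `# CVE-2011-0064 (Patch3 depends on Patch2's context; keep this order)`.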
 %description
 Pango is a library for laying out and rendering of text, with an emphasis
 on internationalization. Pango can be used anywhere that text layout is needed,
@@ -73,6 +80,9 @@ for the pango package.
 %setup -q -n pango-%{version}
 
 %patch0 -p1 -b .lib64
+%patch1 -p1 -b .box-alloc
+%patch2 -p1 -b .hb_buffer-realloc
+%patch3 -p1 -b .hb_buffer-enlarge
 
 %build
 
@@ -238,6 +248,10 @@ fi
 
 
 %changelog
+* Fri Mar 11 2011 Matthias Clasen <mclasen at redhat.com> - 1.28.3-2
+- Fix CVS-2011-0064
+- Include an upstream heap corruption fix for pangoft2
+
 * Wed Sep 29 2010 Matthias Clasen <mclasen at redhat.com> - 1.28.3-1
 - Update to 1.28.3
 
diff --git a/pangoft2-box-alloc.patch b/pangoft2-box-alloc.patch
new file mode 100644
index 0000000..0ab61d7
--- /dev/null
+++ b/pangoft2-box-alloc.patch
@@ -0,0 +1,44 @@
+diff -up pango-1.28.1/pango/pangoft2-render.c.box-alloc pango-1.28.1/pango/pangoft2-render.c
+--- pango-1.28.1/pango/pangoft2-render.c.box-alloc	2010-05-04 11:50:40.000000000 -0400
++++ pango-1.28.1/pango/pangoft2-render.c	2011-01-26 13:58:30.981494512 -0500
+@@ -121,9 +121,17 @@ pango_ft2_font_render_box_glyph (int    
+ 
+   box->bitmap.width = width;
+   box->bitmap.rows = height;
+-  box->bitmap.pitch = height;
++  box->bitmap.pitch = width;
+ 
+-  box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
++  if (box->bitmap.pitch > 0)
++    box->bitmap.buffer = g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
++  else
++    box->bitmap.buffer = NULL;
++
++  if (G_UNLIKELY (!box->bitmap.buffer)) {
++    g_slice_free (PangoFT2RenderedGlyph, box);
++    return NULL;
++  }
+ 
+   /* draw the box */
+   for (j = 0; j < line_width; j++)
+@@ -226,6 +234,11 @@ pango_ft2_font_render_glyph (PangoFont *
+       rendered->bitmap_left = face->glyph->bitmap_left;
+       rendered->bitmap_top = face->glyph->bitmap_top;
+ 
++      if (G_UNLIKELY (!rendered->bitmap.buffer)) {
++        g_slice_free (PangoFT2RenderedGlyph, rendered);
++	return NULL;
++      }
++
+       return rendered;
+     }
+   else
+@@ -276,6 +289,8 @@ pango_ft2_renderer_draw_glyph (PangoRend
+   if (rendered_glyph == NULL)
+     {
+       rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
++      if (rendered_glyph == NULL)
++        return;
+       add_glyph_to_cache = TRUE;
+     }
+ 
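Review bot: The NULL check after `g_malloc0_n` cannot catch an allocation failure: the g_malloc family aborts through g_error on out-of-memory and on `n * size` overflow and returns NULL only for a zero-byte request, so this failure path fires only when `rows` is 0 (or via the explicit `pitch <= 0` branch). If the intent is to survive a crafted font that yields an oversized or non-positive box rather than abort the process, guard both dimensions and use the try variant: `if (box->bitmap.pitch > 0 && box->bitmap.rows > 0)` and `box->bitmap.buffer = g_try_malloc0_n (box->bitmap.rows, box->bitmap.pitch);`. Whether `height` can be negative here depends on the computation above this hunk, which is not visible, and pango_ft2_font_render_box_glyph starts outside the hunk. The same caveat applies to the NULL check added in pango_ft2_font_render_glyph, whose bitmap buffer originates outside the hunk.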

