[icu/f21] Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591

Eike Rathke erack at fedoraproject.org
Mon Mar 9 20:57:32 UTC 2015 

commit 3b04a62a5959a17f67a9686c9c36cf2bbc7c96b2
Author: Eike Rathke <erack at redhat.com>
Date:   Mon Mar 9 21:44:51 2015 +0100

    Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591

 icu.changeset_37086.patch | 125 ++++++++++++++++++++++++++++++++++++++++++++++
 icu.spec                  |   7 ++-
 2 files changed, 131 insertions(+), 1 deletion(-)
---
diff --git a/icu.changeset_37086.patch b/icu.changeset_37086.patch
new file mode 100644
index 0000000..f202bfa
--- /dev/null
+++ b/icu.changeset_37086.patch
@@ -0,0 +1,125 @@
+# https://ssl.icu-project.org/trac/changeset/37086
+
+Index: icu/source/layout/ContextualSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/ContextualSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/ContextualSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -467,4 +467,10 @@
+                     (const ChainSubClassRuleTable *) ((char *) chainSubClassSetTable + chainSubClassRuleTableOffset);
+                 le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount);
++
++                // TODO: Ticket #11557 - enable this check, originally from ticket #11525.
++                //       Depends on other, more extensive, changes.
++                // LEReferenceToArrayOf<le_uint16>   backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
++                if( LE_FAILURE(success) ) { return 0; }
++
+                 le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1;
+                 const le_uint16 *inputClassArray = &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1];
+Index: icu/source/layout/CursiveAttachmentSubtables.cpp
+===================================================================
+--- icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37085)
++++ icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998 - 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998 - 2015 - All Rights Reserved
+  *
+  */
+@@ -21,5 +21,8 @@
+     le_uint16 eeCount       = SWAPW(entryExitCount);
+ 
+-    if (coverageIndex < 0 || coverageIndex >= eeCount) {
++    LEReferenceToArrayOf<EntryExitRecord>
++        entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
++
++    if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) {
+         glyphIterator->setCursiveGlyph();
+         return 0;
+Index: icu/source/layout/Features.cpp
+===================================================================
+--- icu/source/layout/Features.cpp	(revision 37085)
++++ icu/source/layout/Features.cpp	(revision 37086)
+@@ -2,5 +2,5 @@
+  * @(#)Features.cpp 1.4 00/03/15
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -16,4 +16,7 @@
+ LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
+ {
++    LEReferenceToArrayOf<FeatureRecord>
++        featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
++
+   if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
+     return LEReferenceTo<FeatureTable>();
+Index: icu/source/layout/LETableReference.h
+===================================================================
+--- icu/source/layout/LETableReference.h	(revision 37085)
++++ icu/source/layout/LETableReference.h	(revision 37086)
+@@ -2,5 +2,5 @@
+  * -*- c++ -*-
+  *
+- * (C) Copyright IBM Corp. and others 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. and others 2015 - All Rights Reserved
+  *
+  * Range checking
+@@ -314,5 +314,10 @@
+ 
+   const T& getObject(le_uint32 i, LEErrorCode &success) const {
+-    return *getAlias(i,success);
++      const T *ret = getAlias(i, success);
++      if (LE_FAILURE(success) || ret==NULL) {
++          return *(new T(0));
++      } else {
++          return *ret;
++     }
+   }
+   
+Index: icu/source/layout/LigatureSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/LigatureSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/LigatureSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -28,4 +28,7 @@
+             const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset);
+             le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
++            LEReferenceToArrayOf<TTGlyphID>
++                componentArrayRef(base, success, ligTable->componentArray, compCount);
++            if (LE_FAILURE(success)) { return 0; }
+             le_int32 startPosition = glyphIterator->getCurrStreamPosition();
+             TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
+Index: icu/source/layout/MultipleSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/MultipleSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/MultipleSubstSubtables.cpp	(revision 37086)
+@@ -1,5 +1,5 @@
+ /*
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -36,5 +36,10 @@
+     le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
+     le_uint16 seqCount = SWAPW(sequenceCount);
++    LEReferenceToArrayOf<Offset>
++        sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
+ 
++    if (LE_FAILURE(success)) {
++        return 0;
++    }
+     if (coverageIndex >= 0 && coverageIndex < seqCount) {
+         Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]);
diff --git a/icu.spec b/icu.spec
index e0ce99a..d48452f 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
 Name:      icu
 Version:   52.1
-Release:   4%{?dist}
+Release:   5%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@@ -17,6 +17,7 @@ Patch4: icu.9948.mlym-crash.patch
 Patch5: gennorm2-man.patch
 Patch6: icuinfo-man.patch
 Patch7: icu-testtwodigityear.patch
+Patch8: icu.changeset_37086.patch
 
 %description
 Tools and utilities for developing with icu.
@@ -66,6 +67,7 @@ BuildArch: noarch
 %patch5 -p1 -b .gennorm2-man.patch
 %patch6 -p1 -b .icuinfo-man.patch
 %patch7 -p1 -b .icu-testtwodigityear.patch
+%patch8 -p1 -b .icu.changeset_37086.patch
 
 %build
 cd source
@@ -174,6 +176,9 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*
 
 %changelog
+* Mon Mar 09 2015 Eike Rathke <erack at redhat.com> - 52.1-5
+- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
+
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 52.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

More information about the scm-commits mailing list