erack pushed to icu (master). "Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591"

notifications at fedoraproject.org notifications at fedoraproject.org
Fri Apr 10 18:27:22 UTC 2015


>From e347d1a528dcf1fd9ad14068ad00c6c981770c9b Mon Sep 17 00:00:00 2001
From: Eike Rathke <erack at redhat.com>
Date: Mon, 9 Mar 2015 21:14:55 +0100
Subject: Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591


diff --git a/icu.changeset_37086.patch b/icu.changeset_37086.patch
new file mode 100644
index 0000000..f202bfa
--- /dev/null
+++ b/icu.changeset_37086.patch
@@ -0,0 +1,125 @@
+# https://ssl.icu-project.org/trac/changeset/37086
+
+Index: icu/source/layout/ContextualSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/ContextualSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/ContextualSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -467,4 +467,10 @@
+                     (const ChainSubClassRuleTable *) ((char *) chainSubClassSetTable + chainSubClassRuleTableOffset);
+                 le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount);
++
++                // TODO: Ticket #11557 - enable this check, originally from ticket #11525.
++                //       Depends on other, more extensive, changes.
++                // LEReferenceToArrayOf<le_uint16>   backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount);
++                if( LE_FAILURE(success) ) { return 0; }
++
+                 le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1;
+                 const le_uint16 *inputClassArray = &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1];
+Index: icu/source/layout/CursiveAttachmentSubtables.cpp
+===================================================================
+--- icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37085)
++++ icu/source/layout/CursiveAttachmentSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998 - 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998 - 2015 - All Rights Reserved
+  *
+  */
+@@ -21,5 +21,8 @@
+     le_uint16 eeCount       = SWAPW(entryExitCount);
+ 
+-    if (coverageIndex < 0 || coverageIndex >= eeCount) {
++    LEReferenceToArrayOf<EntryExitRecord>
++        entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex);
++
++    if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) {
+         glyphIterator->setCursiveGlyph();
+         return 0;
+Index: icu/source/layout/Features.cpp
+===================================================================
+--- icu/source/layout/Features.cpp	(revision 37085)
++++ icu/source/layout/Features.cpp	(revision 37086)
+@@ -2,5 +2,5 @@
+  * @(#)Features.cpp 1.4 00/03/15
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -16,4 +16,7 @@
+ LEReferenceTo<FeatureTable> FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const
+ {
++    LEReferenceToArrayOf<FeatureRecord>
++        featureRecordArrayRef(base, success, featureRecordArray, featureIndex);
++
+   if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) {
+     return LEReferenceTo<FeatureTable>();
+Index: icu/source/layout/LETableReference.h
+===================================================================
+--- icu/source/layout/LETableReference.h	(revision 37085)
++++ icu/source/layout/LETableReference.h	(revision 37086)
+@@ -2,5 +2,5 @@
+  * -*- c++ -*-
+  *
+- * (C) Copyright IBM Corp. and others 2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. and others 2015 - All Rights Reserved
+  *
+  * Range checking
+@@ -314,5 +314,10 @@
+ 
+   const T& getObject(le_uint32 i, LEErrorCode &success) const {
+-    return *getAlias(i,success);
++      const T *ret = getAlias(i, success);
++      if (LE_FAILURE(success) || ret==NULL) {
++          return *(new T(0));
++      } else {
++          return *ret;
++     }
+   }
+   
+Index: icu/source/layout/LigatureSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/LigatureSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/LigatureSubstSubtables.cpp	(revision 37086)
+@@ -1,4 +1,4 @@
+ /*
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -28,4 +28,7 @@
+             const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset);
+             le_uint16 compCount = SWAPW(ligTable->compCount) - 1;
++            LEReferenceToArrayOf<TTGlyphID>
++                componentArrayRef(base, success, ligTable->componentArray, compCount);
++            if (LE_FAILURE(success)) { return 0; }
+             le_int32 startPosition = glyphIterator->getCurrStreamPosition();
+             TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph);
+Index: icu/source/layout/MultipleSubstSubtables.cpp
+===================================================================
+--- icu/source/layout/MultipleSubstSubtables.cpp	(revision 37085)
++++ icu/source/layout/MultipleSubstSubtables.cpp	(revision 37086)
+@@ -1,5 +1,5 @@
+ /*
+  *
+- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved
++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved
+  *
+  */
+@@ -36,5 +36,10 @@
+     le_int32 coverageIndex = getGlyphCoverage(base, glyph, success);
+     le_uint16 seqCount = SWAPW(sequenceCount);
++    LEReferenceToArrayOf<Offset>
++        sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount);
+ 
++    if (LE_FAILURE(success)) {
++        return 0;
++    }
+     if (coverageIndex >= 0 && coverageIndex < seqCount) {
+         Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]);
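Review bot: In the LETableReference.h section of the embedded patch, the new failure branch of `getObject` does `return *(new T(0));`, which heap-allocates an object on every failed lookup and hands back only a const reference, so nothing visible here can ever free it. Since these lookups are driven by font table data, a malformed font that fails the bounds check repeatedly would presumably grow memory without limit; a single shared fallback avoids that, e.g. `static const T fallback(0);` followed by `return fallback;`. Separately, in the ContextualSubstSubtables.cpp section the `LEReferenceToArrayOf<le_uint16> backtrackClassArray(...)` check is commented out, so the added `if( LE_FAILURE(success) ) { return 0; }` tests only earlier state and the read of `backtrackClassArray[backtrackGlyphCount]` on the next line stays unchecked until ticket #11557 lands. Both functions continue outside the quoted context, and the patch is a copy of upstream changeset 37086, so either change would be carried as a downstream delta.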
diff --git a/icu.spec b/icu.spec
index 08f6f22..0e8374e 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
 Name:      icu
 Version:   54.1
-Release:   1%{?dist}
+Release:   2%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@@ -15,6 +15,7 @@ Patch2: icu.8800.freeserif.crash.patch
 Patch3: icu.7601.Indic-ccmp.patch
 Patch4: gennorm2-man.patch
 Patch5: icuinfo-man.patch
+Patch6: icu.changeset_37086.patch
 
 %description
 Tools and utilities for developing with icu.
@@ -62,6 +63,7 @@ BuildArch: noarch
 %patch3 -p1 -b .icu7601.Indic-ccmp.patch
 %patch4 -p1 -b .gennorm2-man.patch
 %patch5 -p1 -b .icuinfo-man.patch
+%patch6 -p1 -b .icu.changeset_37086.patch
 
 %build
 cd source
@@ -170,6 +172,9 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{name}/html/*
 
 %changelog
+* Mon Mar 09 2015 Eike Rathke <erack at redhat.com> - 54.1-2
+- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
+
 * Mon Jan 26 2015 Eike Rathke <erack at redhat.com> - 54.1-1
 - Resolves: rhbz#1185433 upgrade to upstream ICU 54.1
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/icu.git/commit/?h=master&id=e347d1a528dcf1fd9ad14068ad00c6c981770c9b

