[AUTO-CHERRYPICK] Fix CVE-2024-56732 for harfbuzz - branch 3.0-dev (#11866)

CBL-Mariner-Bot · realsdx · web-flow · commit 41821e42cf05 · 2025-01-13T15:02:34.000-05:00
Co-authored-by: Sudipta Pandit &lt;sudpandit@microsoft.com&gt;
diff --git a/SPECS/harfbuzz/CVE-2024-56732.patch b/SPECS/harfbuzz/CVE-2024-56732.patch
@@ -0,0 +1,59 @@
+From 1767f99e2e2196c3fcae27db6d8b60098d3f6d26 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Sun, 10 Nov 2024 22:43:28 -0700
+Subject: [PATCH] [cairo] Guard hb_cairo_glyphs_from_buffer() against bad UTF-8
+
+Previously it was assuming valid UTF-8.
+---
+ src/hb-cairo.cc | 2 ++
+ src/hb-utf.hh   | 6 ++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/hb-cairo.cc b/src/hb-cairo.cc
+index d8b582c4908..4d22ae059ff 100644
+--- a/src/hb-cairo.cc
++++ b/src/hb-cairo.cc
+@@ -1000,6 +1000,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ 	    end = start + hb_glyph[i].cluster - hb_glyph[i+1].cluster;
+ 	  else
+ 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
++								      (const uint8_t *) utf8, utf8_len,
+ 								      (signed) (hb_glyph[i].cluster - hb_glyph[i+1].cluster));
+ 	  (*clusters)[cluster].num_bytes = end - start;
+ 	  start = end;
+@@ -1020,6 +1021,7 @@ hb_cairo_glyphs_from_buffer (hb_buffer_t *buffer,
+ 	    end = start + hb_glyph[i].cluster - hb_glyph[i-1].cluster;
+ 	  else
+ 	    end = (const char *) hb_utf_offset_to_pointer<hb_utf8_t> ((const uint8_t *) start,
++								      (const uint8_t *) utf8, utf8_len,
+ 								      (signed) (hb_glyph[i].cluster - hb_glyph[i-1].cluster));
+ 	  (*clusters)[cluster].num_bytes = end - start;
+ 	  start = end;
+diff --git a/src/hb-utf.hh b/src/hb-utf.hh
+index 1120bd1cccf..6db9bf2fd79 100644
+--- a/src/hb-utf.hh
++++ b/src/hb-utf.hh
+@@ -458,19 +458,21 @@ struct hb_ascii_t
+ template <typename utf_t>
+ static inline const typename utf_t::codepoint_t *
+ hb_utf_offset_to_pointer (const typename utf_t::codepoint_t *start,
++			  const typename utf_t::codepoint_t *text,
++			  unsigned text_len,
+ 			  signed offset)
+ {
+   hb_codepoint_t unicode;
+ 
+   while (offset-- > 0)
+     start = utf_t::next (start,
+-			 start + utf_t::max_len,
++			 text + text_len,
+ 			 &unicode,
+ 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
+ 
+   while (offset++ < 0)
+     start = utf_t::prev (start,
+-			 start - utf_t::max_len,
++			 text,
+ 			 &unicode,
+ 			 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT);
+ 
diff --git a/SPECS/harfbuzz/harfbuzz.spec b/SPECS/harfbuzz/harfbuzz.spec
@@ -1,13 +1,14 @@
 Summary:        opentype text shaping engine
 Name:           harfbuzz
 Version:        8.3.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Libraries
 URL:            https://harfbuzz.github.io/
 Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
+Patch0:         CVE-2024-56732.patch
 BuildRequires:  pkgconfig(cairo)
 BuildRequires:  pkgconfig(freetype2)
 BuildRequires:  pkgconfig(glib-2.0)
@@ -90,6 +91,9 @@ find . -type f -name "*.py" -exec sed -i'' -e '1 s|^#!\s*/usr/bin/env\s\+python3
 %{_libdir}/libharfbuzz-icu.so.*
 
 %changelog
+* Wed Jan 08 2025 Sudipta Pandit <sudpandit@microsoft.com> - 8.3.0-3
+- Patch for CVE-2024-56732
+
 * Wed Jul 31 2024 Andrew Phelps <anphel@microsoft.com> - 8.3.0-2
 - Update file listings to remove duplicate files
 
