head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2011Q1:1.1.0.4 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2011.04.11.15.35.53; author drochner; state dead; branches; next 1.1; 1.1 date 2011.03.05.13.37.19; author tron; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.03.05.13.37.19; author spz; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.03.05.19.44.54; author spz; state Exp; branches; next ; desc @@ 1.2 log @update to 1.28.4 changes: bugfixes @ text @$NetBSD: patch-CVE-2011-0064-2,v 1.1 2011/03/05 13:37:19 tron Exp $ Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE. --- pango/opentype/hb-buffer.c.orig 2010-02-09 12:06:28.000000000 +0000 +++ pango/opentype/hb-buffer.c 2011-03-05 13:30:22.000000000 +0000 @@@@ -52,23 +52,21 @@@@ * in_string and out_string. 
*/ -/* XXX err handling */ - /* Internal API */ -static void +static hb_bool_t hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size) { - hb_buffer_ensure (buffer, size); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE; if (buffer->out_string == buffer->in_string) { assert (buffer->have_output); - if (!buffer->positions) - buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0])); buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions; memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0])); } + + return TRUE; } /* Public API */ @@@@ -114,6 +112,7 @@@@ hb_buffer_clear (hb_buffer_t *buffer) { buffer->have_output = FALSE; + buffer->in_error = FALSE; buffer->in_length = 0; buffer->out_length = 0; buffer->in_pos = 0; @@@@ -122,32 +121,42 @@@@ buffer->max_lig_id = 0; } -void +hb_bool_t hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size) { - unsigned int new_allocated = buffer->allocated; - - if (size > new_allocated) + if (HB_UNLIKELY (size > buffer->allocated)) { + unsigned int new_allocated = buffer->allocated; + hb_internal_glyph_position_t *new_pos; + hb_internal_glyph_info_t *new_info; + hb_bool_t separate_out; + + if (HB_UNLIKELY (buffer->in_error)) + return FALSE; + + separate_out = buffer->out_string != buffer->in_string; + while (size > new_allocated) new_allocated += (new_allocated >> 1) + 8; - if (buffer->positions) - buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - if (buffer->out_string != buffer->in_string) - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = (hb_internal_glyph_info_t *) 
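Review bot: With the lazy `calloc` of `buffer->positions` removed, `hb_buffer_ensure_separate` now relies on `hb_buffer_ensure` having grown `positions` to `allocated` elements, and the `memcpy` into that array reinterpreted as `hb_internal_glyph_info_t` stays in bounds only if `sizeof (hb_internal_glyph_position_t) >= sizeof (hb_internal_glyph_info_t)`; nothing in the hunk pins that relationship. Both struct types are declared outside this patch, so a guard next to the cast, in the same style as the existing `assert (buffer->have_output)`, would document the assumption and fail loudly if the structs ever diverge: `assert (sizeof (buffer->positions[0]) >= sizeof (buffer->out_string[0]));`. A one-line comment above the cast, such as `/* positions doubles as the separate output array; it must be at least as wide per element as in_string */`, would spare the next reader the same derivation.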
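Review bot: `buffer->in_error` is reset in `hb_buffer_clear`, but the field is not declared in this hunk and the hunk gives no evidence that the path which allocates a new buffer clears it; this patch depends on a sibling (the log lists patch-CVE-2011-0064-1 and -3) for the struct change, and presumably on `hb_buffer_new` either calling `hb_buffer_clear` or zeroing the struct. If neither holds, a fresh buffer could start with `in_error` set and every later `hb_buffer_ensure` would refuse to grow it, which would surface as shaping silently producing nothing. Worth a comment on the new line such as `/* in_error is sticky: once an allocation fails, all growth is refused until the next clear */` so the reset semantics are explicit where they are established.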
buffer->positions; - } - else - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = buffer->in_string; - } + if (HB_UNLIKELY (!new_pos || !new_info)) + buffer->in_error = TRUE; + + if (HB_LIKELY (new_pos)) + buffer->positions = new_pos; - buffer->allocated = new_allocated; + if (HB_LIKELY (new_info)) + buffer->in_string = new_info; + + buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string; + if (HB_LIKELY (!buffer->in_error)) + buffer->allocated = new_allocated; } + + return HB_LIKELY (!buffer->in_error); } void @@@@ -158,7 +167,7 @@@@ { hb_internal_glyph_info_t *glyph; - hb_buffer_ensure (buffer, buffer->in_length + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return; glyph = &buffer->in_string[buffer->in_length]; glyph->codepoint = codepoint; @@@@ -213,6 +222,8 @@@@ assert (buffer->have_output); + if (HB_UNLIKELY (buffer->in_error)) return; + if (buffer->out_string != buffer->in_string) { hb_internal_glyph_info_t *tmp_string; @@@@ -265,7 +276,8 @@@@ if (buffer->out_string != buffer->in_string || buffer->out_pos + num_out > buffer->in_pos + num_in) { - hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out); + if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out))) + return; } mask = buffer->in_string[buffer->in_pos].mask; @@@@ -302,7 +314,7 @@@@ if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) @@@@ -332,7 +344,7 @@@@ if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = 
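Review bot: The growth loop and the two `realloc` sizes in the new `hb_buffer_ensure` have no overflow guard: `new_allocated += (new_allocated >> 1) + 8` can wrap for a `size` close to `UINT_MAX`, in which case the `while` never terminates, and the products `new_allocated * sizeof (buffer->positions[0])` / `sizeof (buffer->in_string[0])` are computed in `size_t`, so on 32-bit targets they can wrap first, allocating a block far smaller than the `allocated` count that is then stored and trusted by every subsequent write. Reaching such counts would take hundreds of millions of glyphs, so this is defensive rather than a practical exploit path, but since the purpose of the patch is to make allocation failure safe the size arithmetic deserves the same treatment as the `realloc` result. Reporting overflow through `in_error` keeps the caller contract unchanged; `UINT_MAX` needs `<limits.h>` if the file does not already include it.
```c
      separate_out = buffer->out_string != buffer->in_string;

      while (size > new_allocated)
      {
        unsigned int grown = new_allocated + (new_allocated >> 1) + 8;
        if (HB_UNLIKELY (grown < new_allocated))
        {
          buffer->in_error = TRUE;   /* element count wrapped around */
          return FALSE;
        }
        new_allocated = grown;
      }

      /* Refuse counts whose byte size would not fit the realloc argument. */
      if (HB_UNLIKELY (new_allocated > UINT_MAX / sizeof (buffer->positions[0]) ||
                       new_allocated > UINT_MAX / sizeof (buffer->in_string[0])))
      {
        buffer->in_error = TRUE;
        return FALSE;
      }

      /* … unchanged: realloc of positions and in_string, pointer and allocated updates … */
```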
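Review bot: `hb_buffer_add_glyph` now silently drops the glyph when `hb_buffer_ensure` fails, and as a public `void` API it gives the caller nothing to detect that with; the hunk shows no accessor for `in_error`, so unless one exists elsewhere a caller cannot distinguish a truncated buffer from a complete one. If the signature must stay, the behaviour should at least be stated on the function, e.g. `/* On allocation failure the glyph is dropped and the buffer is marked in_error; later adds are no-ops until hb_buffer_clear. */`, and an `hb_buffer_in_error`-style getter would let pango abort the shaping run instead of rendering a partial string. The function's signature and opening brace are above the hunk.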
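Review bot: The early `return` after a failed `hb_buffer_ensure_separate` leaves this function without consuming any input; the `in_pos += num_in` that a function of this shape normally ends with is outside the hunk, so if the lookup driver loops on `in_pos < in_length` without also testing `buffer->in_error`, one allocation failure becomes a spin instead of a clean abort. Whether the driver checks the flag is not visible in this patch (it may be handled in patch-CVE-2011-0064-3), so either confirm that or make the bail-out self-sufficient by advancing `in_pos` by `num_in` before returning. A comment on the return such as `/* buffer is now in_error; the caller must stop iterating */` would record which contract applies. The enclosing function starts and ends outside the hunk.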
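Review bot: The in-place branch `else if (buffer->out_pos != buffer->in_pos)` is left without an `hb_buffer_ensure` or `in_error` check, which is correct only because in-place output writes at an index that is presumably below `in_pos` and hence within the existing allocation, but that invariant is not written down and a reader of the patch will wonder why one branch is guarded and the other is not. Suggest a comment on the `else if`: `/* in-place: out_pos < in_pos < in_length <= allocated, so no growth is needed */`, adjusted if the actual ordering differs. The early `return` also skips whatever position bookkeeping follows the hunk, so the same caller-must-check-`in_error` caveat as for the output-glyph path applies here; the function's signature and tail are outside the hunk.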
buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) @ 1.1 log @Add openSUSE's fix for the DoS vulnerability remoted in CVE-2011-0064. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2011-0064-2 was added on branch pkgsrc-2010Q4 on 2011-03-05 19:44:54 +0000 @ text @d1 148 @ 1.1.2.2 log @Pullup ticket #3378 - requested by tron devel/pango: security fix Revisions pulled up: - devel/pango/Makefile 1.152 - devel/pango/distinfo 1.88 Files added: devel/pango/patches/patch-CVE-2011-0064-1 devel/pango/patches/patch-CVE-2011-0064-2 devel/pango/patches/patch-CVE-2011-0064-3 --------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Sat Mar 5 13:37:20 UTC 2011 Modified Files: pkgsrc/devel/pango: Makefile distinfo Added Files: pkgsrc/devel/pango/patches: patch-CVE-2011-0064-1 patch-CVE-2011-0064-2 patch-CVE-2011-0064-3 Log Message: Add openSUSE's fix for the DoS vulnerability remoted in CVE-2011-0064. @ text @a0 148 $NetBSD$ Fix for the DoS vulnerability reported in CVE-2011-0064 taken from openSUSE. --- pango/opentype/hb-buffer.c.orig 2010-02-09 12:06:28.000000000 +0000 +++ pango/opentype/hb-buffer.c 2011-03-05 13:30:22.000000000 +0000 @@@@ -52,23 +52,21 @@@@ * in_string and out_string. 
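Review bot: This hunk repeats, line for line, the grow-and-copy block of the previous hunk, so the allocation-failure fix had to be applied twice and any future change to the bail-out contract must be made in two places; as far as the visible lines go the two functions differ only in what follows the copy. A single `static` helper that returns the ensure result would let both call sites read `if (HB_UNLIKELY (!hb_buffer_copy_current_glyph (buffer))) return;` and keep the `in_error` behaviour in one spot. The tails of both functions, where the helper's return value would be consumed, are outside the hunks.
```c
/* Copy the glyph at in_pos to out_pos, growing the output first when it is a
 * separate array.  Returns FALSE (with the buffer marked in_error) if that
 * growth fails; in-place output needs no growth. */
static hb_bool_t
hb_buffer_copy_current_glyph (hb_buffer_t *buffer)
{
  if (buffer->out_string != buffer->in_string)
  {
    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1)))
      return FALSE;
    buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
  }
  else if (buffer->out_pos != buffer->in_pos)
    buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];

  return TRUE;
}
```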
*/ -/* XXX err handling */ - /* Internal API */ -static void +static hb_bool_t hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size) { - hb_buffer_ensure (buffer, size); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE; if (buffer->out_string == buffer->in_string) { assert (buffer->have_output); - if (!buffer->positions) - buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0])); buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions; memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0])); } + + return TRUE; } /* Public API */ @@@@ -114,6 +112,7 @@@@ hb_buffer_clear (hb_buffer_t *buffer) { buffer->have_output = FALSE; + buffer->in_error = FALSE; buffer->in_length = 0; buffer->out_length = 0; buffer->in_pos = 0; @@@@ -122,32 +121,42 @@@@ buffer->max_lig_id = 0; } -void +hb_bool_t hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size) { - unsigned int new_allocated = buffer->allocated; - - if (size > new_allocated) + if (HB_UNLIKELY (size > buffer->allocated)) { + unsigned int new_allocated = buffer->allocated; + hb_internal_glyph_position_t *new_pos; + hb_internal_glyph_info_t *new_info; + hb_bool_t separate_out; + + if (HB_UNLIKELY (buffer->in_error)) + return FALSE; + + separate_out = buffer->out_string != buffer->in_string; + while (size > new_allocated) new_allocated += (new_allocated >> 1) + 8; - if (buffer->positions) - buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - if (buffer->out_string != buffer->in_string) - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = (hb_internal_glyph_info_t *) 
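Review bot: This branch copy carries the same change as the trunk revision, so the same caveat applies: after dropping the lazy `calloc`, the `memcpy` into `buffer->positions` reinterpreted as `hb_internal_glyph_info_t` is in bounds only if `sizeof (hb_internal_glyph_position_t) >= sizeof (hb_internal_glyph_info_t)`, and nothing in the hunk checks it. A guard in the existing `assert` style next to the cast, `assert (sizeof (buffer->positions[0]) >= sizeof (buffer->out_string[0]));`, would make the assumption explicit.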
buffer->positions; - } - else - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = buffer->in_string; - } + if (HB_UNLIKELY (!new_pos || !new_info)) + buffer->in_error = TRUE; + + if (HB_LIKELY (new_pos)) + buffer->positions = new_pos; - buffer->allocated = new_allocated; + if (HB_LIKELY (new_info)) + buffer->in_string = new_info; + + buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string; + if (HB_LIKELY (!buffer->in_error)) + buffer->allocated = new_allocated; } + + return HB_LIKELY (!buffer->in_error); } void @@@@ -158,7 +167,7 @@@@ { hb_internal_glyph_info_t *glyph; - hb_buffer_ensure (buffer, buffer->in_length + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return; glyph = &buffer->in_string[buffer->in_length]; glyph->codepoint = codepoint; @@@@ -213,6 +222,8 @@@@ assert (buffer->have_output); + if (HB_UNLIKELY (buffer->in_error)) return; + if (buffer->out_string != buffer->in_string) { hb_internal_glyph_info_t *tmp_string; @@@@ -265,7 +276,8 @@@@ if (buffer->out_string != buffer->in_string || buffer->out_pos + num_out > buffer->in_pos + num_in) { - hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out); + if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out))) + return; } mask = buffer->in_string[buffer->in_pos].mask; @@@@ -302,7 +314,7 @@@@ if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) @@@@ -332,7 +344,7 @@@@ if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = 
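Review bot: As in the trunk revision, the new `hb_buffer_ensure` leaves the element-count growth and the `new_allocated * sizeof (...)` products unguarded against wrap-around: a `size` near `UINT_MAX` makes the `while` loop spin, and on 32-bit targets the byte product can wrap so that `buffer->allocated` records a count the block cannot hold. The counts involved are impractically large for font data, so treat this as hardening rather than an open hole, but it fits naturally into the `in_error` contract the patch introduces; `UINT_MAX` needs `<limits.h>` if it is not already included.
```c
      separate_out = buffer->out_string != buffer->in_string;

      while (size > new_allocated)
      {
        unsigned int grown = new_allocated + (new_allocated >> 1) + 8;
        if (HB_UNLIKELY (grown < new_allocated))
        {
          buffer->in_error = TRUE;   /* element count wrapped around */
          return FALSE;
        }
        new_allocated = grown;
      }

      /* Refuse counts whose byte size would not fit the realloc argument. */
      if (HB_UNLIKELY (new_allocated > UINT_MAX / sizeof (buffer->positions[0]) ||
                       new_allocated > UINT_MAX / sizeof (buffer->in_string[0])))
      {
        buffer->in_error = TRUE;
        return FALSE;
      }

      /* … unchanged: realloc of positions and in_string, pointer and allocated updates … */
```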
buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) @