From 22a6cd7c5f76c5212db91c1cb2ce11bb02651109 Mon Sep 17 00:00:00 2001
From: lancer <591320480@qq.com>
Date: Mon, 3 Apr 2023 16:41:25 +0800
Subject: [PATCH] fixed 1c63503 from https://gitee.com/shengu_lancer/third_party_harfbuzz/pulls/50
Description: fix CVE-2023-25193
IssueNo: https://gitee.com/openharmony/third_party_harfbuzz/issues/I6S0VH
Feature or Bugfix: Bugfix
Binary Source:No
Signed-off-by: lancer
---
 src/hb-buffer.h | 3 ++-
 src/hb-ot-layout-gsubgpos.hh | 12 +++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/hb-buffer.h b/src/hb-buffer.h
index 865ccb22..88f1f4c2 100644
--- a/src/hb-buffer.h
+++ b/src/hb-buffer.h
@@ -307,7 +307,8 @@ typedef enum { /*< flags >*/
 HB_BUFFER_FLAG_EOT = 0x00000002u, /* End-of-text */
 HB_BUFFER_FLAG_PRESERVE_DEFAULT_IGNORABLES = 0x00000004u,
 HB_BUFFER_FLAG_REMOVE_DEFAULT_IGNORABLES = 0x00000008u,
- HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u
+ HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u,
+ HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT = 0x00000040u
 } hb_buffer_flags_t;
 
 HB_EXTERN void
diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index b537ba00..6086b9b2 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
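Review bot: HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT is added to the public hb_buffer_flags_t enum with no description, while the neighbouring entries carry one (the `/* End-of-text */` note on HB_BUFFER_FLAG_EOT, and upstream HarfBuzz documents every flag in the gtk-doc block above this enum). Nothing else in this patch sets the flag; it exists so the lookback change in hb-ot-layout-gsubgpos.hh can test it, so a reader of the header cannot tell what enabling it does. The value 0x00000040u deliberately skips 0x00000020u, which upstream assigns to HB_BUFFER_FLAG_VERIFY, and that choice should be recorded so a later backport neither reuses 0x20 nor renumbers this flag. Suggested comment on the new line: `/* Keep out_info lookback unbounded to index 0 (still capped by HB_MAX_CONTEXT_LENGTH); 0x20 is reserved to stay value-compatible with upstream */`.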
@@ -535,7 +535,17 @@ struct hb_ot_apply_context_t :
 bool prev ()
 {
 assert (num_items > 0);
- while (idx > num_items - 1)
+ /* The alternate condition below is faster at string boundaries,
+ * but produces subpar "unsafe-to-concat" values. */
+ unsigned stop = num_items - 1;
+ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
+ stop = 1 - 1;
+ /*When looking back, limit how far we search; this function is mostly
+ * used for looking back for base glyphs when attaching marks. If we
+ * don't limit, we can get O(n^2) behavior where n is the number of
+ * consecutive marks. */
+ stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
+ while (idx > stop)
 {
 idx--;
 const hb_glyph_info_t &info = c->buffer->out_info[idx];
-- 
GitLab
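Review bot: The line that actually bounds the quadratic lookback named in the commit is `stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);`; the flag-gated `stop = 1 - 1;` just above it reads like a typo for `stop = 0;` and, since the cap is applied unconditionally afterwards, only lets the scan reach the buffer start when that is within HB_MAX_CONTEXT_LENGTH positions — either write `stop = 0; /* scan back to buffer start; still capped below */` or keep the upstream spelling deliberately so later rebases diff cleanly. Both `hb_max` and `HB_MAX_CONTEXT_LENGTH` come from upstream (hb-algs.hh and hb-ot-layout-common.hh respectively), and this tree predates the HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT flag, so confirm both names resolve here rather than an older MAX macro. Note that the cap changes matching as well as cost: a base glyph more than HB_MAX_CONTEXT_LENGTH positions back is no longer found even without the flag, which is upstream's intended trade-off but deserves a sentence in the commit message. The comment opener `/*When` is missing a space after `/*`. prev() continues past the end of the hunk.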