diff options
| author | Behdad Esfahbod <behdad@behdad.org> | 2023-02-06 14:51:25 -0700 |
|---|---|---|
| committer | Bowon Ryu <bowon.ryu@samsung.com> | 2023-06-20 10:51:45 +0900 |
| commit | 2ac0d6d4cd32d2add09102dc9afae5a03c31ccc5 (patch) | |
| tree | 935b182eabec555f3770c4b714b312e07bcaf221 | |
| parent | adc15de0bb68e623eb890cc54ae82a36fc5df466 (diff) | |
| download | harfbuzz-tizen_6.0.tar.gz harfbuzz-tizen_6.0.tar.bz2 harfbuzz-tizen_6.0.zip | |
[Tizen] [GPOS] Avoid O(n^2) behavior in mark-attachmentaccepted/tizen/6.0/unified/20230621.004738tizen_6.0accepted/tizen_6.0_unified
Better implementation; avoids arbitrary limit on look-back.
[CVE-2023-25193]
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0
allows attackers to trigger O(n^2) growth via consecutive marks
during the process of looking back for base glyphs when attaching marks.
https://nvd.nist.gov/vuln/detail/CVE-2023-25193
Change-Id: I778490c8c94aae046e38cb07f04753cbc26b8e6a
| -rw-r--r-- | src/hb-ot-layout-gsubgpos.hh | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh index 579d178..f781550 100644 --- a/src/hb-ot-layout-gsubgpos.hh +++ b/src/hb-ot-layout-gsubgpos.hh @@ -477,6 +477,9 @@ struct hb_ot_apply_context_t : uint32_t random_state; + signed last_base = -1; // GPOS uses + unsigned last_base_until = 0; // GPOS uses + hb_ot_apply_context_t (unsigned int table_index_, hb_font_t *font_, hb_buffer_t *buffer_) : @@ -510,7 +513,7 @@ struct hb_ot_apply_context_t : iter_context.init (this, true); } - void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); } + void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); } void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } void set_random (bool random_) { random = random_; } |