CVE-2010-0421
--- a/pango/opentype/harfbuzz-gdef.c
+++ b/pango/opentype/harfbuzz-gdef.c
@@ -923,7 +923,7 @@ HB_Error HB_GDEF_Build_ClassDefinition(
goto Fail1;
}
- if ( gcrr[count - 1].End != num_glyphs - 1 )
+ if ( gcrr[count - 1].End + 1 < num_glyphs )
{
if ( ALLOC_ARRAY( ngc[count],
( num_glyphs - gcrr[count - 1].End + 2 ) / 4,
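Review bot: The rewritten condition `gcrr[count - 1].End + 1 < num_glyphs` carries no comment saying why `!=` was not enough, and that reason is easy to lose in a later cleanup. With the old test, a last range whose End lies at or past num_glyphs still entered the branch, and the size expression `( num_glyphs - gcrr[count - 1].End + 2 ) / 4` on the following lines was then computed from a zero or negative difference. I would add above the `if` something like `/* End may reach or exceed num_glyphs in a damaged font; allocate the tail array only when glyphs remain after the last range */`. The enclosing block starts before this hunk, so whether `count` is guaranteed non-zero at this point cannot be confirmed from the visible lines.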
@@ -938,7 +938,9 @@ HB_Error HB_GDEF_Build_ClassDefinition(
HB_UShort ) )
goto Fail2;
}
-
+ else
+ num_glyphs = 1;
+
gdef->LastGlyph = num_glyphs - 1;
gdef->MarkAttachClassDef_offset = 0L;
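Review bot: The added `else num_glyphs = 1;` overwrites the function's glyph count with a magic value, apparently only so that `gdef->LastGlyph = num_glyphs - 1;` two lines later yields 0 instead of going below zero, and nothing in the code says so. The `if` that this `else` pairs with lies outside the hunk, so the case it covers has to be inferred (presumably a font with no glyphs). If that is the only case, setting the field directly reads more clearly than mutating the parameter, e.g. `gdef->LastGlyph = num_glyphs ? num_glyphs - 1 : 0;`. Otherwise, brace the branch and comment it: `/* no glyphs: keep LastGlyph from wrapping */`.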
@@ -996,6 +998,8 @@ _HB_GDEF_Add_Glyph_Property( HB_GDEFHead
HB_ClassRangeRecord* gcrr;
HB_UShort** ngc;
+ if ( glyphID >= gdef->LastGlyph )
+ return 0;
error = _HB_OPEN_Get_Class( &gdef->GlyphClassDef, glyphID, &class, &index );
if ( error && error != HB_Err_Not_Covered )
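Review bot: The new guard `if ( glyphID >= gdef->LastGlyph ) return 0;` also rejects `glyphID == gdef->LastGlyph`, and by `gdef->LastGlyph = num_glyphs - 1;` in the previous hunk that is the highest valid glyph index, so a property for the last glyph is silently dropped. The `>=` may be deliberate, since the `num_glyphs = 1` fallback leaves LastGlyph at 0 with possibly nothing allocated, but then it needs a comment such as `/* LastGlyph is 0 for a font with no glyphs, so the bound is exclusive */`. The early `return 0` looks like a success code (the function compares errors against HB_Err_Not_Covered just below), so callers cannot tell that the property was not stored; consider whether a distinct error is wanted. The function body continues past the end of this hunk.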