summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--icu-last.spec10
-rw-r--r--icu.rhbz1074549.CVE-2013-5907.patch37
2 files changed, 46 insertions, 1 deletions
diff --git a/icu-last.spec b/icu-last.spec
index c8ab926..27f8f40 100644
--- a/icu-last.spec
+++ b/icu-last.spec
@@ -12,7 +12,7 @@
Name: icu-last
Version: 50.1.2
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: International Components for Unicode
Group: Development/Tools
License: MIT and UCD and Public Domain
@@ -37,6 +37,7 @@ Patch5: gennorm2-man.patch
Patch6: icuinfo-man.patch
Patch7: icu.10143.memory.leak.crash.patch
Patch8: icu.10318.CVE-2013-2924_changeset_34076.patch
+Patch9: icu.rhbz1074549.CVE-2013-5907.patch
%description
Tools and utilities for developing with icu.
@@ -98,6 +99,7 @@ Provides: lib%{srcname}-doc = %{version}-%{release}
%endif
%patch7 -p1 -b .icu10143.memory.leak.crash.patch
%patch8 -p1 -b .icu10318.CVE-2013-2924_changeset_34076.patch
+%patch9 -p1 -b .icurhbz1074549.CVE-2013-5907.patch
%build
cd source
@@ -219,6 +221,12 @@ make %{?_smp_mflags} -C source check
%doc source/__docs/%{srcname}/html/*
%changelog
+* Tue Nov 25 2014 Remi Collet <rpms@famillecollet.com>- 50.1.2-11
+- backport RHEL-7 changes
+
+* Tue Mar 11 2014 Eike Rathke <erack@redhat.com> - 50.1.2-11
+- Resolves: rhbz#1074549 Layout Engine LookupProcessor insufficient input checks
+
* Sun Oct 27 2013 Remi Collet <rpms@famillecollet.com>- 50.1.2-10
- rename to icu-last
diff --git a/icu.rhbz1074549.CVE-2013-5907.patch b/icu.rhbz1074549.CVE-2013-5907.patch
new file mode 100644
index 0000000..beb22b3
--- /dev/null
+++ b/icu.rhbz1074549.CVE-2013-5907.patch
@@ -0,0 +1,37 @@
+
+# erAck: resolves https://bugzilla.redhat.com/show_bug.cgi?id=1074549
+# Based on http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d29c19f1de1
+# where a/src/share/native/sun/font/layout/LookupProcessor.cpp is
+# icu/source/layout/LookupProcessor.cpp
+# Adapted to LayoutEngine "patch" and subsequent patches.
+# Note that
+#@@ -246,7 +249,7 @@
+#- featureReferences += SWAPW(featureTable->lookupCount);
+#+ featureReferences += SWAPW(requiredFeatureTable->lookupCount);
+# was already applied with icu.8800.freeserif.crash.patch that also added
+#+ if (requiredFeatureTable.isValid()) {
+# and is a slightly enhanced version of
+# https://ssl.icu-project.org/trac/ticket/8800 and/or
+# https://ssl.icu-project.org/trac/ticket/8320
+
+--- prev.icu/source/layout/LookupProcessor.cpp 2014-03-11 20:46:53.288819882 +0100
++++ icu/source/layout/LookupProcessor.cpp 2014-03-11 20:54:43.153370234 +0100
+@@ -113,7 +113,7 @@
+ le_int32 LookupProcessor::selectLookups(const LEReferenceTo<FeatureTable> &featureTable, FeatureMask featureMask, le_int32 order, LEErrorCode &success)
+ {
+ le_uint16 lookupCount = featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0;
+- le_int32 store = order;
++ le_uint32 store = (le_uint32)order;
+
+ LEReferenceToArrayOf<le_uint16> lookupListIndexArray(featureTable, success, featureTable->lookupListIndexArray, lookupCount);
+
+@@ -122,6 +122,9 @@
+ if (lookupListIndex >= lookupSelectCount) {
+ continue;
+ }
++ if (store >= lookupOrderCount) {
++ continue;
++ }
+
+ lookupSelectArray[lookupListIndex] |= featureMask;
+ lookupOrderArray[store++] = lookupListIndex;