diff options
Diffstat (limited to 'icu.rhbz1074549.CVE-2013-5907.patch')
-rw-r--r-- | icu.rhbz1074549.CVE-2013-5907.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/icu.rhbz1074549.CVE-2013-5907.patch b/icu.rhbz1074549.CVE-2013-5907.patch new file mode 100644 index 0000000..beb22b3 --- /dev/null +++ b/icu.rhbz1074549.CVE-2013-5907.patch @@ -0,0 +1,37 @@ + +# erAck: resolves https://bugzilla.redhat.com/show_bug.cgi?id=1074549 +# Based on http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d29c19f1de1 +# where a/src/share/native/sun/font/layout/LookupProcessor.cpp is +# icu/source/layout/LookupProcessor.cpp +# Adapted to LayoutEngine "patch" and subsequent patches. +# Note that +#@@ -246,7 +249,7 @@ +#- featureReferences += SWAPW(featureTable->lookupCount); +#+ featureReferences += SWAPW(requiredFeatureTable->lookupCount); +# was already applied with icu.8800.freeserif.crash.patch that also added +#+ if (requiredFeatureTable.isValid()) { +# and is a slightly enhanced version of +# https://ssl.icu-project.org/trac/ticket/8800 and/or +# https://ssl.icu-project.org/trac/ticket/8320 + +--- prev.icu/source/layout/LookupProcessor.cpp 2014-03-11 20:46:53.288819882 +0100 ++++ icu/source/layout/LookupProcessor.cpp 2014-03-11 20:54:43.153370234 +0100 +@@ -113,7 +113,7 @@ + le_int32 LookupProcessor::selectLookups(const LEReferenceTo<FeatureTable> &featureTable, FeatureMask featureMask, le_int32 order, LEErrorCode &success) + { + le_uint16 lookupCount = featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0; +- le_int32 store = order; ++ le_uint32 store = (le_uint32)order; + + LEReferenceToArrayOf<le_uint16> lookupListIndexArray(featureTable, success, featureTable->lookupListIndexArray, lookupCount); + +@@ -122,6 +122,9 @@ + if (lookupListIndex >= lookupSelectCount) { + continue; + } ++ if (store >= lookupOrderCount) { ++ continue; ++ } + + lookupSelectArray[lookupListIndex] |= featureMask; + lookupOrderArray[store++] = lookupListIndex; |