From f555c3b2effa24a1dfc5a76fec146bf987ee8ed0 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Tue, 25 Nov 2014 18:55:12 +0100
Subject: icu-last: 5.1.2-11 (backport changes, but still FTBFS)

---
 icu-last.spec                       | 10 +++++++++-
 icu.rhbz1074549.CVE-2013-5907.patch | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 icu.rhbz1074549.CVE-2013-5907.patch

diff --git a/icu-last.spec b/icu-last.spec
index c8ab926..27f8f40 100644
--- a/icu-last.spec
+++ b/icu-last.spec
@@ -12,7 +12,7 @@
 
 Name:      icu-last
 Version:   50.1.2
-Release:   10%{?dist}
+Release:   11%{?dist}
 Summary:   International Components for Unicode
 Group:     Development/Tools
 License:   MIT and UCD and Public Domain
@@ -37,6 +37,7 @@ Patch5: gennorm2-man.patch
 Patch6: icuinfo-man.patch
 Patch7: icu.10143.memory.leak.crash.patch
 Patch8: icu.10318.CVE-2013-2924_changeset_34076.patch
+Patch9: icu.rhbz1074549.CVE-2013-5907.patch
 
 %description
 Tools and utilities for developing with icu.
@@ -98,6 +99,7 @@ Provides:  lib%{srcname}-doc = %{version}-%{release}
 %endif
 %patch7 -p1 -b .icu10143.memory.leak.crash.patch
 %patch8 -p1 -b .icu10318.CVE-2013-2924_changeset_34076.patch
+%patch9 -p1 -b .icurhbz1074549.CVE-2013-5907.patch
 
 %build
 cd source
@@ -219,6 +221,12 @@ make %{?_smp_mflags} -C source check
 %doc source/__docs/%{srcname}/html/*
 
 %changelog
+* Tue Nov 25 2014 Remi Collet <rpms@famillecollet.com>- 50.1.2-11
+- backport RHEL-7 changes
+
+* Tue Mar 11 2014 Eike Rathke <erack@redhat.com> - 50.1.2-11
+- Resolves: rhbz#1074549 Layout Engine LookupProcessor insufficient input checks
+
 * Sun Oct 27 2013 Remi Collet <rpms@famillecollet.com>- 50.1.2-10
 - rename to icu-last
 
diff --git a/icu.rhbz1074549.CVE-2013-5907.patch b/icu.rhbz1074549.CVE-2013-5907.patch
new file mode 100644
index 0000000..beb22b3
--- /dev/null
+++ b/icu.rhbz1074549.CVE-2013-5907.patch
@@ -0,0 +1,37 @@
+
+# erAck: resolves https://bugzilla.redhat.com/show_bug.cgi?id=1074549
+# Based on http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d29c19f1de1
+# where a/src/share/native/sun/font/layout/LookupProcessor.cpp is
+# icu/source/layout/LookupProcessor.cpp
+# Adapted to LayoutEngine "patch" and subsequent patches.
+# Note that
+#@@ -246,7 +249,7 @@
+#-      featureReferences += SWAPW(featureTable->lookupCount);
+#+      featureReferences += SWAPW(requiredFeatureTable->lookupCount);
+# was already applied with icu.8800.freeserif.crash.patch that also added
+#+      if (requiredFeatureTable.isValid()) {
+# and is a slightly enhanced version of
+# https://ssl.icu-project.org/trac/ticket/8800 and/or
+# https://ssl.icu-project.org/trac/ticket/8320
+
+--- prev.icu/source/layout/LookupProcessor.cpp	2014-03-11 20:46:53.288819882 +0100
++++ icu/source/layout/LookupProcessor.cpp	2014-03-11 20:54:43.153370234 +0100
+@@ -113,7 +113,7 @@
+ le_int32 LookupProcessor::selectLookups(const LEReferenceTo<FeatureTable> &featureTable, FeatureMask featureMask, le_int32 order, LEErrorCode &success)
+ {
+   le_uint16 lookupCount = featureTable.isValid()? SWAPW(featureTable->lookupCount) : 0;
+-    le_int32  store = order;
++    le_uint32  store = (le_uint32)order;
+     
+     LEReferenceToArrayOf<le_uint16> lookupListIndexArray(featureTable, success, featureTable->lookupListIndexArray, lookupCount);
+ 
+@@ -122,6 +122,9 @@
+       if (lookupListIndex >= lookupSelectCount) {
+         continue;
+       }
++      if (store >= lookupOrderCount) {
++        continue;
++      }
+       
+       lookupSelectArray[lookupListIndex] |= featureMask;
+       lookupOrderArray[store++] = lookupListIndex;
-- 
cgit