From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 6 Feb 2023 21:51:25 +0000 (-0700)
Subject: [Tizen] [GPOS] Avoid O(n^2) behavior in mark-attachment
X-Git-Tag: accepted/tizen/6.5/unified/20230622.095624
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=15a73b6311bb5ca767552bd66546882462027e5b;p=platform%2Fupstream%2Fharfbuzz.git

[Tizen] [GPOS] Avoid O(n^2) behavior in mark-attachment

Better implementation; avoids arbitrary limit on look-back.

[CVE-2023-25193]
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0
allows attackers to trigger O(n^2) growth via consecutive marks
during the process of looking back for base glyphs when attaching marks.
https://nvd.nist.gov/vuln/detail/CVE-2023-25193

Change-Id: I778490c8c94aae046e38cb07f04753cbc26b8e6a
---

diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index 2c06312..2b5d7b3 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -559,6 +559,9 @@ struct hb_ot_apply_context_t :
   uint32_t random_state;
 
 
+  signed last_base = -1; // GPOS uses
+  unsigned last_base_until = 0; // GPOS uses
+
   hb_ot_apply_context_t (unsigned int table_index_,
 		      hb_font_t *font_,
 		      hb_buffer_t *buffer_) :
@@ -592,7 +595,7 @@ struct hb_ot_apply_context_t :
     iter_context.init (this, true);
   }
 
-  void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); }
+  void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); }
   void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
   void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
   void set_random (bool random_) { random = random_; }