From: Behdad Esfahbod Date: Mon, 6 Feb 2023 21:51:25 +0000 (-0700) Subject: [Tizen] [GPOS] Avoid O(n^2) behavior in mark-attachment X-Git-Tag: accepted/tizen/6.5/unified/20230622.095624^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_6.5;p=platform%2Fupstream%2Fharfbuzz.git [Tizen] [GPOS] Avoid O(n^2) behavior in mark-attachment Better implementation; avoids arbitrary limit on look-back. [CVE-2023-25193] hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. https://nvd.nist.gov/vuln/detail/CVE-2023-25193 Change-Id: I778490c8c94aae046e38cb07f04753cbc26b8e6a --- diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh index 2c06312..2b5d7b3 100644 --- a/src/hb-ot-layout-gsubgpos.hh +++ b/src/hb-ot-layout-gsubgpos.hh @@ -559,6 +559,9 @@ struct hb_ot_apply_context_t : uint32_t random_state; + signed last_base = -1; // GPOS uses + unsigned last_base_until = 0; // GPOS uses + hb_ot_apply_context_t (unsigned int table_index_, hb_font_t *font_, hb_buffer_t *buffer_) : @@ -592,7 +595,7 @@ struct hb_ot_apply_context_t : iter_context.init (this, true); } - void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); } + void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); } void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } void set_random (bool random_) { random = random_; }
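Review bot: The two members added to hb_ot_apply_context_t in the first hunk (@@ -559,6 +559,9 @@) are documented only as "// GPOS uses", which does not say what they cache or when the cached value is valid. Since this state carries the complexity fix for CVE-2023-25193, the comments should spell out the invariant: what the sentinel `last_base = -1` means, and what buffer position `last_base_until` bounds. The pair also mixes `signed` and `unsigned`, so any comparison between them, or of `last_base` against an unsigned buffer index, needs an explicit check for the -1 sentinel before the comparison; a note next to the declarations would keep later callers from relying on an implicit conversion.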
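Review bot: In the second hunk (@@ -592,7 +595,7 @@) the cache reset `last_base = -1; last_base_until = 0;` is placed only inside set_lookup_mask(), while the adjacent setters set_auto_zwj() and set_auto_zwnj() also call init_iters() and leave the cached values untouched. If the cached base position depends on which glyphs the iterators skip, those setters would need the same reset; if it does not, a short comment explaining why only a mask change invalidates the cache would make that clear. Consider moving the two assignments into a small named helper (or into init_iters() if that is the right invalidation point) so the reset is not tied to a one-line setter whose name does not suggest it, and so that a code path which starts a new lookup without calling set_lookup_mask() cannot reuse a stale `last_base`.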