summaryrefslogtreecommitdiff
path: root/CVE-2022-33068-sbix-Limit-glyph-extents.patch
diff options
context:
space:
mode:
Diffstat (limited to 'CVE-2022-33068-sbix-Limit-glyph-extents.patch')
-rw-r--r--CVE-2022-33068-sbix-Limit-glyph-extents.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/CVE-2022-33068-sbix-Limit-glyph-extents.patch b/CVE-2022-33068-sbix-Limit-glyph-extents.patch
new file mode 100644
index 0000000..c229a3c
--- /dev/null
+++ b/CVE-2022-33068-sbix-Limit-glyph-extents.patch
@@ -0,0 +1,30 @@
+From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Jun 2022 07:38:21 -0600
+Subject: [PATCH 001/363] [sbix] Limit glyph extents
+
+Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
+---
+ src/hb-ot-color-sbix-table.hh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
+index 9741ebd45..6efae43cd 100644
+--- a/src/hb-ot-color-sbix-table.hh
++++ b/src/hb-ot-color-sbix-table.hh
+@@ -298,6 +298,12 @@ struct sbix
+
+ const PNGHeader &png = *blob->as<PNGHeader>();
+
++ if ((png.IHDR.height >= 65536) | (png.IHDR.width >= 65536))
++ {
++ hb_blob_destroy (blob);
++ return false;
++ }
++
+ extents->x_bearing = x_offset;
+ extents->y_bearing = png.IHDR.height + y_offset;
+ extents->width = png.IHDR.width;
+--
+2.36.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-25 17:30:51 +0000