diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 3 | ||||
-rw-r--r-- | gnu/packages/patches/icu4c-CVE-2014-6585.patch | 21 | ||||
-rw-r--r-- | gnu/packages/patches/icu4c-CVE-2015-1270.patch | 15 | ||||
-rw-r--r-- | gnu/packages/patches/icu4c-CVE-2015-4760.patch | 189 |
4 files changed, 0 insertions, 228 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 9fd5b0f45c..6e0c3eb42a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -657,9 +657,6 @@ dist_patch_DATA = \ %D%/packages/patches/hypre-ldflags.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ %D%/packages/patches/icecat-binutils.patch \ - %D%/packages/patches/icu4c-CVE-2014-6585.patch \ - %D%/packages/patches/icu4c-CVE-2015-1270.patch \ - %D%/packages/patches/icu4c-CVE-2015-4760.patch \ %D%/packages/patches/icu4c-reset-keyword-list-iterator.patch \ %D%/packages/patches/id3lib-CVE-2007-4460.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ diff --git a/gnu/packages/patches/icu4c-CVE-2014-6585.patch b/gnu/packages/patches/icu4c-CVE-2014-6585.patch deleted file mode 100644 index d21a0d0ba1..0000000000 --- a/gnu/packages/patches/icu4c-CVE-2014-6585.patch +++ /dev/null @@ -1,21 +0,0 @@ -Copied from Debian. - -description: out-of-bounds read -origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6585 - ---- a/source/layout/LETableReference.h -+++ b/source/layout/LETableReference.h -@@ -322,7 +322,12 @@ LE_TRACE_TR("INFO: new RTAO") - } - - const T& operator()(le_uint32 i, LEErrorCode &success) const { -- return *getAlias(i,success); -+ const T *ret = getAlias(i,success); -+ if (LE_FAILURE(success) || ret==NULL) { -+ return *(new T()); -+ } else { -+ return *ret; -+ } - } - - size_t getOffsetFor(le_uint32 i, LEErrorCode &success) const { diff --git a/gnu/packages/patches/icu4c-CVE-2015-1270.patch b/gnu/packages/patches/icu4c-CVE-2015-1270.patch deleted file mode 100644 index 2a7658d36e..0000000000 --- a/gnu/packages/patches/icu4c-CVE-2015-1270.patch +++ /dev/null @@ -1,15 +0,0 @@ -Copied from Debian. - -diff --git a/source/common/ucnv_io.cpp b/source/common/ucnv_io.cpp -index 5dd35d8..4424664 100644 ---- a/source/common/ucnv_io.cpp -+++ b/source/common/ucnv_io.cpp -@@ -744,7 +744,7 @@ ucnv_io_getConverterName(const char *alias, UBool *containsOption, UErrorCode *p - * the name begins with 'x-'. If it does, strip it off and try - * again. This behaviour is similar to how ICU4J does it. - */ -- if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') { -+ if (aliasTmp[0] == 'x' && aliasTmp[1] == '-') { - aliasTmp = aliasTmp+2; - } else { - break; diff --git a/gnu/packages/patches/icu4c-CVE-2015-4760.patch b/gnu/packages/patches/icu4c-CVE-2015-4760.patch deleted file mode 100644 index 77da283b7b..0000000000 --- a/gnu/packages/patches/icu4c-CVE-2015-4760.patch +++ /dev/null @@ -1,189 +0,0 @@ -Copied from Debian. - -Description: missing boundary checks in layout engine - It was discovered that ICU Layout Engine was missing multiple boundary checks. - These could lead to buffer overflows and memory corruption. A specially - crafted file could cause an application using ICU to parse untrusted font - files to crash and, possibly, execute arbitrary code. -Author: Laszlo Boszormenyi (GCS) <gcs@debian.org> -Origin: upstream, http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3f9845510b47 -Reviewed-By: srl, bae, mschoene -Forwarded: not-needed -Last-Update: 2015-07-30 - ---- - ---- icu-52.1.orig/source/layout/ContextualGlyphInsertionProc2.cpp -+++ icu-52.1/source/layout/ContextualGlyphInsertionProc2.cpp -@@ -82,6 +82,10 @@ le_uint16 ContextualGlyphInsertionProces - - le_int16 markIndex = SWAPW(entry->markedInsertionListIndex); - if (markIndex > 0) { -+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - le_int16 count = (flags & cgiMarkedInsertCountMask) >> 5; - le_bool isKashidaLike = (flags & cgiMarkedIsKashidaLike); - le_bool isBefore = (flags & cgiMarkInsertBefore); -@@ -90,6 +94,10 @@ le_uint16 ContextualGlyphInsertionProces - - le_int16 currIndex = SWAPW(entry->currentInsertionListIndex); - if (currIndex > 0) { -+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - le_int16 count = flags & cgiCurrentInsertCountMask; - le_bool isKashidaLike = (flags & cgiCurrentIsKashidaLike); - le_bool isBefore = (flags & cgiCurrentInsertBefore); ---- icu-52.1.orig/source/layout/ContextualGlyphSubstProc.cpp -+++ icu-52.1/source/layout/ContextualGlyphSubstProc.cpp -@@ -51,6 +51,10 @@ ByteOffset ContextualGlyphSubstitutionPr - WordOffset currOffset = SWAPW(entry->currOffset); - - if (markOffset != 0 && LE_SUCCESS(success)) { -+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - LEGlyphID mGlyph = glyphStorage[markGlyph]; - TTGlyphID newGlyph = SWAPW(int16Table.getObject(markOffset + LE_GET_GLYPH(mGlyph), success)); // whew. - -@@ -58,6 +62,10 @@ ByteOffset ContextualGlyphSubstitutionPr - } - - if (currOffset != 0) { -+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - LEGlyphID thisGlyph = glyphStorage[currGlyph]; - TTGlyphID newGlyph = SWAPW(int16Table.getObject(currOffset + LE_GET_GLYPH(thisGlyph), success)); // whew. - ---- icu-52.1.orig/source/layout/ContextualGlyphSubstProc2.cpp -+++ icu-52.1/source/layout/ContextualGlyphSubstProc2.cpp -@@ -45,17 +45,25 @@ le_uint16 ContextualGlyphSubstitutionPro - if(LE_FAILURE(success)) return 0; - le_uint16 newState = SWAPW(entry->newStateIndex); - le_uint16 flags = SWAPW(entry->flags); -- le_int16 markIndex = SWAPW(entry->markIndex); -- le_int16 currIndex = SWAPW(entry->currIndex); -+ le_uint16 markIndex = SWAPW(entry->markIndex); -+ le_uint16 currIndex = SWAPW(entry->currIndex); - -- if (markIndex != -1) { -+ if (markIndex != 0x0FFFF) { -+ if (markGlyph < 0 || markGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - le_uint32 offset = SWAPL(perGlyphTable(markIndex, success)); - LEGlyphID mGlyph = glyphStorage[markGlyph]; - TTGlyphID newGlyph = lookup(offset, mGlyph, success); - glyphStorage[markGlyph] = LE_SET_GLYPH(mGlyph, newGlyph); - } - -- if (currIndex != -1) { -+ if (currIndex != 0x0FFFF) { -+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } - le_uint32 offset = SWAPL(perGlyphTable(currIndex, success)); - LEGlyphID thisGlyph = glyphStorage[currGlyph]; - TTGlyphID newGlyph = lookup(offset, thisGlyph, success); ---- icu-52.1.orig/source/layout/IndicRearrangementProcessor.cpp -+++ icu-52.1/source/layout/IndicRearrangementProcessor.cpp -@@ -45,6 +45,11 @@ ByteOffset IndicRearrangementProcessor:: - ByteOffset newState = SWAPW(entry->newStateOffset); - IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags); - -+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } -+ - if (flags & irfMarkFirst) { - firstGlyph = currGlyph; - } ---- icu-52.1.orig/source/layout/IndicRearrangementProcessor2.cpp -+++ icu-52.1/source/layout/IndicRearrangementProcessor2.cpp -@@ -43,6 +43,11 @@ le_uint16 IndicRearrangementProcessor2:: - le_uint16 newState = SWAPW(entry->newStateIndex); // index to the new state - IndicRearrangementFlags flags = (IndicRearrangementFlags) SWAPW(entry->flags); - -+ if (currGlyph < 0 || currGlyph >= glyphStorage.getGlyphCount()) { -+ success = LE_INDEX_OUT_OF_BOUNDS_ERROR; -+ return 0; -+ } -+ - if (flags & irfMarkFirst) { - firstGlyph = currGlyph; - } ---- icu-52.1.orig/source/layout/LigatureSubstProc.cpp -+++ icu-52.1/source/layout/LigatureSubstProc.cpp -@@ -48,7 +48,7 @@ ByteOffset LigatureSubstitutionProcessor - const LigatureSubstitutionStateEntry *entry = entryTable.getAlias(index, success); - - ByteOffset newState = SWAPW(entry->newStateOffset); -- le_int16 flags = SWAPW(entry->flags); -+ le_uint16 flags = SWAPW(entry->flags); - - if (flags & lsfSetComponent) { - if (++m >= nComponents) { ---- icu-52.1.orig/source/layout/StateTableProcessor.cpp -+++ icu-52.1/source/layout/StateTableProcessor.cpp -@@ -60,6 +60,7 @@ void StateTableProcessor::process(LEGlyp - if (currGlyph == glyphCount) { - // XXX: How do we handle EOT vs. EOL? - classCode = classCodeEOT; -+ break; - } else { - TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]); - ---- icu-52.1.orig/source/layout/StateTableProcessor2.cpp -+++ icu-52.1/source/layout/StateTableProcessor2.cpp -@@ -78,6 +78,7 @@ void StateTableProcessor2::process(LEGly - if (currGlyph == glyphCount || currGlyph == -1) { - // XXX: How do we handle EOT vs. EOL? - classCode = classCodeEOT; -+ break; - } else { - LEGlyphID gid = glyphStorage[currGlyph]; - TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid); -@@ -109,6 +110,7 @@ void StateTableProcessor2::process(LEGly - if (currGlyph == glyphCount || currGlyph == -1) { - // XXX: How do we handle EOT vs. EOL? - classCode = classCodeEOT; -+ break; - } else { - LEGlyphID gid = glyphStorage[currGlyph]; - TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(gid); -@@ -146,6 +148,7 @@ void StateTableProcessor2::process(LEGly - if (currGlyph == glyphCount || currGlyph == -1) { - // XXX: How do we handle EOT vs. EOL? - classCode = classCodeEOT; -+ break; - } else if(currGlyph > glyphCount) { - // note if > glyphCount, we've run off the end (bad font) - currGlyph = glyphCount; -@@ -186,6 +189,7 @@ void StateTableProcessor2::process(LEGly - if (currGlyph == glyphCount || currGlyph == -1) { - // XXX: How do we handle EOT vs. EOL? - classCode = classCodeEOT; -+ break; - } else { - TTGlyphID glyphCode = (TTGlyphID) LE_GET_GLYPH(glyphStorage[currGlyph]); - if (glyphCode == 0xFFFF) { ---- icu-52.1.orig/source/layout/StateTables.h -+++ icu-52.1/source/layout/StateTables.h -@@ -101,7 +101,7 @@ typedef le_uint8 EntryTableIndex; - struct StateEntry - { - ByteOffset newStateOffset; -- le_int16 flags; -+ le_uint16 flags; - }; - - typedef le_uint16 EntryTableIndex2; |