Re: [OE-core][kirkstone 05/27] harfbuzz: fix CVE-2022-33068

[Pavel Zhukov <pavel@zhukoff.net>]

This breaks build with clang:

| In file included from ../harfbuzz-4.0.1/src/hb-ot-face.cc:39:
4429| ../harfbuzz-4.0.1/src/hb-ot-color-sbix-table.hh:301:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical]
4430|       if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
4431|           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4432|                                    ||
4433| ../harfbuzz-4.0.1/src/hb-ot-color-sbix-table.hh:301:11: note: cast one or both operands to int to silence this warning
4434| 1 error generated.


"Steve Sakoman" <steve@sakoman.com> writes:

> From: Wentao Zhang <wentao.zhang@windriver.com>
>
> Backport patch from
> https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593
>
> The 'tff' file in upstream patch is for testing only which cause error during do_patch so need be dropped.
> File test/fuzzing/fonts/sbix-extents.ttf: git binary diffs are not supported.
>
> Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../harfbuzz/harfbuzz/CVE-2022-33068.patch    | 35 +++++++++++++++++++
>  .../harfbuzz/harfbuzz_4.0.1.bb                |  3 +-
>  2 files changed, 37 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
>
> diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
> new file mode 100644
> index 0000000000..931b9abe1e
> --- /dev/null
> +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
> @@ -0,0 +1,35 @@
> +From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
> +From: Behdad Esfahbod <behdad@behdad.org>
> +Date: Wed, 1 Jun 2022 07:38:21 -0600
> +Subject: [PATCH] [sbix] Limit glyph extents
> +
> +Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
> +
> +Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593]
> +CVE:CVE-2022-33068
> +Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com>
> +
> +---
> + src/hb-ot-color-sbix-table.hh | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
> +index 9741ebd45..6efae43cd 100644
> +--- a/src/hb-ot-color-sbix-table.hh
> ++++ b/src/hb-ot-color-sbix-table.hh
> +@@ -298,6 +298,12 @@ struct sbix
> + 
> +       const PNGHeader &png = *blob->as<PNGHeader>();
> + 
> ++      if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
> ++      {
> ++	hb_blob_destroy (blob);
> ++	return false;
> ++      }
> ++
> +       extents->x_bearing = x_offset;
> +       extents->y_bearing = png.IHDR.height + y_offset;
> +       extents->width     = png.IHDR.width;
> +-- 
> +2.25.1
> +
> diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
> index bf77a5e56c..81518a53ea 100644
> --- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
> +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
> @@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6ee0f16281694fb6aa689cca1e0fb3da \
>  UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
>  UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
>  
> -SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz"
> +SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz\
> +           file://CVE-2022-33068.patch"
>  SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
>  
>  inherit meson pkgconfig lib_package gtk-doc gobject-introspection