qt4/patches/qt-4.8.1-fix-buffer-overflow.patch

From 827e5c4c689d4ecb4f8c1ab48c9a7ab712fe2ca7 Mon Sep 17 00:00:00 2001
From: John Tapsell <john.tapsell.ext@basyskom.com>
Date: Mon, 12 Mar 2012 22:07:47 +0000
Subject: [PATCH] Harfbuzz-thai - fix buffer overflow when setting item
 attributes

Change-Id: I19eeb4ec25a7c6cb3f584e6290169f9f327b8713
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@nokia.com>
---
 src/3rdparty/harfbuzz/src/harfbuzz-thai.c          |    9 +++++-
 .../qtextscriptengine/tst_qtextscriptengine.cpp    |   29 ++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-thai.c b/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
index bf6c35b..3c0ffe8 100644
--- a/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
+++ b/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
@@ -263,8 +263,13 @@ static HB_Bool HB_ThaiConvertStringToGlyphIndices (HB_ShaperItem *item)
                 // The only glyphs that should be passed to this function that cannot be mapped to
                 // tis620 are the ones of type Inherited class.  Pass these glyphs untouched.
                 glyphString[slen++] = string[i];
-                if (string[i] == 0x200D || string[i] == 0x200C)
-                    item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
+                if (string[i] == 0x200D || string[i] == 0x200C) {
+                    // Check that we do not run out of bounds when setting item->attributes.  If we do
+                    // run out of bounds then this function will return false, the necessary amount of
+                    // memory is reallocated, and this function will then be called again.
+                    if (slen <= item->num_glyphs)
+                        item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
+                }
             } else {
                 glyphString[slen++] = (HB_UChar16) thai_get_glyph_index (font_type, rglyphs[lgi]);
             }
1	From 827e5c4c689d4ecb4f8c1ab48c9a7ab712fe2ca7 Mon Sep 17 00:00:00 2001
2	From: John Tapsell <john.tapsell.ext@basyskom.com>
3	Date: Mon, 12 Mar 2012 22:07:47 +0000
4	Subject: [PATCH] Harfbuzz-thai - fix buffer overflow when setting item
5	attributes
6
7	Change-Id: I19eeb4ec25a7c6cb3f584e6290169f9f327b8713
8	Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@nokia.com>
9	---
10	src/3rdparty/harfbuzz/src/harfbuzz-thai.c \| 9 +++++-
11	.../qtextscriptengine/tst_qtextscriptengine.cpp \| 29 ++++++++++++++++++++
12	2 files changed, 36 insertions(+), 2 deletions(-)
13
14	diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-thai.c b/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
15	index bf6c35b..3c0ffe8 100644
16	--- a/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
17	+++ b/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
18	@@ -263,8 +263,13 @@ static HB_Bool HB_ThaiConvertStringToGlyphIndices (HB_ShaperItem *item)
19	// The only glyphs that should be passed to this function that cannot be mapped to
20	// tis620 are the ones of type Inherited class. Pass these glyphs untouched.
21	glyphString[slen++] = string[i];
22	- if (string[i] == 0x200D \|\| string[i] == 0x200C)
23	- item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
24	+ if (string[i] == 0x200D \|\| string[i] == 0x200C) {
25	+ // Check that we do not run out of bounds when setting item->attributes. If we do
26	+ // run out of bounds then this function will return false, the necessary amount of
27	+ // memory is reallocated, and this function will then be called again.
28	+ if (slen <= item->num_glyphs)
29	+ item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
30	+ }
31	} else {
32	glyphString[slen++] = (HB_UChar16) thai_get_glyph_index (font_type, rglyphs[lgi]);
33	}