new file mode 100644
@@ -0,0 +1,71 @@
+From 85be877925ddbf34f74a1229f3ca1716bb6170dc Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Feb 2023 20:00:43 -0700
+Subject: [PATCH] [layout] Limit how far we skip when looking back
+
+Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc]
+CVE: CVE-2023-25193
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/hb-ot-layout-common.hh | 7 +++++++
+ src/hb-ot-layout-gsubgpos.hh | 19 ++++++++++++++++---
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
+index 60a1906..f7f8d5f 100644
+--- a/src/hb-ot-layout-common.hh
++++ b/src/hb-ot-layout-common.hh
+@@ -72,6 +72,13 @@
+ #define HB_MAX_LOOKUP_VISIT_COUNT 35000
+ #endif
+
++#ifndef HB_MAX_NESTING_LEVEL
++#define HB_MAX_NESTING_LEVEL 6
++#endif
++#ifndef HB_MAX_CONTEXT_LENGTH
++#define HB_MAX_CONTEXT_LENGTH 64
++#endif
++
+
+ namespace OT {
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 65de131..891d96a 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -525,7 +525,10 @@ struct hb_ot_apply_context_t :
+ bool next (unsigned *unsafe_to = nullptr)
+ {
+ assert (num_items > 0);
+- while (idx + num_items < end)
++ unsigned stop = end - num_items;
++ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
++ stop = end - 1;
++ while (idx < stop)
+ {
+ idx++;
+ const hb_glyph_info_t &info = c->buffer->info[idx];
+@@ -557,8 +560,18 @@ struct hb_ot_apply_context_t :
+ }
+ bool prev (unsigned *unsafe_from = nullptr)
+ {
+- assert (num_items > 0);
+- while (idx > num_items - 1)
++ assert (num_items > 0);
++ unsigned stop = 1 - num_items;
++ if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
++ stop = 1 - 1;
++
++ /* When looking back, limit how far we search; this function is mostly
++ * used for looking back for base glyphs when attaching marks. If we
++ * don't limit, we can get O(n^2) behavior where n is the number of
++ * consecutive marks. */
++ stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
++
++ while (idx > stop)
+ {
+ idx--;
+ const hb_glyph_info_t &info = c->buffer->out_info[idx];
+--
+2.25.1
+
@@ -13,7 +13,9 @@ UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz \
file://CVE-2022-33068.patch \
- file://0001-Fix-conditional.patch"
+ file://0001-Fix-conditional.patch \
+ file://CVE-2023-25193.patch \
+ "
SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
inherit meson pkgconfig lib_package gtk-doc gobject-introspection
[layout] Limit how far we skip when looking back Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> --- .../harfbuzz/harfbuzz/CVE-2023-25193.patch | 71 +++++++++++++++++++ .../harfbuzz/harfbuzz_4.0.1.bb | 4 +- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch