1From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001 2From: Behdad Esfahbod <behdad@behdad.org> 3Date: Wed, 1 Jun 2022 07:38:21 -0600 4Subject: [PATCH] [sbix] Limit glyph extents 5 6Fixes https://github.com/harfbuzz/harfbuzz/issues/3557 7 8Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593] 9CVE:CVE-2022-33068 10Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com> 11 12--- 13 src/hb-ot-color-sbix-table.hh | 6 ++++++ 14 1 file changed, 6 insertions(+) 15 16diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh 17index 9741ebd45..6efae43cd 100644 18--- a/src/hb-ot-color-sbix-table.hh 19+++ b/src/hb-ot-color-sbix-table.hh 20@@ -298,6 +298,12 @@ struct sbix 21 22 const PNGHeader &png = *blob->as<PNGHeader>(); 23 24+ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536) 25+ { 26+ hb_blob_destroy (blob); 27+ return false; 28+ } 29+ 30 extents->x_bearing = x_offset; 31 extents->y_bearing = png.IHDR.height + y_offset; 32 extents->width = png.IHDR.width; 33-- 342.25.1 35 36