1574dd6d48
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences. https://nvd.nist.gov/vuln/detail/CVE-2018-15120 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
39 lines
1.2 KiB
Diff
39 lines
1.2 KiB
Diff
From 71aaeaf020340412b8d012fe23a556c0420eda5f Mon Sep 17 00:00:00 2001
|
|
From: Matthias Clasen <mclasen@redhat.com>
|
|
Date: Fri, 17 Aug 2018 22:29:36 -0400
|
|
Subject: [PATCH] Prevent an assertion with invalid Unicode sequences
|
|
|
|
Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f,
|
|
can trick the Emoji iter code into returning an empty
|
|
segment, which then triggers an assertion in the itemizer.
|
|
|
|
Prevent this by ensuring that we make progress.
|
|
|
|
This issue was reported by Jeffrey M.
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
pango/pango-emoji.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/pango/pango-emoji.c b/pango/pango-emoji.c
|
|
index 0e332dff..29472452 100644
|
|
--- a/pango/pango-emoji.c
|
|
+++ b/pango/pango-emoji.c
|
|
@@ -253,6 +253,12 @@ _pango_emoji_iter_next (PangoEmojiIter *iter)
|
|
if (iter->is_emoji == PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type))
|
|
{
|
|
iter->is_emoji = !PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type);
|
|
+
|
|
+ /* Make sure we make progress. Weird sequences, like a VC15 followed
|
|
+ * by VC16, can trick us into stalling otherwise. */
|
|
+ if (iter->start == iter->end)
|
|
+ iter->end = g_utf8_next_char (iter->end);
|
|
+
|
|
return TRUE;
|
|
}
|
|
}
|
|
--
|
|
2.11.0
|
|
|