From: Hugo SIMELIERE <[email protected]> Upstream-Status: Backport from https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
Signed-off-by: Bruno VERNAY <[email protected]> Signed-off-by: Hugo SIMELIERE <[email protected]> --- .../harfbuzz/files/CVE-2026-22693.patch | 33 +++++++++++++++++++ .../harfbuzz/harfbuzz_8.3.0.bb | 4 ++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch diff --git a/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch new file mode 100644 index 0000000000..c57859a7b3 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch @@ -0,0 +1,33 @@ +From 95d38abd1293cae1f2aa700a3949288fd2c9a4c4 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <[email protected]> +Date: Fri, 9 Jan 2026 04:54:42 -0700 +Subject: [PATCH] [cmap] malloc fail test (#5710) + +Fixes https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww + +Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae] +CVE: CVE-2026-22693 + +Signed-off-by: Hugo SIMELIERE <[email protected]> +--- + src/hb-ot-cmap-table.hh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh +index e2e258185..2f7d72700 100644 +--- a/src/hb-ot-cmap-table.hh ++++ b/src/hb-ot-cmap-table.hh +@@ -1534,6 +1534,10 @@ struct SubtableUnicodesCache { + { + SubtableUnicodesCache* cache = + (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache)); ++ ++ if (unlikely (!cache)) ++ return nullptr; ++ + new (cache) SubtableUnicodesCache (source_table); + return cache; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb index d733342682..440ca1043d 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb @@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b98429b8e8e3c2a67cfef01e99e4893d \ file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc \ " -SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz" +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz \ + file://CVE-2026-22693.patch \ + " SRC_URI[sha256sum] = "109501eaeb8bde3eadb25fab4164e993fbace29c3d775bcaa1c1e58e2f15f847" DEPENDS += "glib-2.0-native" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231518): https://lists.openembedded.org/g/openembedded-core/message/231518 Mute This Topic: https://lists.openembedded.org/mt/117910516/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
