--- a/base-specs/pango.spec Mon Jul 18 05:42:15 2011 +0000
+++ b/base-specs/pango.spec Fri Jul 29 10:06:54 2011 +0000
@@ -35,6 +35,9 @@
Patch4: pango-04-sunstudio.diff
Patch5: pango-05-CVE-2011-0064.diff
+#owner: Praveen date:2011-07-29 type:feature bugster:7032373
+Patch6: pango-06-CVE-2011-0020.diff
+
URL: http://www.gtk.org
BuildRoot: %{_tmppath}/%{name}-%{version}-build
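Review bot: The owner comment added above `Patch6` tags this change as `type:feature`, but the patch is named after a CVE and the changelog entry says it fixes CR 7032373. If the project's tagging convention has a bug type, `#owner: Praveen date:2011-07-29 type:bug bugster:7032373` would keep the security fix findable when patches are audited by type.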
@@ -84,6 +87,7 @@
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%build
%ifos linux
@@ -159,6 +163,8 @@
%{_mandir}/man3/*
%changelog
+* Fri Jul 29 2011 - [email protected]
+- Added a new patch pango-06-CVE-2011-0020.diff to fix CR 7032373
* Thu Mar 10 2011 - [email protected]
- Added a new patch pango-05-CVE-2011-0064.diff to fix CR#7019951.
* Sat Apr 3 2010 - [email protected]
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/pango-06-CVE-2011-0020.diff Fri Jul 29 10:06:54 2011 +0000
@@ -0,0 +1,40 @@
+--- pango-1.28.0.orig/pango/pangoft2-render.c.orig 2011-07-15 04:02:47.327201380 +0530
++++ pango-1.28.0/pango/pangoft2-render.c 2011-07-15 04:07:22.339777218 +0530
+@@ -121,9 +121,14 @@ pango_ft2_font_render_box_glyph (int
+
+ box->bitmap.width = width;
+ box->bitmap.rows = height;
+- box->bitmap.pitch = height;
++ box->bitmap.pitch = width;
+
+- box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
++ box->bitmap.buffer = g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
++
++ if (G_UNLIKELY (!box->bitmap.buffer)) {
++ g_slice_free (PangoFT2RenderedGlyph, box);
++ return NULL;
++ }
+
+ /* draw the box */
+ for (j = 0; j < line_width; j++)
+@@ -226,6 +231,11 @@ pango_ft2_font_render_glyph (PangoFont *
+ rendered->bitmap_left = face->glyph->bitmap_left;
+ rendered->bitmap_top = face->glyph->bitmap_top;
+
++ if (G_UNLIKELY (!rendered->bitmap.buffer)) {
++ g_slice_free (PangoFT2RenderedGlyph, rendered);
++ return NULL;
++ }
++
+ return rendered;
+ }
+ else
+@@ -276,6 +286,8 @@ pango_ft2_renderer_draw_glyph (PangoRend
+ if (rendered_glyph == NULL)
+ {
+ rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
++ if (rendered_glyph == NULL)
++ return;
+ add_glyph_to_cache = TRUE;
+ }
+
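Review bot: In pango_ft2_font_render_box_glyph the new `if (G_UNLIKELY (!box->bitmap.buffer))` branch cannot catch an allocation failure, because g_malloc0_n aborts the process on out-of-memory or on multiplication overflow and returns NULL only for a zero-byte request. If the intent is to drop the glyph and keep running, as the NULL checks added in pango_ft2_font_render_glyph and pango_ft2_renderer_draw_glyph suggest, the call should be `box->bitmap.buffer = g_try_malloc0_n (box->bitmap.rows, box->bitmap.pitch);`. The same question applies to the check added in pango_ft2_font_render_glyph: the allocation that fills `rendered->bitmap.buffer` sits above that hunk, so it is worth confirming that it sizes the copy with an overflow-checked product and can return NULL rather than abort. All three functions start and end outside the patch's hunks.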