fontforge: patch CVE-2020-5395, CVE-2020-25690 and CVE-2020-5496

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395
https://nvd.nist.gov/vuln/detail/CVE-2020-25690
https://nvd.nist.gov/vuln/detail/CVE-2020-5496

The same patch fixes all three.
The patch for CVE-2020-25690 is mentioned in the RedHat bug, which is
referenced in the nvd report.
The patch for CVE-2020-5395 is mentioned in the Github issue that
is referenced in the nvd report.
The patch for CVE-2020-5496 is mentioned in the comments of the issue
that is linked in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch

@@ -0,0 +1,81 @@
+From 169bfc28246c10493ac085c9e9ed5b0ab58ac979 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many other potential issues (many downstream calls to
+ strlen() on the value).
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c  | 19 ++++++++++++++-----
+ fontforge/sfd1.c |  2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 214163343..cdce0b08a 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ 	if ( cur!=NULL ) {
+ 	    if ( cur->spiro_cnt>=cur->spiro_max )
+-		cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++		cur->spiros = realloc(cur->spiros,
++		                      (cur->spiro_max+=10)*sizeof(spiro_cp));
+ 	    cur->spiros[cur->spiro_cnt++] = cp;
+ 	}
+     }
+-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++    if (    cur!=NULL && cur->spiro_cnt>0
++         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ 	if ( cur->spiro_cnt>=cur->spiro_max )
+-	    cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++	    cur->spiros = realloc(cur->spiros,
++	                          (cur->spiro_max+=1)*sizeof(spiro_cp));
+ 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+     }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+     else if ( strmatch(tok,"LayerCount:")==0 )
+     {
+ 	d->had_layer_cnt = true;
+-	getint(sfd,&sf->layer_cnt);
+-	if ( sf->layer_cnt>2 ) {
++	int layer_cnt_tmp;
++	getint(sfd,&layer_cnt_tmp);
++	if ( layer_cnt_tmp>2 ) {
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+ 	}
+     }
+ 
++    // Many downstream functions assume this isn't NULL (use strlen, etc.)
++    if ( sf->fontname==NULL)
++	sf->fontname = copy("");
++
+     if ( fromdir )
+ 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+     else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d..b42f83267 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+ 
+     /* Fix up some gunk from really old versions of the sfd format */
+     SFDCleanupAnchorClasses(&sf->sf);
+-    if ( sf->sf.uni_interp==ui_unset )
++    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+ 
+     /* Fixup for an old bug */

meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch

@@ -0,0 +1,32 @@
+From c169022972d82ee0da4812e77aa8f560d173fcd7 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste@kittens.ph>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index cdce0b08a..132f9fa0c 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ 	int layer_cnt_tmp;
+ 	getint(sfd,&layer_cnt_tmp);
+ 	if ( layer_cnt_tmp>2 ) {
++	    sf->layer_cnt = layer_cnt_tmp;
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+-	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )

meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb

@@ -17,7 +17,9 @@ REQUIRED_DISTRO_FEATURES:append:class-target = " x11"
 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
 SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
            file://0001-include-sys-select-on-non-glibc-platforms.patch \
-"
+           file://CVE-2020-25690-1.patch \
+           file://CVE-2020-25690-2.patch \
+           "
 S = "${WORKDIR}/git"
 
 EXTRA_OECONF += "--without-libuninameslist  --enable-python-scripting --enable-python-extension"