mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
fontforge: patch CVE-2025-15270
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270 Pick the patch that mentions this vulnerbaility explicitly in its description. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
@@ -0,0 +1,44 @@
|
|||||||
|
From c36b95c57f85a34ad85ca2be34f62ff1100d52f1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ahmet Furkan Kavraz
|
||||||
|
<55850855+ahmetfurkankavraz@users.noreply.github.com>
|
||||||
|
Date: Sat, 31 Jan 2026 21:23:41 +0100
|
||||||
|
Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
|
||||||
|
parsing (#5743)
|
||||||
|
|
||||||
|
Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
|
||||||
|
|
||||||
|
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
|
||||||
|
|
||||||
|
CVE: CVE-2025-15270
|
||||||
|
Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
fontforge/sfd.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
|
||||||
|
index 940627a3b..99d92b051 100644
|
||||||
|
--- a/fontforge/sfd.c
|
||||||
|
+++ b/fontforge/sfd.c
|
||||||
|
@@ -8276,6 +8276,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
|
||||||
|
for ( i=classstart; i<kc->first_cnt; ++i ) {
|
||||||
|
if (kernclassversion < 3) {
|
||||||
|
getint(sfd,&temp);
|
||||||
|
+ if (temp < 0) {
|
||||||
|
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
|
||||||
|
nlgetc(sfd); /* skip space */
|
||||||
|
fread(kc->firsts[i],1,temp,sfd);
|
||||||
|
@@ -8293,6 +8297,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
|
||||||
|
for ( i=1; i<kc->second_cnt; ++i ) {
|
||||||
|
if (kernclassversion < 3) {
|
||||||
|
getint(sfd,&temp);
|
||||||
|
+ if (temp < 0) {
|
||||||
|
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
|
||||||
|
nlgetc(sfd); /* skip space */
|
||||||
|
fread(kc->seconds[i],1,temp,sfd);
|
||||||
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
|
|||||||
file://CVE-2020-25690-2.patch \
|
file://CVE-2020-25690-2.patch \
|
||||||
file://CVE-2024-25081-25082.patch \
|
file://CVE-2024-25081-25082.patch \
|
||||||
file://CVE-2025-15269.patch \
|
file://CVE-2025-15269.patch \
|
||||||
|
file://CVE-2025-15270.patch \
|
||||||
"
|
"
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user