From 6aea6db5da332d8ac94e3501bb83c1b21f52074d Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Sat, 10 Jan 2026 20:06:53 +0100
Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing (#5722)
Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing the next pointer after shallow copy. The shallow copy propagates liga's modified next pointer from previous iterations, creating a cycle that causes double-free when the list is traversed and freed.
Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
Co-authored-by: Ahmet Furkan Kavraz
---
 fontforge/sfd.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index 0590c119f..a349d0b2f 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -4715,6 +4715,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
 while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
 new = chunkalloc(sizeof( PST1 ));
 *new = *liga;
+ new->pst.next = NULL;
 new->pst.u.lig.components = copy(pt+1);
 last->pst.next = (PST *) new;
 last = new;
-- 
2.49.0
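Review bot: The added `new->pst.next = NULL;` also discards whatever `liga->pst.next` held on entry, so if a caller ever passes a PST that is already linked into a glyph's list, the first iteration now drops that tail where the old code carried it through the copy; the function's prologue and epilogue are outside the hunk, so I cannot see whether `last` starts at `liga` with a NULL next or whether a tail is reattached afterwards — worth confirming at the call site, or saving `liga->pst.next` before the loop and reassigning it to `last->pst.next` after it. The whole-struct copy `*new = *liga;` still aliases every other pointer field of PST1 besides `components`; if any of them is heap-owned rather than shared (the subtable pointer presumably is shared), freeing the resulting list would double-free it, so copying the lig fields individually would be the safer long-term shape. A comment on the new line would help the next reader see why a NULL assignment immediately after a struct copy is load-bearing, e.g. `/* *new = *liga copied liga's next, which already points into the list being built; clear it so the list stays acyclic (CVE-2025-15269) */`. The `chunkalloc` result is used unchecked, which matches the surrounding style and presumably aborts on failure rather than returning NULL.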