pool/fontforge
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity
Files
factory
fontforge/fontforge-CVE-2025-15269.patch
Takashi Iwai a795bf75a1 - Add fontforge-fix-multiple-crashes-in-Multiple-Masters.patch: 
Backport dfe5c803 from upstream, Fix multiple crashes in Multiple
  Masters.
- Add fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch:
  Backport 0df57ac0 from upstream, fix crash for content over 32767
  characters in GDraw multiline text field.
- Add fontforge-CVE-2025-15279-part02_720ea950.patch:
  Backport 720ea950 from upstream, Move bounds check inside
  cnt >= 3 block.
  (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
- Add fontforge-CVE-2025-15269.patch:
  Backport 6aea6db5 from upstream, Use-after-free in SFD ligature
  parsing.
  (CVE-2025-15269, ZDI-25-1195, ZDI-CAN-28564, bsc#1256032)
- Add fontforge-CVE-2025-15275.patch:
  Backport 71954027 from upstream, Fix heap buffer overflow in SFD
  image parsing.
  (CVE-2025-15275 ZDI-25-1189 ZDI-CAN-28543 bsc#1256025)
- Add fontforge-CVE-2025-15279-part01_7d67700c.patch:
  Backport 7d67700c from upstream, Fix heap buffer overflow in BMP
  RLE decompression.
  (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
- Add fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch:
  Backport aca4f524 from upstream, Metrics view: Fix crash on Up/Down
  keypress while in the feature list.
- Add fontforge-fix-crash-in-Metrics-View.patch
  Backport 46dc37435 from upstream, Fix crash in Metrics View.
- Add fontforge-fix-UFO-crash-for-empty-contours.patch
  Backport 77b1b148 from upstream, Fix UFO crash for empty contours.
- Add fontforge-fix-crash-issue-in-allmarkglyphs.patch:
  Backport 9d793fe9 from upstream, fix crash issue in allmarkglyphs.

OBS-URL: https://build.opensuse.org/package/show/M17N/fontforge?expand=0&rev=107
2026-01-28 15:58:17 +00:00

35 lines
1.1 KiB
Diff
Raw Permalink Blame History

From 6aea6db5da332d8ac94e3501bb83c1b21f52074d Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz
<55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Sat, 10 Jan 2026 20:06:53 +0100
Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
(#5722)
Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
the next pointer after shallow copy. The shallow copy propagates liga's
modified next pointer from previous iterations, creating a cycle that
causes double-free when the list is traversed and freed.
Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
---
fontforge/sfd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index 0590c119f..a349d0b2f 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -4715,6 +4715,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
new = chunkalloc(sizeof( PST1 ));
*new = *liga;
+ new->pst.next = NULL;
new->pst.u.lig.components = copy(pt+1);
last->pst.next = (PST *) new;
last = new;
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink