From a95ba487373414153df228677060e4f29f3b097b Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Tue, 18 Mar 2025 01:58:24 +0000
Subject: [PATCH] fix CVE-2025-27363
---
 backport-CVE-2025-27363.patch | 41 +++++++++++++++++++++++++++++++++++
 freetype.spec | 7 +++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-27363.patch
diff --git a/backport-CVE-2025-27363.patch b/backport-CVE-2025-27363.patch
new file mode 100644
index 0000000..3854943
--- /dev/null
+++ b/backport-CVE-2025-27363.patch
@@ -0,0 +1,41 @@
+From 61fdf05f0ed8e2332ee20a44e392a14cf71d2162 Mon Sep 17 00:00:00 2001
+From: Michel Lind
+Date: Fri, 14 Mar 2025 12:57:35 -0500
+Subject: [PATCH] Fix for CVE-2025-27363 out-of-bound write vulnerability
+
+Resolves: RHEL-83104
+Resolves: RHEL-83109
+
+Signed-off-by: Michel Lind
+
+Reference:https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8
+Conflict:NA
+
+---
+
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1944,7 +1944,7 @@
+ short i, limit;
+ FT_SubGlyph subglyph;
+
+- FT_Outline outline;
++ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
+ FT_Vector* points = NULL;
+ char* tags = NULL;
+ short* contours = NULL;
+@@ -1953,6 +1953,13 @@
+
+ limit = (short)gloader->current.num_subglyphs;
+
++ /* make sure this isn't negative as we're going to add 4 later */
++ if ( limit < 0 )
++ {
++ error = FT_THROW( Invalid_Argument );
++ goto Exit;
++ }
++
+ /* construct an outline structure for */
+ /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+ outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
+
diff --git a/freetype.spec b/freetype.spec
index 8bb6dd1..c7232e2 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -4,7 +4,7 @@
 Name: freetype
 Version: 2.10.2
-Release: 5
+Release: 6
 Summary: FreeType is a freely available software library to render fonts
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL: http://www.freetype.org
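Review bot: The added `if ( limit < 0 )` guard in the second ttgload.c hunk tests the value only after it has been narrowed by `(short)`, so it catches just those counts whose truncated value happens to be negative. The visible `outline.n_points = (short)( gloader->current.num_subglyphs + 4 )` below it repeats the narrowing with 4 added, so a count within 4 of the `short` maximum passes the guard yet still wraps there; whether that case is rejected depends on allocation code outside the hunk. Checking the unconverted count before either cast, e.g. `if ( gloader->current.num_subglyphs > 0x7FFF - 4 )`, bounds both expressions and also rejects counts too large for `short` that would truncate to a small non-negative `limit`. The enclosing function starts and ends outside the hunk, so the declared type of `num_subglyphs` and what the `Exit` label cleans up should be confirmed against the full file.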
@@ -26,6 +26,7 @@ Patch6007: backport-0001-CVE-2022-27405.patch
 Patch6008: backport-0002-CVE-2022-27405.patch
 Patch6009: backport-CVE-2022-27406.patch
 Patch6010: backport-CVE-2023-2004.patch
+Patch6011: backport-CVE-2025-27363.patch
 BuildRequires: gcc libX11-devel libpng-devel zlib-devel bzip2-devel
@@ -74,6 +75,7 @@ popd
 %patch6008 -p1
 %patch6009 -p1
 %patch6010 -p1
+%patch6011 -p1
 %build
 %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
@@ -148,6 +150,9 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 %{_mandir}/man1/*
 %changelog
+* Tue Mar 18 2025 zhangpan - 2.10.2-6
+- fix CVE-2025-27363
+
 * Mon Apr 17 2023 zhouwenpei - 2.10.2-5
 - fix CVE-2023-2004
-- Gitee