diff --git a/backport-0001-CVE-2025-27363.patch b/backport-0001-CVE-2025-27363.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a122531bba16c8f5190b984b0b5d78f064653f2
--- /dev/null
+++ b/backport-0001-CVE-2025-27363.patch
@@ -0,0 +1,147 @@
+From ef636696524b081f1b8819eb0c6a0b932d35757d Mon Sep 17 00:00:00 2001
+From: Alexei Podtelezhnikov
+Date: Fri, 17 Mar 2023 23:25:45 -0400
+Subject: [PATCH] [truetype] Clean up zeroing and local variables.
+
+* src/truetype/ttgload.c (TT_Process_Simple_Glyph): Avoid zeroing.
+(load_truetype_glyph): Avoid zeroing and clean local variables.
+
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
+Conflict:context adaptation and points->outline.points
+
+---
+ src/truetype/ttgload.c | 82 ++++++++++++++----------------------------
+ 1 file changed, 26 insertions(+), 56 deletions(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 2ca63d6..8c1fbbf 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -981,7 +981,7 @@
+
+ if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) )
+ {
+- if ( FT_NEW_ARRAY( unrounded, n_points ) )
++ if ( FT_QNEW_ARRAY( unrounded, n_points ) )
+ goto Exit;
+
+ /* Deltas apply to the unscaled data. */
+@@ -1948,10 +1948,7 @@
+ short i, limit;
+ FT_SubGlyph subglyph;
+
+- FT_Outline outline;
+- FT_Vector* points = NULL;
+- char* tags = NULL;
+- short* contours = NULL;
++ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
+ FT_Vector* unrounded = NULL;
+
+
+@@ -1959,19 +1956,14 @@
+
+ /* construct an outline structure for */
+ /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+- outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
+- outline.n_contours = outline.n_points;
+-
+- outline.points = NULL;
+- outline.tags = NULL;
+- outline.contours = NULL;
+-
+- if ( FT_NEW_ARRAY( points, outline.n_points ) ||
+- FT_NEW_ARRAY( tags, outline.n_points ) ||
+- FT_NEW_ARRAY( contours, outline.n_points ) ||
+- FT_NEW_ARRAY( unrounded, outline.n_points ) )
++ if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
++ FT_QNEW_ARRAY( outline.tags, limit ) ||
++ FT_QNEW_ARRAY( outline.contours, limit ) ||
++ FT_QNEW_ARRAY( unrounded, limit + 4 ) )
+ goto Exit1;
+
++ outline.n_contours = outline.n_points = limit;
++
+ subglyph = gloader->current.subglyphs;
+
+ for ( i = 0; i < limit; i++, subglyph++ )
+@@ -1979,38 +1971,16 @@
+ /* applying deltas for anchor points doesn't make sense, */
+ /* but we don't have to specially check this since */
+ /* unused delta values are zero anyways */
+- points[i].x = subglyph->arg1;
+- points[i].y = subglyph->arg2;
+- tags[i] = 1;
+- contours[i] = i;
++ outline.points[i].x = subglyph->arg1;
++ outline.points[i].y = subglyph->arg2;
++ outline.tags[i] = ON_CURVE_POINT;
++ outline.contours[i] = i;
+ }
+
+- points[i].x = loader->pp1.x;
+- points[i].y = loader->pp1.y;
+- tags[i] = 1;
+- contours[i] = i;
+-
+- i++;
+- points[i].x = loader->pp2.x;
+- points[i].y = loader->pp2.y;
+- tags[i] = 1;
+- contours[i] = i;
+-
+- i++;
+- points[i].x = loader->pp3.x;
+- points[i].y = loader->pp3.y;
+- tags[i] = 1;
+- contours[i] = i;
+-
+- i++;
+- points[i].x = loader->pp4.x;
+- points[i].y = loader->pp4.y;
+- tags[i] = 1;
+- contours[i] = i;
+-
+- outline.points = points;
+- outline.tags = tags;
+- outline.contours = contours;
++ outline.points[i++] = loader->pp1;
++ outline.points[i++] = loader->pp2;
++ outline.points[i++] = loader->pp3;
++ outline.points[i ] = loader->pp4;
+
+ /* this call provides additional offsets */
+ /* for each component's translation */
+@@ -2028,20 +1998,20 @@
+ {
+ if ( subglyph->flags & ARGS_ARE_XY_VALUES )
+ {
+- subglyph->arg1 = (FT_Int16)points[i].x;
+- subglyph->arg2 = (FT_Int16)points[i].y;
++ subglyph->arg1 = (FT_Int16)outline.points[i].x;
++ subglyph->arg2 = (FT_Int16)outline.points[i].y;
+ }
+ }
+
+- loader->pp1.x = points[i + 0].x;
+- loader->pp1.y = points[i + 0].y;
+- loader->pp2.x = points[i + 1].x;
+- loader->pp2.y = points[i + 1].y;
++ loader->pp1.x = outline.points[i + 0].x;
++ loader->pp1.y = outline.points[i + 0].y;
++ loader->pp2.x = outline.points[i + 1].x;
++ loader->pp2.y = outline.points[i + 1].y;
+
+- loader->pp3.x = points[i + 2].x;
+- loader->pp3.y = points[i + 2].y;
+- loader->pp4.x = points[i + 3].x;
+- loader->pp4.y = points[i + 3].y;
++ loader->pp3.x = outline.points[i + 2].x;
++ loader->pp3.y = outline.points[i + 2].y;
++ loader->pp4.x = outline.points[i + 3].x;
++ loader->pp4.y = outline.points[i + 3].y;
+
+ /* recalculate linear horizontal and vertical advances */
+ /* if we don't have HVAR and VVAR, respectively */
+--
+2.33.0
+
diff --git a/backport-0002-CVE-2025-27363.patch b/backport-0002-CVE-2025-27363.patch
new file mode 100644
index 0000000000000000000000000000000000000000..85e22d6d04ed0dd7079686bfbb8080a266d5c08b
--- /dev/null
+++ b/backport-0002-CVE-2025-27363.patch
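Review bot: `unrounded` is no longer zero-filled once `FT_NEW_ARRAY` becomes `FT_QNEW_ARRAY` in the `@@ -981` hunk (`TT_Process_Simple_Glyph`) and the `@@ -1959` hunk (`load_truetype_glyph`), so every element has to be written by `TT_Vary_Apply_Glyph_Deltas` before anything reads it. That callee is neither changed nor shown by this patch, and the header records `Conflict:context adaptation`, so its behaviour in the packaged 2.12.1 source, including any early-return path, should be checked rather than assumed from the upstream tree. The same hunk sizes `outline.tags` and `outline.contours` at `limit` while `outline.points` and `unrounded` get `limit + 4`; I would add a comment above the allocations, `/* points/unrounded carry 4 extra phantom points; tags/contours cover only the limit components */`, so a later edit does not index the shorter arrays over the phantom-point range. Both functions begin and end outside the hunks shown.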
@@ -0,0 +1,36 @@
+From 73720c7c9958e87b3d134a7574d1720ad2d24442 Mon Sep 17 00:00:00 2001
+From: Alexei Podtelezhnikov
+Date: Sun, 23 Jun 2024 10:58:00 -0400
+Subject: [PATCH] * src/truetype/ttgload.c (load_truetype_glyph): Unsigned fix.
+
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
+Conflict:NA
+
+---
+ src/truetype/ttgload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 8cddc394c..b656ccf04 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1738,14 +1738,14 @@
+ if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) ||
+ FT_IS_VARIATION( FT_FACE( face ) ) )
+ {
+- short i, limit;
++ FT_UShort i, limit;
+ FT_SubGlyph subglyph;
+
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
+ FT_Vector* unrounded = NULL;
+
+
+- limit = (short)gloader->current.num_subglyphs;
++ limit = (FT_UShort)gloader->current.num_subglyphs;
+
+ /* construct an outline structure for */
+ /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+--
+GitLab
+
diff --git a/freetype.spec b/freetype.spec
index 49625a4895b96255d5185e637fb5ac8989a804e0..3b8031dc93db9ce24b603dbef68d46ebb4d7eada 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -4,7 +4,7 @@ Name: freetype Version: 2.12.1
-Release: 3
+Release: 4
 Summary: FreeType is a freely available software library to render fonts License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement URL: http://www.freetype.org
@@ -23,6 +23,8 @@ Patch6003: backport-freetype-2.8-multilib.patch Patch6004: backport-freetype-2.10.0-internal-outline.patch Patch6005: backport-freetype-2.10.1-debughook.patch Patch6006: backport-CVE-2023-2004.patch
+Patch6007: backport-0001-CVE-2025-27363.patch
+Patch6008: backport-0002-CVE-2025-27363.patch
 BuildRequires: gcc libX11-devel libpng-devel zlib-devel bzip2-devel meson
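Review bot: Making `limit` an `FT_UShort` lets it hold values above 32767, yet backport-0001 stores it with `outline.n_contours = outline.n_points = limit;` and writes `outline.contours[i] = i;`, which narrows those values if the `FT_Outline` counters and the `contours` array are still signed `short` in 2.12.1. The struct definition is not visible here, and this upstream commit is dated June 2024, more than a year after the first one, so `Conflict:NA` shows only that the text applied, not that the surrounding types match. If they are signed, a guard placed before the allocations, for example `if ( limit > 0x7FFF ) { error = FT_THROW( Invalid_Composite ); goto Exit1; }` (assuming `error` is the function's status variable), keeps the count within what the outline can represent. The enclosing block of `load_truetype_glyph` continues past the hunk.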
@@ -71,6 +73,8 @@ popd %patch6004 -p1 %patch6005 -p1 %patch6006 -p1
+%patch6007 -p1
+%patch6008 -p1
 %build %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
@@ -151,6 +155,9 @@ meson test -C out %{_mandir}/man1/* %changelog
+* Mon Mar 17 2025 zhangpan - 2.12.1-4
+- fix CVE-2025-27363
+
 * Tue Nov 14 2023 zhangpan - 2.12.1-3 - enable make check