42 lines
1.2 KiB
Diff
42 lines
1.2 KiB
Diff
From 61fdf05f0ed8e2332ee20a44e392a14cf71d2162 Mon Sep 17 00:00:00 2001
|
|
From: Michel Lind <salimma@centosproject.org>
|
|
Date: Fri, 14 Mar 2025 12:57:35 -0500
|
|
Subject: [PATCH] Fix for CVE-2025-27363 out-of-bound write vulnerability
|
|
|
|
Resolves: RHEL-83104
|
|
Resolves: RHEL-83109
|
|
|
|
Signed-off-by: Michel Lind <salimma@centosproject.org>
|
|
|
|
Reference:https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8
|
|
Conflict:NA
|
|
|
|
---
|
|
|
|
--- a/src/truetype/ttgload.c
|
|
+++ b/src/truetype/ttgload.c
|
|
@@ -1944,7 +1944,7 @@
|
|
short i, limit;
|
|
FT_SubGlyph subglyph;
|
|
|
|
- FT_Outline outline;
|
|
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
|
|
FT_Vector* points = NULL;
|
|
char* tags = NULL;
|
|
short* contours = NULL;
|
|
@@ -1953,6 +1953,13 @@
|
|
|
|
limit = (short)gloader->current.num_subglyphs;
|
|
|
|
+ /* make sure this isn't negative as we're going to add 4 later */
|
|
+ if ( limit < 0 )
|
|
+ {
|
|
+ error = FT_THROW( Invalid_Argument );
|
|
+ goto Exit;
|
|
+ }
|
|
+
|
|
/* construct an outline structure for */
|
|
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
|
|
outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
|
|
|