From 1379b610b6f416ebedfb23b8549a926ad99c331c Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Mon, 31 Mar 2025 18:33:03 +0000
Subject: [PATCH] import UBI freetype-2.9.1-10.el8_10

---
 SOURCES/freetype-2.9.1-cve-2025-27363.patch | 27 +++++++++++++++++++++
 SPECS/freetype.spec                         | 12 ++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/freetype-2.9.1-cve-2025-27363.patch

diff --git a/SOURCES/freetype-2.9.1-cve-2025-27363.patch b/SOURCES/freetype-2.9.1-cve-2025-27363.patch
new file mode 100644
index 0000000..295f716
--- /dev/null
+++ b/SOURCES/freetype-2.9.1-cve-2025-27363.patch
@@ -0,0 +1,27 @@
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 39d9c3f..d36cbe9 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1840,7 +1840,7 @@
+         short        i, limit;
+         FT_SubGlyph  subglyph;
+
+-        FT_Outline  outline;
++        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
+         FT_Vector*  points   = NULL;
+         char*       tags     = NULL;
+         short*      contours = NULL;
+@@ -1848,6 +1848,13 @@
+
+         limit = (short)gloader->current.num_subglyphs;
+
++        /* make sure this isn't negative as we're going to add 4 later */
++        if ( limit < 0 )
++        {
++          error = FT_THROW( Invalid_Argument );
++          goto Exit;
++        }
++
+         /* construct an outline structure for              */
+         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index ba024a6..34f6931 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -3,7 +3,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.9.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -42,6 +42,11 @@ Patch11:  freetype-2.9.1-properly-guard-face-index.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2077985
 Patch12:  freetype-2.9.1-guard-face-size.patch
 
+# CVE-2025-27363
+# https://access.redhat.com/security/cve/cve-2025-27363
+# Patch by Marc Deslauriers of Canonical
+Patch13: freetype-2.9.1-cve-2025-27363.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
@@ -106,6 +111,7 @@ popd
 %patch10 -p1 -b .windres
 %patch11 -p1 -b .properly-guard-face-index
 %patch12 -p1 -b .guard-face-size
+%patch13 -p1 -b .cve-2025-27363
 
 %build
 
@@ -218,6 +224,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
+* Fri Mar 14 2025 Jonathan Wright <jonathan@almalinux.org> - 2.9.1-10
+- Fix CVE-2025-27363 Out-of-bounds Write
+- Resolves: RHEL-83094
+
 * Fri May 27 2022 Marek Kasik <mkasik@redhat.com> - 2.9.1-9
 - Guard face->size
 - Resolves: #2079279