From d2b39d2d1a0cd448d72cf12d7b5540412fff04f6 Mon Sep 17 00:00:00 2001
From: Parag Nemade
Date: Tue, 24 Mar 2026 11:28:58 +0530
Subject: [PATCH] Resolves: RHEL-138222 CVE-2025-15270 SFD File Parsing Remote Code Execution Vulnerability
---
 5743.patch | 39 +++++++++++++++++++++++++++++++++++++++
 fontforge.spec | 9 ++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 5743.patch
diff --git a/5743.patch b/5743.patch
new file mode 100644
index 0000000..dd3c7ca
--- /dev/null
+++ b/5743.patch
@@ -0,0 +1,39 @@
+From a04b3e4d72a1709d2cd7a7dfb6552ab1fe9a9d31 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Fri, 30 Jan 2026 09:54:28 +0000
+Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
+ parsing
+
+Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
+
+Co-authored-by: Ahmet Furkan Kavraz
+---
+ fontforge/sfd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..78df7a8ff3 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -8275,6 +8275,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ for ( i=classstart; ifirst_cnt; ++i ) {
+ if (kernclassversion < 3) {
+ getint(sfd,&temp);
++ if (temp < 0) {
++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
++ return false;
++ }
+ kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
+ nlgetc(sfd); /* skip space */
+ fread(kc->firsts[i],1,temp,sfd);
+@@ -8292,6 +8296,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ for ( i=1; isecond_cnt; ++i ) {
+ if (kernclassversion < 3) {
+ getint(sfd,&temp);
++ if (temp < 0) {
++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
++ return false;
++ }
+ kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
+ nlgetc(sfd); /* skip space */
+ fread(kc->seconds[i],1,temp,sfd);
diff --git a/fontforge.spec b/fontforge.spec
index df87f3e..824cc52 100644
--- a/fontforge.spec
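Review bot: The kern-class name length `temp` is still unbounded above and the buffer it sizes is never checked: in both hunks of fontforge/sfd.c carried by 5743.patch, the line after the new guard does `malloc(temp+1)` and immediately writes `kc->firsts[i][temp] = '\0'` (`kc->seconds[i][temp]` in the second loop) with no NULL test, and the return value of `fread` is ignored. A file-supplied length large enough to make the allocation fail therefore still ends in a write through a NULL-based pointer, and a truncated file leaves the name partly uninitialised while the load continues. I would add `if (kc->firsts[i] == NULL) return false;` after the allocation and turn the read into `if (fread(kc->firsts[i],1,temp,sfd) != (size_t)temp) return false;`, with the same pair for `kc->seconds[i]`; since 5743.patch is taken from the upstream pull request, this is best raised there and picked up downstream. Both loops sit inside SFD_GetFontMetaData, whose body starts and ends outside the hunks, so whether the early `return false` leaves `kc` and the names already allocated for the caller to free cannot be judged from here.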
+++ b/fontforge.spec @@ -2,7 +2,7 @@ Name: fontforge Version: 20201107 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Outline and bitmap font editor License: GPLv3+ @@ -26,6 +26,9 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge # CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723 # https://sourceforge.net/p/fontforge/patches/32/ Patch5: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch +# CVE-2025-15270 https://github.com/fontforge/fontforge/pull/5743 +# https://sourceforge.net/p/fontforge/patches/41/ +Patch6: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5743.patch Requires: xdg-utils Requires: autotrace @@ -145,6 +148,10 @@ popd %doc %{_pkgdocdir} %changelog +* Tue Mar 24 2026 Parag Nemade - 20201107-8 +- Resolves: RHEL-138222 + CVE-2025-15270 SFD File Parsing Remote Code Execution Vulnerability + * Tue Jan 27 2026 Parag Nemade - 20201107-7 - Resolves: RHEL-138206 CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow