40 lines
1.4 KiB
Diff
40 lines
1.4 KiB
Diff
From a04b3e4d72a1709d2cd7a7dfb6552ab1fe9a9d31 Mon Sep 17 00:00:00 2001
|
|
From: Ahmet Furkan Kavraz <kavraz@amazon.com>
|
|
Date: Fri, 30 Jan 2026 09:54:28 +0000
|
|
Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
|
|
parsing
|
|
|
|
Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
|
|
|
|
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
|
|
---
|
|
fontforge/sfd.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
|
|
index 6b980a4785..78df7a8ff3 100644
|
|
--- a/fontforge/sfd.c
|
|
+++ b/fontforge/sfd.c
|
|
@@ -8275,6 +8275,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
|
|
for ( i=classstart; i<kc->first_cnt; ++i ) {
|
|
if (kernclassversion < 3) {
|
|
getint(sfd,&temp);
|
|
+ if (temp < 0) {
|
|
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
|
|
+ return false;
|
|
+ }
|
|
kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
|
|
nlgetc(sfd); /* skip space */
|
|
fread(kc->firsts[i],1,temp,sfd);
|
|
@@ -8292,6 +8296,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
|
|
for ( i=1; i<kc->second_cnt; ++i ) {
|
|
if (kernclassversion < 3) {
|
|
getint(sfd,&temp);
|
|
+ if (temp < 0) {
|
|
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
|
|
+ return false;
|
|
+ }
|
|
kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
|
|
nlgetc(sfd); /* skip space */
|
|
fread(kc->seconds[i],1,temp,sfd);
|