From c832b3f0c58972e00641163adf474bc2444cd894 Mon Sep 17 00:00:00 2001
From: Jonathan Wright <jonathan@almalinux.org>
Date: Fri, 14 Mar 2025 10:06:17 -0500
Subject: [PATCH] Fix CVE-2025-27363 (rebase to simpler patch)

---
 SOURCES/freetype-2.10.4-cve-2025-27363.patch | 173 ++-----------------
 SPECS/freetype.spec                          |  17 +-
 2 files changed, 24 insertions(+), 166 deletions(-)

diff --git a/SOURCES/freetype-2.10.4-cve-2025-27363.patch b/SOURCES/freetype-2.10.4-cve-2025-27363.patch
index 616da23..5b4aa38 100644
--- a/SOURCES/freetype-2.10.4-cve-2025-27363.patch
+++ b/SOURCES/freetype-2.10.4-cve-2025-27363.patch
@@ -1,168 +1,25 @@
 --- a/src/truetype/ttgload.c
 +++ b/src/truetype/ttgload.c
-@@ -972,7 +972,7 @@
- 
-     if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) )
-     {
--      if ( FT_NEW_ARRAY( unrounded, n_points ) )
-+      if ( FT_QNEW_ARRAY( unrounded, n_points ) )
-         goto Exit;
- 
-       /* Deltas apply to the unscaled data. */
-@@ -1941,33 +1941,25 @@
-       if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) ||
-            FT_IS_VARIATION( FT_FACE( face ) )      )
-       {
--        short        i, limit;
-+        FT_UShort    i, limit;
+@@ -1944,7 +1944,7 @@
+         short        i, limit;
          FT_SubGlyph  subglyph;
  
 -        FT_Outline  outline;
--        FT_Vector*  points    = NULL;
--        char*       tags      = NULL;
--        short*      contours  = NULL;
 +        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
-         FT_Vector*  unrounded = NULL;
+         FT_Vector*  points    = NULL;
+         char*       tags      = NULL;
+         short*      contours  = NULL;
+@@ -1953,6 +1953,13 @@
  
+         limit = (short)gloader->current.num_subglyphs;
  
--        limit = (short)gloader->current.num_subglyphs;
-+        limit = (FT_UShort)gloader->current.num_subglyphs;
- 
++        /* make sure this isn't negative as we're going to add 4 later */
++        if ( limit < 0 )
++        {
++          error = FT_THROW( Invalid_Argument );
++          goto Exit;
++        }
++
          /* construct an outline structure for              */
          /* communication with `TT_Vary_Apply_Glyph_Deltas' */
--        outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
--        outline.n_contours = outline.n_points;
--
--        outline.points   = NULL;
--        outline.tags     = NULL;
--        outline.contours = NULL;
--
--        if ( FT_NEW_ARRAY( points, outline.n_points )    ||
--             FT_NEW_ARRAY( tags, outline.n_points )      ||
--             FT_NEW_ARRAY( contours, outline.n_points )  ||
--             FT_NEW_ARRAY( unrounded, outline.n_points ) )
-+	if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
-+	     FT_QNEW_ARRAY( outline.tags, limit )       ||
-+	     FT_QNEW_ARRAY( outline.contours, limit )   ||
-+	     FT_QNEW_ARRAY( unrounded, limit + 4 )      )
-           goto Exit1;
- 
-+	outline.n_contours = outline.n_points = limit;
-+
-         subglyph = gloader->current.subglyphs;
- 
-         for ( i = 0; i < limit; i++, subglyph++ )
-@@ -1975,38 +1967,16 @@
-           /* applying deltas for anchor points doesn't make sense, */
-           /* but we don't have to specially check this since       */
-           /* unused delta values are zero anyways                  */
--          points[i].x = subglyph->arg1;
--          points[i].y = subglyph->arg2;
--          tags[i]     = 1;
--          contours[i] = i;
-+          outline.points[i].x = subglyph->arg1;
-+          outline.points[i].y = subglyph->arg2;
-+          outline.tags[i]     = ON_CURVE_POINT;
-+          outline.contours[i] = i;
-         }
- 
--        points[i].x = loader->pp1.x;
--        points[i].y = loader->pp1.y;
--        tags[i]     = 1;
--        contours[i] = i;
--
--        i++;
--        points[i].x = loader->pp2.x;
--        points[i].y = loader->pp2.y;
--        tags[i]     = 1;
--        contours[i] = i;
--
--        i++;
--        points[i].x = loader->pp3.x;
--        points[i].y = loader->pp3.y;
--        tags[i]     = 1;
--        contours[i] = i;
--
--        i++;
--        points[i].x = loader->pp4.x;
--        points[i].y = loader->pp4.y;
--        tags[i]     = 1;
--        contours[i] = i;
--
--        outline.points   = points;
--        outline.tags     = tags;
--        outline.contours = contours;
-+	outline.points[i++] = loader->pp1;
-+	outline.points[i++] = loader->pp2;
-+	outline.points[i++] = loader->pp3;
-+	outline.points[i  ] = loader->pp4;
- 
-         /* this call provides additional offsets */
-         /* for each component's translation      */
-@@ -2024,20 +1994,20 @@
-         {
-           if ( subglyph->flags & ARGS_ARE_XY_VALUES )
-           {
--            subglyph->arg1 = (FT_Int16)points[i].x;
--            subglyph->arg2 = (FT_Int16)points[i].y;
-+            subglyph->arg1 = (FT_Int16)outline.points[i].x;
-+            subglyph->arg2 = (FT_Int16)outline.points[i].y;
-           }
-         }
- 
--        loader->pp1.x = points[i + 0].x;
--        loader->pp1.y = points[i + 0].y;
--        loader->pp2.x = points[i + 1].x;
--        loader->pp2.y = points[i + 1].y;
--
--        loader->pp3.x = points[i + 2].x;
--        loader->pp3.y = points[i + 2].y;
--        loader->pp4.x = points[i + 3].x;
--        loader->pp4.y = points[i + 3].y;
-+        loader->pp1.x = outline.points[i + 0].x;
-+        loader->pp1.y = outline.points[i + 0].y;
-+        loader->pp2.x = outline.points[i + 1].x;
-+        loader->pp2.y = outline.points[i + 1].y;
-+
-+        loader->pp3.x = outline.points[i + 2].x;
-+        loader->pp3.y = outline.points[i + 2].y;
-+        loader->pp4.x = outline.points[i + 3].x;
-+        loader->pp4.y = outline.points[i + 3].y;
- 
-         /* recalculate linear horizontal and vertical advances */
-         /* if we don't have HVAR and VVAR, respectively        */
---- a/include/freetype/internal/ftmemory.h
-+++ b/include/freetype/internal/ftmemory.h
-@@ -344,14 +344,13 @@ extern "C++"
- #define FT_RENEW_ARRAY( ptr, curcnt, newcnt )                           \
-           FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) )
- 
--#define FT_QNEW( ptr )                           \
--          FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) )
-+#define FT_QNEW( ptr )  FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) )
- 
--#define FT_QNEW_ARRAY( ptr, count )                          \
--          FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) )
-+#define FT_QNEW_ARRAY( ptr, count )                           \
-+          FT_MEM_SET_ERROR( FT_MEM_QNEW_ARRAY( ptr, count ) )
- 
--#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt )                          \
--          FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) )
-+#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt )                           \
-+          FT_MEM_SET_ERROR( FT_MEM_QRENEW_ARRAY( ptr, curcnt, newcnt ) )
- 
- 
-   FT_BASE( FT_Pointer )
---- a/src/sfnt/ttload.c
-+++ b/src/sfnt/ttload.c
-@@ -987,6 +987,9 @@
-           }
-         }
- 
-+        /* mark the string as not yet converted */
-+        entry->string = NULL;
-+
-         entry++;
-       }
- 
-
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
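Review bot: The added `if ( limit < 0 )` guard in the ttgload.c hunk tests only the already-truncated `short`, so the following context line `outline.n_points = (short)( gloader->current.num_subglyphs + 4 );` can still wrap to a negative value when the count is between 32764 and 32767. Whether that case is safe depends on the array allocation macros rejecting a negative count, which this patch does not show. Checking the count before the cast would make the bound explicit and would also cover any truncation by `(short)`, for example `if ( gloader->current.num_subglyphs > 0x7FFF - 4 )` in place of `if ( limit < 0 )`, with the comment reworded to `/* reject counts that would overflow a short once 4 is added */`. The enclosing function starts and ends outside the hunk, so later uses of `limit` and `outline.n_points` are not confirmed here.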
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index a9a96fe..7ce77c5 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -4,7 +4,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.10.4
-Release: 9%{?dist}.alma.1
+Release: 9%{?dist}.alma.2
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL: http://www.freetype.org
 Source:  http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz
@@ -42,11 +42,8 @@ Patch10: freetype-2.10.4-properly-guard-face_index.patch
 Patch11: freetype-2.10.4-guard-face-size.patch
 
 # CVE-2025-27363
-# https://issues.redhat.com/browse/RHEL-83280
-# https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8
-# backported from
-# https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
-# https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
+# https://access.redhat.com/security/cve/cve-2025-27363
+# Patch by Marc Deslauriers of Canonical
 Patch12: freetype-2.10.4-cve-2025-27363.patch
 
 BuildRequires:  gcc
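Review bot: The new comment block above `Patch12` no longer records where the patch text came from: it names the author, but drops both upstream commit URLs without adding a link to the patch now being shipped. Because this is a security fix and, per the changelog, is no longer the upstream-derived backport, a line such as `# Source: <URL of the patch as published by its author>` would let a later maintainer verify the file against its origin. It may also be worth keeping `# https://issues.redhat.com/browse/RHEL-83280`, since the changelog entry still resolves that issue.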
@@ -258,12 +255,16 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
-* Wed Mar 12 2025 Jonathan Wright <jonathan@almalinux.org> - 20.10.4-9.alma.1
+* Fri Mar 14 2025 Jonathan Wright <jonathan@almalinux.org> - 2.10.4-9.alma.2
+- Rebase CVE-2025-27363 to simpler patch by Marc Deslauriers of Canonical
+- Resolves: RHEL-83280
+- Fix previous changelog version
+
+* Wed Mar 12 2025 Jonathan Wright <jonathan@almalinux.org> - 2.10.4-9.alma.1
 - Backport from CentOS Stream 9 PR by Michel Lind <salimma@centosproject.org>
 - TrueType clean up and unsigned fixes for CVE-2025-27363
 - Resolves: RHEL-83280
 
-
 * Tue May 31 2022 Marek Kasik <mkasik@redhat.com> - 2.10.4-9
 - Guard face->size
 - Resolves: #2079280
-- 
2.43.5