fontforge: patch CVE-2025-15279

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279 Pick the patch that mentions this vulnerability ID explicitly. Also, this patch has caused some regression - pick the patch also that fixed that regression. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-27 07:50:16 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-01-30 23:59:10 -0800
commit: 922de306a6578d5317fe05845f04465a6e9d14cc (patch)
tree: 401ae8a6b399b4f8ce4e19d64ceac9e4ddab4282 /meta-oe/recipes-graphics
parent: c42dac1f0813caafd308c9965aa3259dae045848 (diff)
download: meta-openembedded-922de306a6578d5317fe05845f04465a6e9d14cc.tar.gz
3 files changed, 80 insertions, 1 deletions
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
new file mode 100644
index 0000000000..17f33f41ff
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
@@ -0,0 +1,42 @@
+From ce71f0cdce556f56c5207a33a1be3830a73cc04f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 8 Jan 2026 15:47:43 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression (#5720)
+From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+CVE: CVE-2025-15279
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28a..133336787 100644
+--- a/gutils/gimagereadbmp.c
+++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+        int ii = 0;
+        while ( ii<head->height*head->width ) {
+            int cnt = getc(file);
+           if (cnt < 0 || ii + cnt > head->height * head->width) {
+               return 0;
+           }
+            if ( cnt!=0 ) {
+                int ch = getc(file);
+                while ( --cnt>=0 )
+                    head->byte_pixels[ii++] = ch;
+            } else {
+                cnt = getc(file);
+               if (cnt < 0 || ii + cnt > head->height * head->width) {
+                   return 0;
+               }
+                if ( cnt>= 3 ) {
+                    int odd = cnt&1;
+                    while ( --cnt>=0 )
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
new file mode 100644
index 0000000000..840a37a8a9
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
@@ -0,0 +1,35 @@
+From 4cd078071e2487f052ec997ee13bb910d796587b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 12 Jan 2026 22:45:16 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+ (#5723)
+From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+CVE: CVE-2025-15279
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787..ad365158c 100644
+--- a/gutils/gimagereadbmp.c
+++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+                    head->byte_pixels[ii++] = ch;
+            } else {
+                cnt = getc(file);
+-               if (cnt < 0 || ii + cnt > head->height * head->width) {
+-                   return 0;
+-               }
+                if ( cnt>= 3 ) {
+                   if (ii + cnt > head->height * head->width) {
+                       return 0;
+                   }
+                    int odd = cnt&1;
+                    while ( --cnt>=0 )
+                        head->byte_pixels[ii++] = getc(file);
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
index ab3af19cda..e6533079d5 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -18,7 +18,9 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
           file://0001-include-sys-select-on-non-glibc-platforms.patch \
           file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \
           file://0001-cmake-Use-alternate-way-to-detect-libm.patch \
-"
+           file://CVE-2025-15279-1.patch \
+           file://CVE-2025-15279-2.patch \
+           "
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-27 07:50:16 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-01-30 23:59:10 -0800
commit	922de306a6578d5317fe05845f04465a6e9d14cc (patch)
tree	401ae8a6b399b4f8ce4e19d64ceac9e4ddab4282 /meta-oe/recipes-graphics
parent	c42dac1f0813caafd308c9965aa3259dae045848 (diff)
download	meta-openembedded-922de306a6578d5317fe05845f04465a6e9d14cc.tar.gz

diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch new file mode 100644 index 0000000000..17f33f41ff --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
@@ -0,0 +1,42 @@
		1	From ce71f0cdce556f56c5207a33a1be3830a73cc04f Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Thu, 8 Jan 2026 15:47:43 +0100
		4	Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
		5	decompression (#5720)
		6
		7	From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
		8
		9	CVSS: 7.8 (High)
		10	ZDI-CAN-27517
		11	Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
		12
		13	CVE: CVE-2025-15279
		14	Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073]
		15	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		16	---
		17	gutils/gimagereadbmp.c \| 6 ++++++
		18	1 file changed, 6 insertions(+)
		19
		20	diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
		21	index 5a137e28a..133336787 100644
		22	--- a/gutils/gimagereadbmp.c
		23	+++ b/gutils/gimagereadbmp.c
		24	@@ -181,12 +181,18 @@ static int readpixels(FILE file,struct bmpheader head) {
		25	int ii = 0;
		26	while ( ii<head->height*head->width ) {
		27	int cnt = getc(file);
		28	+ if (cnt < 0 \|\| ii + cnt > head->height * head->width) {
		29	+ return 0;
		30	+ }
		31	if ( cnt!=0 ) {
		32	int ch = getc(file);
		33	while ( --cnt>=0 )
		34	head->byte_pixels[ii++] = ch;
		35	} else {
		36	cnt = getc(file);
		37	+ if (cnt < 0 \|\| ii + cnt > head->height * head->width) {
		38	+ return 0;
		39	+ }
		40	if ( cnt>= 3 ) {
		41	int odd = cnt&1;
		42	while ( --cnt>=0 )


diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch new file mode 100644 index 0000000000..840a37a8a9 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
@@ -0,0 +1,35 @@
		1	From 4cd078071e2487f052ec997ee13bb910d796587b Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Mon, 12 Jan 2026 22:45:16 +0100
		4	Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
		5	(#5723)
		6
		7	From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
		8
		9	Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
		10
		11	CVE: CVE-2025-15279
		12	Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e]
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	gutils/gimagereadbmp.c \| 6 +++---
		16	1 file changed, 3 insertions(+), 3 deletions(-)
		17
		18	diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
		19	index 133336787..ad365158c 100644
		20	--- a/gutils/gimagereadbmp.c
		21	+++ b/gutils/gimagereadbmp.c
		22	@@ -190,10 +190,10 @@ static int readpixels(FILE file,struct bmpheader head) {
		23	head->byte_pixels[ii++] = ch;
		24	} else {
		25	cnt = getc(file);
		26	- if (cnt < 0 \|\| ii + cnt > head->height * head->width) {
		27	- return 0;
		28	- }
		29	if ( cnt>= 3 ) {
		30	+ if (ii + cnt > head->height * head->width) {
		31	+ return 0;
		32	+ }
		33	int odd = cnt&1;
		34	while ( --cnt>=0 )
		35	head->byte_pixels[ii++] = getc(file);


diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb index ab3af19cda..e6533079d5 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -18,7 +18,9 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
18	file://0001-include-sys-select-on-non-glibc-platforms.patch \	18	file://0001-include-sys-select-on-non-glibc-platforms.patch \
19	file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \	19	file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \
20	file://0001-cmake-Use-alternate-way-to-detect-libm.patch \	20	file://0001-cmake-Use-alternate-way-to-detect-libm.patch \
21	"	21	file://CVE-2025-15279-1.patch \
		22	file://CVE-2025-15279-2.patch \
		23	"
22		24
23	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"	25	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
24		26