2 files changed, 45 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
new file mode 100644
index 0000000000..335aa3f9a2
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
@@ -0,0 +1,44 @@
+From 647e17c1313b0be5159616e4345e6007e1f377a5 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Sat, 31 Jan 2026 21:23:41 +0100
+Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
+ parsing (#5743)
+Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+CVE: CVE-2025-15270
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 894176254..3692973fe 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -8286,6 +8286,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+        for ( i=classstart; i<kc->first_cnt; ++i ) {
+          if (kernclassversion < 3) {
+            getint(sfd,&temp);
+           if (temp < 0) {
+             LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+             return false;
+           }
+            kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
+            nlgetc(sfd);        /* skip space */
+            fread(kc->firsts[i],1,temp,sfd);
+@@ -8303,6 +8307,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+        for ( i=1; i<kc->second_cnt; ++i ) {
+          if (kernclassversion < 3) {
+            getint(sfd,&temp);
+           if (temp < 0) {
+             LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+             return false;
+           }
+            kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
+            nlgetc(sfd);        /* skip space */
+            fread(kc->seconds[i],1,temp,sfd);
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb
index 7db8a66654..72d233fe0c 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
           file://CVE-2025-15279-2.patch \
           file://CVE-2025-15275.patch \
           file://CVE-2025-15269.patch \
+           file://CVE-2025-15270.patch \
           "
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"

diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch new file mode 100644 index 0000000000..335aa3f9a2 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
@@ -0,0 +1,44 @@
		1	From 647e17c1313b0be5159616e4345e6007e1f377a5 Mon Sep 17 00:00:00 2001
		2	From: Ahmet Furkan Kavraz
		3	<55850855+ahmetfurkankavraz@users.noreply.github.com>
		4	Date: Sat, 31 Jan 2026 21:23:41 +0100
		5	Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
		6	parsing (#5743)
		7
		8	Fixes: CVE-2025-15270 \| ZDI-25-1194 \| ZDI-CAN-28563
		9
		10	Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
		11
		12	CVE: CVE-2025-15270
		13	Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
		14	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		15	---
		16	fontforge/sfd.c \| 8 ++++++++
		17	1 file changed, 8 insertions(+)
		18
		19	diff --git a/fontforge/sfd.c b/fontforge/sfd.c
		20	index 894176254..3692973fe 100644
		21	--- a/fontforge/sfd.c
		22	+++ b/fontforge/sfd.c
		23	@@ -8286,6 +8286,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
		24	for ( i=classstart; i<kc->first_cnt; ++i ) {
		25	if (kernclassversion < 3) {
		26	getint(sfd,&temp);
		27	+ if (temp < 0) {
		28	+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
		29	+ return false;
		30	+ }
		31	kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
		32	nlgetc(sfd); /* skip space */
		33	fread(kc->firsts[i],1,temp,sfd);
		34	@@ -8303,6 +8307,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
		35	for ( i=1; i<kc->second_cnt; ++i ) {
		36	if (kernclassversion < 3) {
		37	getint(sfd,&temp);
		38	+ if (temp < 0) {
		39	+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
		40	+ return false;
		41	+ }
		42	kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
		43	nlgetc(sfd); /* skip space */
		44	fread(kc->seconds[i],1,temp,sfd);


diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb index 7db8a66654..72d233fe0c 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
25	file://CVE-2025-15279-2.patch \	25	file://CVE-2025-15279-2.patch \
26	file://CVE-2025-15275.patch \	26	file://CVE-2025-15275.patch \
27	file://CVE-2025-15269.patch \	27	file://CVE-2025-15269.patch \
		28	file://CVE-2025-15270.patch \
28	"	29	"
29		30
30	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"	31	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"