From: Vijay Anusuri <[email protected]> Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23865 https://security-tracker.debian.org/tracker/CVE-2026-23865
Picked patch mentioned in NVD
Signed-off-by: Vijay Anusuri <[email protected]>
Signed-off-by: Yoann Congal <[email protected]>
---
.../freetype/freetype/CVE-2026-23865.patch | 54 +++++++++++++++++++
.../freetype/freetype_2.13.3.bb | 4 +-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
new file mode 100644
index 00000000000..aa0d4326f83
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
@@ -0,0 +1,54 @@
+From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <[email protected]>
+Date: Sat, 3 Jan 2026 08:07:57 +0100
+Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.
+
+Problem reported and analyzed by povcfe <[email protected]>.
+
+Fixes issue #1382.
+
+* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.
+
+Upstream-Status: Backport [https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c]
+CVE: CVE-2026-23865
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ src/truetype/ttgxvar.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 2ff40c9e8..96ddc04c8 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -628,6 +628,7 @@
+ FT_UShort word_delta_count;
+ FT_UInt region_idx_count;
+ FT_UInt per_region_size;
++ FT_UInt delta_set_size;
+
+
+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
+@@ -697,7 +698,19 @@
+ if ( long_words )
+ per_region_size *= 2;
+
+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
++ /* Check for overflow (we actually test whether the */
++ /* multiplication of two unsigned values wraps around). */
++ delta_set_size = per_region_size * item_count;
++ if ( per_region_size &&
++ delta_set_size / per_region_size != item_count )
++ {
++ FT_TRACE2(( "tt_var_load_item_variation_store:"
++ " bad delta set array size\n" ));
++ error = FT_THROW( Array_Too_Large );
++ goto Exit;
++ }
++
+ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
+ goto Exit;
+ if ( FT_Stream_Read( stream,
+ varData->deltaSet,
+--
+GitLab
+
diff --git a/meta/recipes-graphics/freetype/freetype_2.13.3.bb b/meta/recipes-graphics/freetype/freetype_2.13.3.bb
index dbfffdb65fc..1fda9c57e78 100644
--- a/meta/recipes-graphics/freetype/freetype_2.13.3.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.13.3.bb
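Review bot: In the embedded `@@ -697,7 +698,19 @@` hunk, the replacement line `if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )` appears on this page with only the outer `+`, which makes it a context line of the inner patch, whereas the header's 7 old and 19 new lines only add up if it is an added line (`++`). This may be an artifact of how the mail was rendered, but if the file is committed this way the patch would be expected to fail at do_patch and the wrap-around check would not reach the build, so it is worth confirming that the file is byte-identical to the upstream commit named in Upstream-Status. The enclosing function tt_var_load_item_variation_store starts and ends outside the hunk, so the bound that keeps the earlier `per_region_size *= 2` from wrapping cannot be checked from here.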
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=843b6efc16f6b1652ec97f89d5a516c0 \ file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec \ " -SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz" +SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ + file://CVE-2026-23865.patch \ +" SRC_URI[sha256sum] = "0550350666d427c74daeb85d5ac7bb353acba5f76956395995311a9c6f063289" UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"
