mirror of
https://github.com/openharmony/third_party_freetype.git
synced 2026-07-01 10:22:10 -04:00
add CVE-2026-23865
Signed-off-by: ZacohZhen <kouzhenrong@h-partners.com>
@@ -0,0 +1,35 @@
|
||||
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
|
||||
index 4f0083c..0e1e21f 100644
|
||||
--- a/src/truetype/ttgxvar.c
|
||||
+++ b/src/truetype/ttgxvar.c
|
||||
@@ -609,7 +609,7 @@
|
||||
FT_UShort word_delta_count;
|
||||
FT_UInt region_idx_count;
|
||||
FT_UInt per_region_size;
|
||||
-
|
||||
+ FT_UInt delta_set_size;
|
||||
|
||||
if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
|
||||
goto Exit;
|
||||
@@ -666,7 +666,20 @@
|
||||
if ( long_words )
|
||||
per_region_size *= 2;
|
||||
|
||||
- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
|
||||
+
|
||||
+ /* Check for overflow (we actually test whether the */
|
||||
+ /* multiplication of two unsigned values wraps around). */
|
||||
+ delta_set_size = per_region_size * item_count;
|
||||
+ if ( per_region_size &&
|
||||
+ delta_set_size / per_region_size != item_count )
|
||||
+ {
|
||||
+ FT_TRACE2(( "tt_var_load_item_variation_store:"
|
||||
+ " bad delta set array size\n" ));
|
||||
+ error = FT_THROW( Array_Too_Large );
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
+ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
|
||||
goto Exit;
|
||||
if ( FT_Stream_Read( stream,
|
||||
varData->deltaSet,
|
||||
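Review bot: The length argument of the `FT_Stream_Read` call that fills `varData->deltaSet` lies outside the second hunk of the patch and is not touched by it, so it presumably still recomputes `per_region_size * item_count` on its own. With the new wrap-around check ahead of it that product can no longer wrap, but passing `delta_set_size` as the third argument would tie the read length to the allocated size, so a later edit cannot let the two diverge. The guard itself is sound for `FT_UInt` operands, including the `per_region_size == 0` case that skips the division. The enclosing function starts and ends outside both hunks, so the origin of `item_count` and the remaining uses of the buffer cannot be checked from here.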
+3
-1
@@ -39,6 +39,7 @@ def move_file(src_path, dst_path):
|
||||
"backport-freetype-2.10.0-internal-outline.patch",
|
||||
"backport-freetype-2.10.1-debughook.patch",
|
||||
"backport-freetype-2.12.1-enable-funcs.patch",
|
||||
"CVE-2026-23865.patch",
|
||||
"ftconfig.h"
|
||||
]
|
||||
for file in files:
|
||||
@@ -74,7 +75,8 @@ def do_patch(target_dir):
|
||||
"backport-freetype-2.8-multilib.patch",
|
||||
"backport-freetype-2.10.0-internal-outline.patch",
|
||||
"backport-freetype-2.10.1-debughook.patch",
|
||||
"backport-freetype-2.12.1-enable-funcs.patch"
|
||||
"backport-freetype-2.12.1-enable-funcs.patch",
|
||||
"CVE-2026-23865.patch"
|
||||
]
|
||||
|
||||
for patch in patch_file:
|
||||
|
||||
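Review bot: The last entry of the list in `do_patch` is again written without a trailing comma, which is why this change had to rewrite the `enable-funcs` line. Python silently concatenates adjacent string literals, so a later append that forgets the comma would produce one bogus file name and the CVE patch would likely not be applied. Ending the list with `"CVE-2026-23865.patch",` avoids that. The body of `for patch in patch_file:` is outside the hunk, so it is worth confirming that a patch which fails to apply aborts the build rather than leaving `ttgxvar.c` unpatched. The list in `move_file` carries the same names and has to be kept in sync with this one by hand.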