add CVE-2026-23865

Signed-off-by: ZacohZhen <kouzhenrong@h-partners.com>
This commit is contained in:
ZacohZhen
2026-03-05 11:25:25 +08:00
parent d26fe8acda
commit fe7a4f8b73
2 changed files with 38 additions and 1 deletions
+35
View File
@@ -0,0 +1,35 @@
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 4f0083c..0e1e21f 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -609,7 +609,7 @@
FT_UShort word_delta_count;
FT_UInt region_idx_count;
FT_UInt per_region_size;
-
+ FT_UInt delta_set_size;
if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
goto Exit;
@@ -666,7 +666,20 @@
if ( long_words )
per_region_size *= 2;
- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
+
+ /* Check for overflow (we actually test whether the */
+ /* multiplication of two unsigned values wraps around). */
+ delta_set_size = per_region_size * item_count;
+ if ( per_region_size &&
+ delta_set_size / per_region_size != item_count )
+ {
+ FT_TRACE2(( "tt_var_load_item_variation_store:"
+ " bad delta set array size\n" ));
+ error = FT_THROW( Array_Too_Large );
+ goto Exit;
+ }
+
+ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
goto Exit;
if ( FT_Stream_Read( stream,
varData->deltaSet,
+3 -1
View File
@@ -39,6 +39,7 @@ def move_file(src_path, dst_path):
"backport-freetype-2.10.0-internal-outline.patch",
"backport-freetype-2.10.1-debughook.patch",
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch",
"ftconfig.h"
]
for file in files:
@@ -74,7 +75,8 @@ def do_patch(target_dir):
"backport-freetype-2.8-multilib.patch",
"backport-freetype-2.10.0-internal-outline.patch",
"backport-freetype-2.10.1-debughook.patch",
"backport-freetype-2.12.1-enable-funcs.patch"
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch"
]
for patch in patch_file: