From fe7a4f8b7334964c121df488c7c311060424d7ab Mon Sep 17 00:00:00 2001
From: ZacohZhen
Date: Thu, 5 Mar 2026 11:25:25 +0800
Subject: [PATCH] add CVE-2026-23865
Signed-off-by: ZacohZhen
---
 CVE-2026-23865.patch | 35 +++++++++++++++++++++++++++++++++++
 install.py | 4 +++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2026-23865.patch
diff --git a/CVE-2026-23865.patch b/CVE-2026-23865.patch
new file mode 100644
index 0000000..a464e2a
--- /dev/null
+++ b/CVE-2026-23865.patch
@@ -0,0 +1,35 @@
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 4f0083c..0e1e21f 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -609,7 +609,7 @@
+ FT_UShort word_delta_count;
+ FT_UInt region_idx_count;
+ FT_UInt per_region_size;
+-
++ FT_UInt delta_set_size;
+
+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
+ goto Exit;
+@@ -666,7 +666,20 @@
+ if ( long_words )
+ per_region_size *= 2;
+
+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
++
++ /* Check for overflow (we actually test whether the */
++ /* multiplication of two unsigned values wraps around). */
++ delta_set_size = per_region_size * item_count;
++ if ( per_region_size &&
++ delta_set_size / per_region_size != item_count )
++ {
++ FT_TRACE2(( "tt_var_load_item_variation_store:"
++ " bad delta set array size\n" ));
++ error = FT_THROW( Array_Too_Large );
++ goto Exit;
++ }
++
++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
+ goto Exit;
+ if ( FT_Stream_Read( stream,
+ varData->deltaSet,
diff --git a/install.py b/install.py
index 609aab5..33656ec 100755
--- a/install.py
+++ b/install.py
@@ -39,6 +39,7 @@ def move_file(src_path, dst_path):
 "backport-freetype-2.10.0-internal-outline.patch",
 "backport-freetype-2.10.1-debughook.patch",
 "backport-freetype-2.12.1-enable-funcs.patch",
+ "CVE-2026-23865.patch",
 "ftconfig.h"
 ]
 for file in files:
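Review bot: The new CVE-2026-23865.patch begins directly at `diff --git a/src/truetype/ttgxvar.c` with no header naming the upstream FreeType commit or release the fix was taken from, so the backport cannot be checked against the upstream change from this file alone. patch(1) skips text ahead of the first file header, so a leading line such as `Upstream-commit: <upstream commit id>` would record the provenance. In the second embedded hunk the length argument of `FT_Stream_Read` lies after the last context line `varData->deltaSet,`; if it still spells out `per_region_size * item_count`, passing `delta_set_size` instead would tie both the allocation and the read to the one value that was overflow-checked.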
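Review bot: `"CVE-2026-23865.patch"` has to be listed twice, in the `files` list of `move_file` in this hunk and again in `patch_file` of `do_patch` in the following hunk, so a security patch that gets copied but never applied (or the reverse) is one missed edit away. A single module-level list, e.g. `PATCH_FILES = [...]` with `files = PATCH_FILES + ["ftconfig.h"]` inside `move_file`, would remove the second copy. Both loop bodies start outside the hunks, so it is not visible whether a patch that fails to apply aborts the build; for a CVE fix it should, rather than leaving the library unpatched without an error.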
@@ -74,7 +75,8 @@ def do_patch(target_dir): "backport-freetype-2.8-multilib.patch", "backport-freetype-2.10.0-internal-outline.patch", "backport-freetype-2.10.1-debughook.patch", - "backport-freetype-2.12.1-enable-funcs.patch" + "backport-freetype-2.12.1-enable-funcs.patch", + "CVE-2026-23865.patch" ] for patch in patch_file: