File raylib-CVE-2025-15533-CVE-2025-15534.patch of Package raylib
Fix CVE-2025-15533 and CVE-2025-15534
Based on 5a3391fdce046bc5473e52afbd835dd2dc127146.
Change glyphs[k] -> chars[i].
Index: raylib-5.5/src/rtext.c
===================================================================
--- raylib-5.5.orig/src/rtext.c
+++ raylib-5.5/src/rtext.c
@@ -695,8 +695,11 @@ GlyphInfo *LoadFontData(const unsigned c
stbtt_GetCodepointHMetrics(&fontInfo, ch, &chars[i].advanceX, NULL);
chars[i].advanceX = (int)((float)chars[i].advanceX*scaleFactor);
+ if (chars[i].advanceX < 0) chars[i].advanceX = 0;
+
Image imSpace = {
.data = RL_CALLOC(chars[i].advanceX*fontSize, 2),
+ .data = (chars[i].advanceX > 0) ? RL_CALLOC(chars[i].advanceX*fontSize, 2) : NULL,
.width = chars[i].advanceX,
.height = fontSize,
.mipmaps = 1,
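Review bot: The original `.data = RL_CALLOC(chars[i].advanceX*fontSize, 2),` line appears to survive as context directly above the added guarded initializer, so `imSpace` would carry two `.data` designators; the hunk header's 8 to 11 line counts fit three additions and no removal, though a lost `-` marker in this rendering cannot be ruled out. C lets the last designator win, but whether the overridden RL_CALLOC call is still evaluated is unspecified, so the unguarded allocation may either be discarded with a compiler warning or run and leak. If that reading is right, remove the old line so only `.data = (chars[i].advanceX > 0) ? RL_CALLOC(chars[i].advanceX*fontSize, 2) : NULL,` remains. Separately, `chars[i].advanceX*fontSize` is still an `int` product of font-derived values, so an upper bound on advanceX next to the new `< 0` clamp would be worth adding.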
@@ -796,7 +799,8 @@ Image GenImageFontAtlas(const GlyphInfo
}
#endif
- atlas.data = (unsigned char *)RL_CALLOC(1, atlas.width*atlas.height); // Create a bitmap to store characters (8 bpp)
+ int atlasDataSize = atlas.width * atlas.height; // Save total size for bounds checking
+ atlas.data = (unsigned char *)RL_CALLOC(1, atlasDataSize); // Create a bitmap to store characters (8 bpp)
atlas.format = PIXELFORMAT_UNCOMPRESSED_GRAYSCALE;
atlas.mipmaps = 1;
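Review bot: `atlasDataSize` is computed as an `int` product, so a large `atlas.width`/`atlas.height` pair can still overflow before the allocation. Its comment says it is kept for bounds checking, yet the later hunks on this page test against `atlas.width` and `atlas.height` instead. Consider `size_t atlasDataSize = (size_t)atlas.width*(size_t)atlas.height;` once both dimensions are known to be positive, or drop the variable if nothing else uses it. The RL_CALLOC result is also not checked within this hunk, and the coordinate guards added further down do not protect a NULL `atlas.data`. GenImageFontAtlas continues outside the hunk, so such a check may already exist there.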
@@ -841,7 +845,17 @@ Image GenImageFontAtlas(const GlyphInfo
{
for (int x = 0; x < glyphs[i].image.width; x++)
{
- ((unsigned char *)atlas.data)[(offsetY + y)*atlas.width + (offsetX + x)] = ((unsigned char *)glyphs[i].image.data)[y*glyphs[i].image.width + x];
+ int destX = offsetX + x;
+ int destY = offsetY + y;
+
+ // Security fix: check both lower and upper bounds
+ // destX >= 0: prevent heap underflow (#5434)
+ // destX < atlas.width: prevent heap overflow (#5433)
+ if (destX >= 0 && destX < atlas.width && destY >= 0 && destY < atlas.height)
+ {
+ ((unsigned char *)atlas.data)[destY * atlas.width + destX] =
+ ((unsigned char *)glyphs[i].image.data)[y * glyphs[i].image.width + x];
+ }
}
}
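Review bot: The new guard in the inner loop, and the identical one in the next hunk for the `rects[i]` packing path, silently drops out-of-range pixels, so a font whose glyphs do not fit the computed atlas yields a clipped atlas with no diagnostic. The `destY` test does not depend on `x` and the whole glyph rectangle is known before the loops, so one test per glyph would be clearer and could log once, e.g. `TRACELOG(LOG_WARNING, "FONT: Glyph %i exceeds atlas bounds, clipped", i);`. The offset and atlas-size computation that produces these coordinates lies outside the hunk and is worth checking against the same inputs, since the guard only limits the effect. The comment on the second copy should carry the same issue references as this one.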
@@ -889,7 +903,15 @@ Image GenImageFontAtlas(const GlyphInfo
{
for (int x = 0; x < glyphs[i].image.width; x++)
{
- ((unsigned char *)atlas.data)[(rects[i].y + padding + y)*atlas.width + (rects[i].x + padding + x)] = ((unsigned char *)glyphs[i].image.data)[y*glyphs[i].image.width + x];
+ int destX = rects[i].x + padding + x;
+ int destY = rects[i].y + padding + y;
+
+ // Security fix: check both lower and upper bounds
+ if (destX >= 0 && destX < atlas.width && destY >= 0 && destY < atlas.height)
+ {
+ ((unsigned char *)atlas.data)[destY * atlas.width + destX] =
+ ((unsigned char *)glyphs[i].image.data)[y * glyphs[i].image.width + x];
+ }
}
}
}
@@ -903,14 +925,18 @@ Image GenImageFontAtlas(const GlyphInfo
#if defined(SUPPORT_FONT_ATLAS_WHITE_REC)
// Add a 3x3 white rectangle at the bottom-right corner of the generated atlas,
- // useful to use as the white texture to draw shapes with raylib, using this rectangle
- // shapes and text can be backed into a single draw call: SetShapesTexture()
- for (int i = 0, k = atlas.width*atlas.height - 1; i < 3; i++)
- {
- ((unsigned char *)atlas.data)[k - 0] = 255;
- ((unsigned char *)atlas.data)[k - 1] = 255;
- ((unsigned char *)atlas.data)[k - 2] = 255;
- k -= atlas.width;
+ // useful to use as the white texture to draw shapes with raylib.
+ // [Security Fix] Ensure the atlas is large enough to hold a 3x3 rectangle.
+ // This prevents heap underflow when width < 3 or height < 3 (Fixes #5434 variant)
+ if (atlas.width >= 3 && atlas.height >= 3)
+ {
+ for (int i = 0, k = atlas.width*atlas.height - 1; i < 3; i++)
+ {
+ ((unsigned char *)atlas.data)[k - 0] = 255;
+ ((unsigned char *)atlas.data)[k - 1] = 255;
+ ((unsigned char *)atlas.data)[k - 2] = 255;
+ k -= atlas.width;
+ }
}
#endif
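Review bot: The rewritten comment drops the explanation that this rectangle lets shapes and text share a single draw call via SetShapesTexture(), and the new guard skips the rectangle silently for atlases smaller than 3x3. Keep the original sentence and state the new condition, e.g. `// NOTE: Rectangle is omitted when the atlas is smaller than 3x3; callers using SetShapesTexture() must not assume it exists`. The `[Security Fix]` and issue-number tags belong in the patch description rather than in a source comment, where they age quickly.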