File fontforge-CVE-2025-15275.patch of Package fontforge

From 7195402701ace7783753ef9424153eff48c9af44 Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz
 <55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:58:23 +0100
Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
 (#5721)

Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543

Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
---
 fontforge/sfd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index 6b980a478..0590c119f 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
     getint(sfd,&image_type);
     getint(sfd,&bpl);
     getint(sfd,&clutlen);
+    if ( clutlen < 0 || clutlen > 256 ) {
+        LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
+        return NULL;
+    }
     gethex(sfd,&trans);
     image = GImageCreate(image_type,width,height);
     base = image->list_len==0?image->u.image:image->u.images[0];
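Review bot: The new bound covers only `clutlen`; `bpl`, read one line earlier from the same untrusted SFD stream, is still unchecked in this hunk, and the result of `GImageCreate(image_type,width,height)` is dereferenced on the next line without a NULL test. If `GImageCreate` can fail for an invalid image type or oversized dimensions, add `if ( image==NULL ) return NULL;` before the `base = ...` assignment. The return values of the three `getint` calls are also ignored, so the check may be comparing a value that was never read; whether `clutlen` is initialised cannot be seen here, because SFDGetImage starts and ends outside the hunk. A short comment above the check, such as `/* clut has room for at most 256 entries */`, would document where the limit comes from.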
-- 
2.49.0
