File fontforge-CVE-2025-15269.patch of Package fontforge

From 6aea6db5da332d8ac94e3501bb83c1b21f52074d Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz
 <55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Sat, 10 Jan 2026 20:06:53 +0100
Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
 (#5722)

Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
the next pointer after shallow copy. The shallow copy propagates liga's
modified next pointer from previous iterations, creating a cycle that
causes double-free when the list is traversed and freed.

Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564

Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
---
 fontforge/sfd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index 0590c119f..a349d0b2f 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -4715,6 +4715,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
     while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
 	new = chunkalloc(sizeof( PST1 ));
 	*new = *liga;
+	new->pst.next = NULL;
 	new->pst.u.lig.components = copy(pt+1);
 	last->pst.next = (PST *) new;
 	last = new;
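Review bot: the added `new->pst.next = NULL;` directly after `*new = *liga;` should carry a short comment saying why it is needed. As the commit message explains, the struct copy brings along whatever `liga->pst.next` holds at that point, and after an earlier iteration that is a node already linked into the list. Without a comment the line reads as redundant next to `last->pst.next = (PST *) new;` two lines below and could be dropped in a later cleanup. The diffstat shows only `fontforge/sfd.c` changing, so a regression test is also worth adding: load an SFD whose old-style ligature has several `;`-separated components, then free the font, ideally under a memory sanitizer so a reintroduced cycle fails loudly.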
-- 
2.49.0
