Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395
https://nvd.nist.gov/vuln/detail/CVE-2020-25690
https://nvd.nist.gov/vuln/detail/CVE-2020-5496

The same upstream fix covers all three CVEs.
The patch for CVE-2020-25690 is mentioned in the Red Hat bug that is
referenced in the NVD report.
The patch for CVE-2020-5395 is mentioned in the GitHub issue that
is referenced in the NVD report.
The patch for CVE-2020-5496 is mentioned in the comments of the issue
that is linked in the NVD report.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../fontforge/CVE-2020-25690-1.patch          | 81 +++++++++++++++++++
 .../fontforge/CVE-2020-25690-2.patch          | 32 ++++++++
 .../fontforge/fontforge_20190801.bb           |  4 +-
 3 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
 create mode 100644 
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch

diff --git 
a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch 
b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
new file mode 100644
index 0000000000..b41bc1088a
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
@@ -0,0 +1,81 @@
+From 169bfc28246c10493ac085c9e9ed5b0ab58ac979 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many other potential issues (many downstream calls to
+ strlen() on the value).
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport 
[https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ fontforge/sfd.c  | 19 ++++++++++++++-----
+ fontforge/sfd1.c |  2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 214163343..cdce0b08a 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+       if ( cur!=NULL ) {
+           if ( cur->spiro_cnt>=cur->spiro_max )
+-              cur->spiros = 
realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++              cur->spiros = realloc(cur->spiros,
++                                    (cur->spiro_max+=10)*sizeof(spiro_cp));
+           cur->spiros[cur->spiro_cnt++] = cp;
+       }
+     }
+-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++    if (    cur!=NULL && cur->spiro_cnt>0
++         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+       if ( cur->spiro_cnt>=cur->spiro_max )
+-          cur->spiros = 
realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++          cur->spiros = realloc(cur->spiros,
++                                (cur->spiro_max+=1)*sizeof(spiro_cp));
+       memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+       cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+     }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+     else if ( strmatch(tok,"LayerCount:")==0 )
+     {
+       d->had_layer_cnt = true;
+-      getint(sfd,&sf->layer_cnt);
+-      if ( sf->layer_cnt>2 ) {
++      int layer_cnt_tmp;
++      getint(sfd,&layer_cnt_tmp);
++      if ( layer_cnt_tmp>2 ) {
+           sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+           memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++          sf->layer_cnt = layer_cnt_tmp;
+       }
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+       }
+     }
+ 
++    // Many downstream functions assume this isn't NULL (use strlen, etc.)
++    if ( sf->fontname==NULL)
++      sf->fontname = copy("");
++
+     if ( fromdir )
+       sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+     else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d..b42f83267 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+ 
+     /* Fix up some gunk from really old versions of the sfd format */
+     SFDCleanupAnchorClasses(&sf->sf);
+-    if ( sf->sf.uni_interp==ui_unset )
++    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+       sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+ 
+     /* Fixup for an old bug */
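Review bot: In the LayerCount branch of SFD_GetFontMetaData the new `int layer_cnt_tmp;` is compared in `if ( layer_cnt_tmp>2 )` without ever being initialized; if getint() leaves its output untouched on a malformed or truncated token (its behaviour is not visible here), that comparison reads an indeterminate value, whereas the old code compared whatever was already stored in sf->layer_cnt. Initializing it, `int layer_cnt_tmp = 0;`, keeps a parse failure on the harmless side of the check at no cost. Separately, the `From:` hash 169bfc2… does not match the commit named in Upstream-Status (048a91e…); if the patch was exported from a different branch that is fine, but the header should cite the commit it was actually generated from so the backport can be traced. SFD_GetFontMetaData, SFDGetSpiros and SFD_AssignLookups all begin and end outside this hunk.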
diff --git 
a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch 
b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch
new file mode 100644
index 0000000000..bbd3854eee
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch
@@ -0,0 +1,32 @@
+From c169022972d82ee0da4812e77aa8f560d173fcd7 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <[email protected]>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport 
[https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index cdce0b08a..132f9fa0c 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+       int layer_cnt_tmp;
+       getint(sfd,&layer_cnt_tmp);
+       if ( layer_cnt_tmp>2 ) {
++          sf->layer_cnt = layer_cnt_tmp;
+           sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+           memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+-          sf->layer_cnt = layer_cnt_tmp;
+       }
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
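Review bot: With `sf->layer_cnt = layer_cnt_tmp;` now moved ahead of the realloc(), the allocation on the next line is sized directly from an integer read out of the SFD file with no upper bound, and its result is stored back into sf->layers unchecked; a crafted LayerCount that makes realloc() fail leaves sf->layers NULL (the old buffer is leaked) while sf->layer_cnt already claims the larger count, and the memset that follows writes through that NULL pointer. The result should go to a temporary and both fields be updated only on success; on a 32-bit target `layer_cnt_tmp*sizeof(LayerInfo)` can also wrap, so the product is worth guarding in size_t (the size of LayerInfo and any existing cap on layer counts are not visible here). How this function reports a failed read is outside the hunk, so the `return false` below stands in for whatever convention the rest of SFD_GetFontMetaData uses. SFD_GetFontMetaData begins and ends outside this hunk.
```c
      if ( layer_cnt_tmp>2 ) {
          if ( (size_t)layer_cnt_tmp > SIZE_MAX/sizeof(LayerInfo) )
              return false;   /* confirm against this function's error convention */
          LayerInfo *layers = realloc(sf->layers,
                                      (size_t)layer_cnt_tmp*sizeof(LayerInfo));
          if ( layers==NULL )
              return false;   /* old sf->layers and sf->layer_cnt stay valid */
          sf->layers = layers;
          sf->layer_cnt = layer_cnt_tmp;
          memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
      }
```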
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb 
b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
index 84644f2560..7686b04fb3 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
@@ -17,7 +17,9 @@ REQUIRED_DISTRO_FEATURES:append:class-target = " x11"
 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
 SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
            file://0001-include-sys-select-on-non-glibc-platforms.patch \
-"
+           file://CVE-2020-25690-1.patch \
+           file://CVE-2020-25690-2.patch \
+           "
 S = "${WORKDIR}/git"
 
 EXTRA_OECONF += "--without-libuninameslist  --enable-python-scripting 
--enable-python-extension"