backport-0001-CVE-2022-27405.patch

@@ -0,0 +1,39 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
+

backport-0002-CVE-2022-27405.patch

@@ -0,0 +1,26 @@
+From d014387ad4a5dd04d8e7f99587c7dacb70261924 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:30:45 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Thinko.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/d014387ad4a5dd04d8e7f99587c7dacb70261924
+---
+ src/base/ftobjs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 10952a6c6..6492a1517 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2532,6 +2532,7 @@
+       face_index &= 0x7FFFFFFFL;
+     else
+     {
++      face_index  = -face_index;
+       face_index &= 0x7FFFFFFFL;
+       face_index  = -face_index;
+     }
+-- 
+GitLab
+

backport-CVE-2022-27404.patch

@@ -0,0 +1,45 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ src/sfnt/sfwoff2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
++    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
+diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
+index cb1e0664a..165b875e5 100644
+--- a/src/sfnt/sfwoff2.c
++++ b/src/sfnt/sfwoff2.c
+@@ -2085,7 +2085,7 @@
+     /* Validate requested face index. */
+     *num_faces = woff2.num_fonts;
+     /* value -(N+1) requests information on index N */
+-    if ( *face_instance_index < 0 )
++    if ( *face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= woff2.num_fonts )
+-- 
+GitLab

backport-CVE-2022-27406.patch

@@ -0,0 +1,30 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
+

backport-CVE-2023-2004.patch

@@ -1,37 +0,0 @@
-From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
-From: Werner Lemberg <wl@gnu.org>
-Date: Mon, 14 Nov 2022 19:18:19 +0100
-Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
- overflow.
-
-Reported as
-
-  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
----
- src/truetype/ttgxvar.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
-index aad3e29..a69a9b5 100644
---- a/src/truetype/ttgxvar.c
-+++ b/src/truetype/ttgxvar.c
-@@ -42,6 +42,7 @@
- #include <ft2build.h>
- #include <freetype/internal/ftdebug.h>
- #include FT_CONFIG_CONFIG_H
-+#include <freetype/internal/ftcalc.h>
- #include <freetype/internal/ftstream.h>
- #include <freetype/internal/sfnt.h>
- #include <freetype/tttags.h>
-@@ -1075,7 +1076,7 @@
-                 delta == 1 ? "" : "s",
-                 vertical ? "VVAR" : "HVAR" ));
- 
--    *avalue += delta;
-+    *avalue = ADD_INT(*avalue, delta );
- 
-   Exit:
-     return error;
--- 
-2.33.0
-

backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch

@@ -1,44 +0,0 @@
-From: Marc Deslauriers <marc.deslauriers@canonical.com>
-Date: Fri, 14 Mar 2025 08:55:06 -0400
-Subject: [PATCH] Minimal stop-gap fix for CVE-2025-27363
-Origin: https://www.openwall.com/lists/oss-security/2025/03/14/3
-Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27363
-
-Reference:https://salsa.debian.org/debian/freetype/-/merge_requests/4
-Conflict:NA
-
----
- src/truetype/ttgload.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
-index 2ca63d65a3a3..7ce6d2a6fb29 100644
---- a/src/truetype/ttgload.c
-+++ b/src/truetype/ttgload.c
-@@ -1948,7 +1948,7 @@
-         short        i, limit;
-         FT_SubGlyph  subglyph;
- 
--        FT_Outline  outline;
-+        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
-         FT_Vector*  points    = NULL;
-         char*       tags      = NULL;
-         short*      contours  = NULL;
-@@ -1957,6 +1957,13 @@
- 
-         limit = (short)gloader->current.num_subglyphs;
- 
-+        /* make sure this isn't negative as we're going to add 4 later */
-+        if ( limit < 0 )
-+        {
-+          error = FT_THROW( Invalid_Argument );
-+          goto Exit;
-+        }
-+
-         /* construct an outline structure for              */
-         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
-         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
--- 
-2.47.2
-

freetype.spec

@@ -3,8 +3,8 @@
 %{!?with_xfree86:%define with_xfree86 1}
 
 Name:           freetype
-Version:        2.12.1
-Release:        5
+Version:        2.11.0
+Release:        2
 Summary:        FreeType is a freely available software library to render fonts
 License:        (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL:            http://www.freetype.org
@@ -12,8 +12,6 @@ Source0:        http://download.savannah.gnu.org/releases/freetype/freetype-%{ve
 Source1:        http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{version}.tar.xz
 Source2:        http://download.savannah.gnu.org/releases/freetype/ft2demos-%{version}.tar.xz
 Source3:        ftconfig.h
-#from tests/scripts/download-test-fonts.py:https://github.com/python-pillow/Pillow/files/6622147/As.I.Lay.Dying.zip
-Source4:        As.I.Lay.Dying.ttf
 
 Patch1:         backport-freetype-2.5.2-more-demos.patch
 Patch6000:      backport-freetype-2.3.0-enable-spr.patch
@@ -22,10 +20,12 @@ Patch6002:      backport-freetype-2.6.5-libtool.patch
 Patch6003:      backport-freetype-2.8-multilib.patch
 Patch6004:      backport-freetype-2.10.0-internal-outline.patch
 Patch6005:      backport-freetype-2.10.1-debughook.patch
-Patch6006:      backport-CVE-2023-2004.patch
-Patch6007:      backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
+Patch6006:      backport-CVE-2022-27404.patch
+Patch6007:      backport-0001-CVE-2022-27405.patch
+Patch6008:      backport-0002-CVE-2022-27405.patch
+Patch6009:      backport-CVE-2022-27406.patch
 
-BuildRequires:  gcc libX11-devel libpng-devel zlib-devel bzip2-devel meson
+BuildRequires:  gcc libX11-devel libpng-devel zlib-devel bzip2-devel
 
 Provides:       %{name}-bytecode 
 %if %{?_with_subpixel_rendering:1}%{!?_with_subpixel_rendering:0}
@@ -73,6 +73,8 @@ popd
 %patch6005 -p1
 %patch6006 -p1
 %patch6007 -p1
+%patch6008 -p1
+%patch6009 -p1
 
 %build
 %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
@@ -120,13 +122,6 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 
 %postun  -p /sbin/ldconfig
 
-%check
-mkdir -p tests/data/
-cp %{SOURCE4} tests/data/
-meson setup out -Dtests=enabled
-meson compile -C out
-meson test -C out
-
 %files
 %{!?_licensedir:%global license %%doc}
 %license LICENSE.TXT docs/FTL.TXT docs/GPLv2.TXT
@@ -153,21 +148,6 @@ meson test -C out
 %{_mandir}/man1/*
 
 %changelog
-* Mon Apr 14 2025 zhangpan <zhangpan103@h-partners.com> - 2.12.1-5
-- update CVE-2025-27363 patch
-
-* Mon Mar 17 2025 zhangpan <zhangpan103@h-partners.com> - 2.12.1-4
-- fix CVE-2025-27363
-
-* Tue Nov 14 2023 zhangpan <zhangpan103@h-partners.com> - 2.12.1-3
-- enable make check
-
-* Mon Apr 17 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.12.1-2
-- fix CVE-2023-2004
-
-* Tue Nov 29 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.12.1-1
-- update to 2.12.1
-
 * Sat May 14 2022 wangkerong <wangkerong@h-paerners.com> - 2.11.0-2
 - fix CVE-2022-27404,CVE-2022-27405,CVE-2022-27406