From: Marc Deslauriers Date: Fri, 14 Mar 2025 08:55:06 -0400 Subject: [PATCH] Minimal stop-gap fix for CVE-2025-27363 Origin: https://www.openwall.com/lists/oss-security/2025/03/14/3 Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27363 Reference:https://salsa.debian.org/debian/freetype/-/merge_requests/4 Conflict:NA --- src/truetype/ttgload.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c index 2ca63d65a3a3..7ce6d2a6fb29 100644 --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -1948,7 +1948,7 @@ short i, limit; FT_SubGlyph subglyph; - FT_Outline outline; + FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 }; FT_Vector* points = NULL; char* tags = NULL; short* contours = NULL; @@ -1957,6 +1957,13 @@ limit = (short)gloader->current.num_subglyphs; + /* make sure this isn't negative as we're going to add 4 later */ + if ( limit < 0 ) + { + error = FT_THROW( Invalid_Argument ); + goto Exit; + } + /* construct an outline structure for */ /* communication with `TT_Vary_Apply_Glyph_Deltas' */ outline.n_points = (short)( gloader->current.num_subglyphs + 4 ); -- 2.47.2
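Review bot: In the first hunk (@@ -1948,7), the positional initializer `{ 0, 0, NULL, NULL, NULL, 0 }` on `outline` depends on the member order of FT_Outline and has no comment saying why it is now required. The second hunk adds a `goto Exit` that is taken before any member of `outline` is assigned, so if the cleanup at `Exit` reads or frees the outline's pointers, this zeroing is what keeps that path safe. A one-line comment to that effect would keep it from being dropped later as redundant. `FT_ZERO( &outline )` ahead of the first use would express the same thing without tying it to field order.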
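Review bot: In the second hunk (@@ -1957,6), the `limit < 0` test runs on the value after the `(short)` cast and leaves the upper end of the range unchecked. The context line `outline.n_points = (short)( gloader->current.num_subglyphs + 4 )` still truncates the sum, so, assuming a 16-bit short, a count of 32764 to 32767 passes the new check and then no longer fits once 4 is added. Suggest testing the unconverted `gloader->current.num_subglyphs` against an upper bound that leaves room for the 4 extra points, before either cast is applied. The new comment says "add 4 later", but the addition is done on `num_subglyphs` rather than on `limit`; the comment should say which value is being protected.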