From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 3 Jan 2026 08:07:57 +0100
Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.

Problem reported and analyzed by povcfe <povcfe2sec@gmail.com>.

Fixes issue #1382.

* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.

Upstream-Status: Backport [https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c]
CVE: CVE-2026-23865
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 src/truetype/ttgxvar.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 2ff40c9e8..96ddc04c8 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -628,6 +628,7 @@
       FT_UShort  word_delta_count;
       FT_UInt    region_idx_count;
       FT_UInt    per_region_size;
+      FT_UInt    delta_set_size;
 
 
       if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
@@ -697,7 +698,19 @@
       if ( long_words )
         per_region_size *= 2;
 
-      if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
+      /* Check for overflow (we actually test whether the     */
+      /* multiplication of two unsigned values wraps around). */
+      delta_set_size = per_region_size * item_count;
+      if ( per_region_size                                &&
+           delta_set_size / per_region_size != item_count )
+      {
+        FT_TRACE2(( "tt_var_load_item_variation_store:"
+                    " bad delta set array size\n" ));
+        error = FT_THROW( Array_Too_Large );
+        goto Exit;
+      }
+
+      if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
         goto Exit;
       if ( FT_Stream_Read( stream,
                            varData->deltaSet,
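Review bot: The doubling `per_region_size *= 2;` at the top of the hunk is itself an unchecked unsigned multiply, and the new wrap test validates the product only against the already-doubled value, so a per_region_size at or above 2^31 before the doubling would wrap there and still pass the check. This is presumably unreachable because per_region_size is derived from 16-bit stream fields, but that derivation is not in the hunk; a comment above the check such as `/* per_region_size is bounded by 16-bit stream fields, so the doubling above cannot wrap; only the item_count product can. */` would record why the doubling needs no guard of its own. The guard also deliberately lets per_region_size == 0 through to a zero-element FT_NEW_ARRAY, which reads as intentional but deserves a word in that same comment. tt_var_load_item_variation_store starts and ends outside the hunk, and the FT_Stream_Read on its last lines continues past it.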
-- 
GitLab

