From 31f1d335c312388b5e30da9a7aa522f7cd3ef985 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 3 Mar 2026 09:17:05 +0000
Subject: [PATCH] Patch freetype for CVE-2026-23865
---
 SPECS/freetype/CVE-2026-23865.patch | 53 +++++++++++++++++++++++++++++
 SPECS/freetype/freetype.spec | 6 +++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/freetype/CVE-2026-23865.patch
diff --git a/SPECS/freetype/CVE-2026-23865.patch b/SPECS/freetype/CVE-2026-23865.patch
new file mode 100644
index 00000000000..2cc5dadb2e9
--- /dev/null
+++ b/SPECS/freetype/CVE-2026-23865.patch
@@ -0,0 +1,53 @@
+From 95b7cce818383e36883633aebd4b908092cb34a2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Sat, 3 Jan 2026 08:07:57 +0100
+Subject: [PATCH] Check for overflow in array size computation.
+
+Problem reported and analyzed by povcfe .
+
+Fixes issue #1382.
+
+* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c.patch
+---
+ src/truetype/ttgxvar.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index ad4f266..7fa8256 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -625,6 +625,7 @@
+ FT_UShort word_delta_count;
+ FT_UInt region_idx_count;
+ FT_UInt per_region_size;
++ FT_UInt delta_set_size;
+
+
+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
+@@ -682,7 +683,19 @@
+ if ( long_words )
+ per_region_size *= 2;
+
+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
++ /* Check for overflow (we actually test whether the */
++ /* multiplication of two unsigned values wraps around). */
++ delta_set_size = per_region_size * item_count;
++ if ( per_region_size &&
++ delta_set_size / per_region_size != item_count )
++ {
++ FT_TRACE2(( "tt_var_load_item_variation_store:"
++ " bad delta set array size\n" ));
++ error = FT_THROW( Array_Too_Large );
++ goto Exit;
++ }
++
++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
+ goto Exit;
+ if ( FT_Stream_Read( stream,
+ varData->deltaSet,
+--
+2.45.4
+
diff --git a/SPECS/freetype/freetype.spec b/SPECS/freetype/freetype.spec
index c96f318b846..c3aff72fb97 100644
--- a/SPECS/freetype/freetype.spec
+++ b/SPECS/freetype/freetype.spec
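Review bot: The validated product is kept in `delta_set_size`, but the second ttgxvar.c hunk ends at `varData->deltaSet,`, so the length argument of `FT_Stream_Read` lies outside the hunk and, given the single deleted line, presumably still recomputes `per_region_size * item_count`. Once the check has passed that is the same value, so this is not a defect today. Passing `delta_set_size ) )` as the read length would still tie the allocation size and the read length to the one checked variable, so a later edit cannot let them diverge. tt_var_load_item_variation_store starts and ends outside both hunks, so this needs confirming against the full function.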
@@ -1,7 +1,7 @@
 Summary: software font engine.
 Name: freetype
 Version: 2.13.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD/GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -9,6 +9,7 @@ Group: System Environment/Libraries
 URL: https://www.freetype.org/
 Source0: https://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.gz
 Source1: https://download.savannah.gnu.org/releases/freetype/freetype-doc-%{version}.tar.gz
+Patch0: CVE-2026-23865.patch
 BuildRequires: brotli-devel
 BuildRequires: bzip2-devel
 BuildRequires: gcc
@@ -80,6 +81,9 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{_bindir}/freetype-config %changelog +* Tue Mar 03 2026 Azure Linux Security Servicing Account - 2.13.2-2 +- Patch for CVE-2026-23865 + * Thu Nov 02 2023 CBL-Mariner Servicing Account - 2.13.2-1 - Auto-upgrade to 2.13.2 - Azure Linux 3.0 - package upgrades
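Review bot: Nothing in the visible spec hunks applies the newly declared `Patch0: CVE-2026-23865.patch`; the `%prep` section is outside this diff, so confirm that it uses `%autosetup -p1` or an explicit `%patch` line. With a plain `%setup`, the package would still build and ship as release 2 with the CVE changelog entry while `src/truetype/ttgxvar.c` stays unpatched. Checking the build log for the patch being applied, or that the built source contains `delta_set_size`, would close that gap.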