new file mode 100644
@@ -0,0 +1,41 @@
+From 545b5eedf2a6866aecc04102f2e0853089cb760e Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Thu, 8 Jan 2026 15:47:43 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression (#5720)
+
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+
+CVE: CVE-2025-15279
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28a..133336787 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ int ii = 0;
+ while ( ii<head->height*head->width ) {
+ int cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt!=0 ) {
+ int ch = getc(file);
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt>= 3 ) {
+ int odd = cnt&1;
+ while ( --cnt>=0 )
new file mode 100644
@@ -0,0 +1,34 @@
+From 3bbdf6c7c161ff45d793e3bf5047720156e466ae Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Mon, 12 Jan 2026 22:45:16 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+ (#5723)
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+
+CVE: CVE-2025-15279
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787..ad365158c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
+- if (cnt < 0 || ii + cnt > head->height * head->width) {
+- return 0;
+- }
+ if ( cnt>= 3 ) {
++ if (ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ int odd = cnt&1;
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = getc(file);
@@ -21,7 +21,9 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
file://0001-cmake-Use-alternate-way-to-detect-libm.patch \
file://0001-Fix-Translations-containing-invalid-directives-hs.patch \
file://CVE-2024-25081_CVE-2024-25082.patch \
-"
+ file://CVE-2025-15279-1.patch \
+ file://CVE-2025-15279-2.patch \
+ "
EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
PACKAGECONFIG = "readline"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279 Pick the patch that mentions this vulnerability ID explicitly. Also, this patch has caused some regression - pick the patch also that fixed that regression. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../fontforge/CVE-2025-15279-1.patch | 41 +++++++++++++++++++ .../fontforge/CVE-2025-15279-2.patch | 34 +++++++++++++++ .../fontforge/fontforge_20230101.bb | 4 +- 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch