freetype: patch CVE-2025-27363

From [1]:
An out of bounds write exists in FreeType versions 2.13.0 and below
(newer versions of FreeType are not vulnerable) when attempting to
parse font subglyph structures related to TrueType GX and variable font
files. The vulnerable code assigns a signed short value to an unsigned
long and then adds a static value causing it to wrap around and
allocate too small of a heap buffer. The code then writes up to 6
signed long integers out of bounds relative to this buffer. This may
result in arbitrary code execution. This vulnerability may have been
exploited in the wild.

Per [2] patches [3] and [4] are needed.
Unfortunately, the code changed since 2.11.1 and it's not possible to do
backport without significant changes. Since Debian and Ubuntu have
already patched this CVE, take the patch from them - [5]/[6].
The patch is a combination of patch originally proposed in [7] and
follow-up patch [4].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-27363
[2] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
[3] ef63669652
[4] 73720c7c99
[5] https://git.launchpad.net/ubuntu/+source/freetype/commit/?h=applied/ubuntu/jammy-devel&id=fc406fb02653852dfa5979672e3d8d56ed329186
[6] 13295227b5
[7] https://www.openwall.com/lists/oss-security/2025/03/14/3

(From OE-Core rev: 5a8d4c7a9a0e099da0294141cf5590b55f0503cd)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch

@@ -0,0 +1,44 @@
+From 26b83ec58c60ced0e6c423df438227fb33ccca2e Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+Date: Thu, 13 Mar 2025 08:41:20 -0400
+Subject: [PATCH] fix OOB write when when attempting to parse font subglyph
+ structures
+
+Gbp-Pq: CVE-2025-27363.patch.
+
+Source: https://git.launchpad.net/ubuntu/+source/freetype/commit/?h=applied/ubuntu/jammy-devel&id=fc406fb02653852dfa5979672e3d8d56ed329186
+
+CVE: CVE-2025-27363
+Upstream-Status: Inappropriate [cannot do exact patch backport as the code changed too much]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/truetype/ttgload.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 11968f6..f5aa292 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1948,7 +1948,7 @@
+         short        i, limit;
+         FT_SubGlyph  subglyph;
+ 
+-        FT_Outline  outline;
++        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
+         FT_Vector*  points    = NULL;
+         char*       tags      = NULL;
+         short*      contours  = NULL;
+@@ -1957,6 +1957,13 @@
+ 
+         limit = (short)gloader->current.num_subglyphs;
+ 
++        /* make sure this isn't negative as we're going to add 4 later */
++        if ( limit < 0 )
++        {
++          error = FT_THROW( Invalid_Argument );
++          goto Exit;
++        }
++
+         /* construct an outline structure for              */
+         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );

meta/recipes-graphics/freetype/freetype_2.11.1.bb

@@ -17,6 +17,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \
            file://CVE-2022-27405.patch \
            file://CVE-2022-27406.patch \
            file://CVE-2023-2004.patch \
+           file://CVE-2025-27363.patch \
            "
 SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"