commit d01333a5bfa2ac4ed698c24b323d02107deacad7 (HEAD, 20260131_CVE-2025-15270_bsc#1256031_tag_None_d01333a5bfa2ac4ed698c24b323d02107deacad7)
Author: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
Date:   Sat Jan 31 21:23:41 2026 +0100

    Fix CVE-2025-15270: Heap buffer overflow in SFD kern class parsing (#5743)
    
    Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
    
    Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>

diff a/fontforge/sfd.c b/fontforge/sfd.c
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
 	for ( i=classstart; i<kc->first_cnt; ++i ) {
 	  if (kernclassversion < 3) {
 	    getint(sfd,&temp);
+	    if (temp < 0) {
+	      LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+	      return false;
+	    }
 	    kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
 	    nlgetc(sfd);	/* skip space */
 	    fread(kc->firsts[i],1,temp,sfd);
@@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
 	for ( i=1; i<kc->second_cnt; ++i ) {
 	  if (kernclassversion < 3) {
 	    getint(sfd,&temp);
+	    if (temp < 0) {
+	      LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+	      return false;
+	    }
 	    kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
 	    nlgetc(sfd);	/* skip space */
 	    fread(kc->seconds[i],1,temp,sfd);