49 lines
1.3 KiB
Diff
49 lines
1.3 KiB
Diff
From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
|
|
From: Werner Lemberg <wl@gnu.org>
|
|
Date: Mon, 19 Oct 2020 23:45:28 +0200
|
|
Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
|
|
|
|
This is CVE-2020-15999.
|
|
|
|
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
|
|
---
|
|
ChangeLog | 8 ++++++++
|
|
src/sfnt/pngshim.c | 14 +++++++-------
|
|
2 files changed, 15 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
|
|
index 2e64e5846..f55016122 100644
|
|
--- a/src/sfnt/pngshim.c
|
|
+++ b/src/sfnt/pngshim.c
|
|
@@ -332,6 +332,13 @@
|
|
|
|
if ( populate_map_and_metrics )
|
|
{
|
|
+ /* reject too large bitmaps similarly to the rasterizer */
|
|
+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
|
|
+ {
|
|
+ error = FT_THROW( Array_Too_Large );
|
|
+ goto DestroyExit;
|
|
+ }
|
|
+
|
|
metrics->width = (FT_UShort)imgWidth;
|
|
metrics->height = (FT_UShort)imgHeight;
|
|
|
|
@@ -340,13 +347,6 @@
|
|
map->pixel_mode = FT_PIXEL_MODE_BGRA;
|
|
map->pitch = (int)( map->width * 4 );
|
|
map->num_grays = 256;
|
|
-
|
|
- /* reject too large bitmaps similarly to the rasterizer */
|
|
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
|
|
- {
|
|
- error = FT_THROW( Array_Too_Large );
|
|
- goto DestroyExit;
|
|
- }
|
|
}
|
|
|
|
/* convert palette/gray image to rgb */
|
|
--
|
|
2.26.2
|
|
|