diff options
author | Werner Lemberg <wl@gnu.org> | 2020-10-19 23:45:28 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-10-20 15:00:21 +0000 |
commit | 322ada57e91e2e38d26efb88f7250c3c2bfb49cc (patch) | |
tree | 67a32dfd6ae3d6e884f20ed1c5f7e2cb67f08220 | |
parent | 013f5ca939e5d86061af1f9056e3d844c3eb8e59 (diff) |
CVE-2020-15999: Heap buffer overflow in freetype
Manual cherry-pick of fix in freetype:
Fix heap buffer overflow (#59308).
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
Change-Id: I23824074f134802b3e4f737877d144b59e6b8151
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 0948846b42e0009ed2c9211c6995ce228db07032)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/3rdparty/freetype/src/sfnt/pngshim.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/3rdparty/freetype/src/sfnt/pngshim.c b/src/3rdparty/freetype/src/sfnt/pngshim.c index fc78b6d5df..2e0904ffd2 100644 --- a/src/3rdparty/freetype/src/sfnt/pngshim.c +++ b/src/3rdparty/freetype/src/sfnt/pngshim.c @@ -328,6 +328,13 @@ if ( populate_map_and_metrics ) { + /* reject too large bitmaps similarly to the rasterizer */ + if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -336,13 +343,6 @@ map->pixel_mode = FT_PIXEL_MODE_BGRA; map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { - error = FT_THROW( Array_Too_Large ); - goto DestroyExit; - } } /* convert palette/gray image to rgb */ |