CVE-2020-15999: Heap buffer overflow in freetype

Manual cherry-pick of fix in freetype: Fix heap buffer overflow (#59308). This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. Pick-to: 5.15 5.12.10 Change-Id: I23824074f134802b3e4f737877d144b59e6b8151 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Werner Lemberg <wl@gnu.org> 2020-10-19 23:45:28 +0200
committer: Michael Brüning <michael.bruning@qt.io> 2020-10-20 10:43:10 +0000
commit: 0948846b42e0009ed2c9211c6995ce228db07032 (patch)
tree: 17708696c57bb39fba598c7ee1be07f06d49bbe8 /src/3rdparty/freetype
parent: 5e43997a705a449f0596d36b93948da3b71c4567 (diff)
1 files changed, 7 insertions, 7 deletions
diff --git a/src/3rdparty/freetype/src/sfnt/pngshim.c b/src/3rdparty/freetype/src/sfnt/pngshim.c
index fc78b6d5df..2e0904ffd2 100644
--- a/src/3rdparty/freetype/src/sfnt/pngshim.c
+++ b/src/3rdparty/freetype/src/sfnt/pngshim.c
@@ -328,6 +328,13 @@
 
     if ( populate_map_and_metrics )
     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       metrics->width  = (FT_UShort)imgWidth;
       metrics->height = (FT_UShort)imgHeight;
 
@@ -336,13 +343,6 @@
       map->pixel_mode = FT_PIXEL_MODE_BGRA;
       map->pitch      = (int)( map->width * 4 );
       map->num_grays  = 256;
-
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
     }
 
     /* convert palette/gray image to rgb */
author	Werner Lemberg <wl@gnu.org>	2020-10-19 23:45:28 +0200
committer	Michael Brüning <michael.bruning@qt.io>	2020-10-20 10:43:10 +0000
commit	0948846b42e0009ed2c9211c6995ce228db07032 (patch)
tree	17708696c57bb39fba598c7ee1be07f06d49bbe8 /src/3rdparty/freetype
parent	5e43997a705a449f0596d36b93948da3b71c4567 (diff)