minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 4 Releases Wiki Activity

[sfnt] Fix heap buffer overflow (#59308). 

This is CVE-2020-15999.

* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
This commit is contained in:
Werner Lemberg 2020-10-19 23:45:28 +02:00
parent 840ce58f94
commit a3bab162b2
2 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -1,3 +1,11 @@
2020-10-19 Werner Lemberg <wl@gnu.org>
[sfnt] Fix heap buffer overflow (#59308).
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
2020-10-17 Alexei Podtelezhnikov <apodtele@gmail.com>
* src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.

14
src/sfnt/pngshim.c
View File

@ -332,6 +332,13 @@
if ( populate_map_and_metrics )
{
/* reject too large bitmaps similarly to the rasterizer */
if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
{
error = FT_THROW( Array_Too_Large );
goto DestroyExit;
}
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
@ -340,13 +347,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
/* reject too large bitmaps similarly to the rasterizer */
if ( map->rows > 0x7FFF || map->width > 0x7FFF )
{
error = FT_THROW( Array_Too_Large );
goto DestroyExit;
}
}
/* convert palette/gray image to rgb */