diff --git a/ChangeLog b/ChangeLog index e89f4c9e7..7c4b057a8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2020-10-19 Werner Lemberg + + [sfnt] Fix heap buffer overflow (#59308). + + This is CVE-2020-15999. + + * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. + 2020-10-17 Alexei Podtelezhnikov * src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++. diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c index 2e64e5846..f55016122 100644 --- a/src/sfnt/pngshim.c +++ b/src/sfnt/pngshim.c @@ -332,6 +332,13 @@ if ( populate_map_and_metrics ) { + /* reject too large bitmaps similarly to the rasterizer */ + if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -340,13 +347,6 @@ map->pixel_mode = FT_PIXEL_MODE_BGRA; map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { - error = FT_THROW( Array_Too_Large ); - goto DestroyExit; - } } /* convert palette/gray image to rgb */