ref: a3bab162b2ae616074c8877a04556932998aeacd
parent: 840ce58f94bafdd24a138a9f7920becb5a30695f
author: Werner Lemberg <wl@gnu.org>
date: Mon Oct 19 19:45:28 EDT 2020
[sfnt] Fix heap buffer overflow (#59308). This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2020-10-19 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Fix heap buffer overflow (#59308).
+
+ This is CVE-2020-15999.
+
+ * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
2020-10-17 Alexei Podtelezhnikov <apodtele@gmail.com>
* src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -332,6 +332,13 @@
if ( populate_map_and_metrics )
{+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+ {+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
@@ -340,13 +347,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
-
- /* reject too large bitmaps similarly to the rasterizer */
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
- {- error = FT_THROW( Array_Too_Large );
- goto DestroyExit;
- }
}
/* convert palette/gray image to rgb */