Overview

File CVE-2020-15999.patch of Package freetype2.38427

From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 19 Oct 2020 23:45:28 +0200
Subject: [sfnt] Fix heap buffer overflow (#59308).

This is CVE-2020-15999.

* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
---
 src/sfnt/pngshim.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'src/sfnt')

diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
index 2e64e5846..f55016122 100644
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -258,6 +258,14 @@
 
     if ( populate_map_and_metrics )
     {
+
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       FT_ULong  size;
 
 
@@ -270,13 +278,6 @@
       map->pitch      = (int)( map->width * 4 );
       map->num_grays  = 256;
 
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
-
       /* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */
       size = map->rows * (FT_ULong)map->pitch;
openSUSE Build Service is sponsored by
Places