1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CVE-2020-15999: Heap buffer overflow in freetype

Browse Source 
Manual cherry-pick of fix in freetype:
Fix heap buffer overflow (#59308).

This is CVE-2020-15999.

* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.

Pick-to: 5.15 5.12.10
Change-Id: I23824074f134802b3e4f737877d144b59e6b8151
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
This commit is contained in:
Werner Lemberg 2020-10-19 23:45:28 +02:00 committed by Michael Brüning
parent 5e43997a70
commit 0948846b42
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/3rdparty/freetype/src/sfnt/pngshim.c vendored
View File

@ -328,6 +328,13 @@
if ( populate_map_and_metrics )
{
/* reject too large bitmaps similarly to the rasterizer */
if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
{
error = FT_THROW( Array_Too_Large );
goto DestroyExit;
}
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
@ -336,13 +343,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
/* reject too large bitmaps similarly to the rasterizer */
if ( map->rows > 0x7FFF || map->width > 0x7FFF )
{
error = FT_THROW( Array_Too_Large );
goto DestroyExit;
}
}
/* convert palette/gray image to rgb */