diff options
Diffstat (limited to 'media-libs/freetype/files/freetype-2.10.3-CVE-2020-15999.patch')
-rw-r--r-- | media-libs/freetype/files/freetype-2.10.3-CVE-2020-15999.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/media-libs/freetype/files/freetype-2.10.3-CVE-2020-15999.patch b/media-libs/freetype/files/freetype-2.10.3-CVE-2020-15999.patch new file mode 100644 index 000000000000..215b03b2d3d5 --- /dev/null +++ b/media-libs/freetype/files/freetype-2.10.3-CVE-2020-15999.patch @@ -0,0 +1,51 @@ +http://git.savannah.nongnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd +https://bugs.gentoo.org/750275 +---- +From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Mon, 19 Oct 2020 23:45:28 +0200 +Subject: [sfnt] Fix heap buffer overflow (#59308). + +This is CVE-2020-15999. + +* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. +--- + ChangeLog | 8 ++++++++ + src/sfnt/pngshim.c | 14 +++++++------- + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c +index 2e64e5846..f55016122 100644 +--- a/src/sfnt/pngshim.c ++++ b/src/sfnt/pngshim.c +@@ -332,6 +332,13 @@ + + if ( populate_map_and_metrics ) + { ++ /* reject too large bitmaps similarly to the rasterizer */ ++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto DestroyExit; ++ } ++ + metrics->width = (FT_UShort)imgWidth; + metrics->height = (FT_UShort)imgHeight; + +@@ -340,13 +347,6 @@ + map->pixel_mode = FT_PIXEL_MODE_BGRA; + map->pitch = (int)( map->width * 4 ); + map->num_grays = 256; +- +- /* reject too large bitmaps similarly to the rasterizer */ +- if ( map->rows > 0x7FFF || map->width > 0x7FFF ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto DestroyExit; +- } + } + + /* convert palette/gray image to rgb */ +-- +cgit v1.2.1 + |