author | Werner Lemberg <wl@gnu.org> | 2022-03-19 09:37:28 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-03 10:08:35 +0000 |
commit | 022d99cafa44f119915c0b98ef40c02fe8a2cc96 (patch) | |
tree | 64f3a0ca1c29c3da6bdf5e48dd9c915cf777507e | |
parent | 4477a5086bada2bf8dc8b408808ef32a6337f935 (diff) | |
download | qtwebengine-chromium-022d99cafa44f119915c0b98ef40c02fe8a2cc96.tar.gz |
[Backport] CVE-2022-27406
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2:
* src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
Fixes #1140.
Change-Id: I41ea64c6e68e7c5697463ef205aaa6283ca57773
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/freetype/src/src/base/ftobjs.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/freetype/src/src/base/ftobjs.c b/chromium/third_party/freetype/src/src/base/ftobjs.c index 158dbc61adb..aca97543d08 100644 --- a/chromium/third_party/freetype/src/src/base/ftobjs.c +++ b/chromium/third_party/freetype/src/src/base/ftobjs.c @@ -3318,6 +3318,9 @@ if ( !face ) return FT_THROW( Invalid_Face_Handle ); + if ( !face->size ) + return FT_THROW( Invalid_Size_Handle ); + if ( !req || req->width < 0 || req->height < 0 || req->type >= FT_SIZE_REQUEST_TYPE_MAX ) return FT_THROW( Invalid_Argument ); |
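Review bot: The added `if ( !face->size )` guard in the `@@ -3318,6 +3318,9 @@` hunk has no comment saying how a non-NULL face can arrive here without a size object, and the commit message only points at "#1140" for that. A short comment above the check that names the condition from that issue would keep the reason with the code, which matters for a backport whose upstream history is not in this tree. Placement after the `!face` test is right, since the new line dereferences `face`. Note that it also runs before the `req` validation, so a call with both a missing size and a bad request now returns `Invalid_Size_Handle` rather than `Invalid_Argument`. The change touches only `ftobjs.c` (1 file, 3 insertions), so nothing exercises the new path; a regression case that calls `FT_Request_Size` on a face with no size and expects `Invalid_Size_Handle` would cover it.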