authorWerner Lemberg <wl@gnu.org>2022-03-19 09:37:28 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-08-03 10:08:35 +0000
commit022d99cafa44f119915c0b98ef40c02fe8a2cc96 (patch)
tree64f3a0ca1c29c3da6bdf5e48dd9c915cf777507e
parent4477a5086bada2bf8dc8b408808ef32a6337f935 (diff)
downloadqtwebengine-chromium-022d99cafa44f119915c0b98ef40c02fe8a2cc96.tar.gz
[Backport] CVE-2022-27406
Cherry-pick of patch originally submitted at https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2: * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`. Fixes #1140. Change-Id: I41ea64c6e68e7c5697463ef205aaa6283ca57773 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/freetype/src/src/base/ftobjs.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/freetype/src/src/base/ftobjs.c b/chromium/third_party/freetype/src/src/base/ftobjs.c
index 158dbc61adb..aca97543d08 100644
--- a/chromium/third_party/freetype/src/src/base/ftobjs.c
+++ b/chromium/third_party/freetype/src/src/base/ftobjs.c
@@ -3318,6 +3318,9 @@
if ( !face )
return FT_THROW( Invalid_Face_Handle );
+ if ( !face->size )
+ return FT_THROW( Invalid_Size_Handle );
+
if ( !req || req->width < 0 || req->height < 0 ||
req->type >= FT_SIZE_REQUEST_TYPE_MAX )
return FT_THROW( Invalid_Argument );