diff options
| author | Werner Lemberg <wl@gnu.org> | 2020-10-19 23:45:28 +0200 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-10-20 09:13:08 +0000 |
| commit | 1357b9be19ff1b5c97ec6bb67c0d44677f93c5bb (patch) | |
| tree | 7da0ab158dba0cd6a7dec8f3dc75a83840cf7a3a | |
| parent | 4e06eb9f1cc3af892c18cf0ae690efcb616f0a21 (diff) | |
| download | qtwebengine-chromium-1357b9be19ff1b5c97ec6bb67c0d44677f93c5bb.tar.gz | |
[Backport] CVE-2020-15999: Heap buffer overflow in freetype
Manual cherry-pick of fix in freetype:
Fix heap buffer overflow (#59308).
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
Change-Id: I4f5fd188f268de8929d2759f64cec7cb55644c42
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/third_party/freetype/src/src/sfnt/pngshim.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/chromium/third_party/freetype/src/src/sfnt/pngshim.c b/chromium/third_party/freetype/src/src/sfnt/pngshim.c index 0674bdaa9f1..ba9e5ffd1fb 100644 --- a/chromium/third_party/freetype/src/src/sfnt/pngshim.c +++ b/chromium/third_party/freetype/src/src/sfnt/pngshim.c @@ -327,6 +327,13 @@ if ( populate_map_and_metrics ) { + /* reject too large bitmaps similarly to the rasterizer */ + if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -335,13 +342,6 @@ map->pixel_mode = FT_PIXEL_MODE_BGRA; map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { - error = FT_THROW( Array_Too_Large ); - goto DestroyExit; - } } /* convert palette/gray image to rgb */ |