summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Lemberg <wl@gnu.org>2020-11-19 19:18:32 +0000
committerMoonchild <moonchild@palemoon.org>2020-11-19 22:47:19 +0000
commit459c36b9df31e28e04e49243754aa2ebcd02a92c (patch)
tree7b07327c2b15a5cec5460a0f0e7c41cebc7c7d1b
parentc9508464d5f54d57e89b6bbfbcd2b903bfd9edb2 (diff)
downloadUXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar
UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.gz
UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.lz
UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.xz
UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.zip
[sfnt] Fix heap buffer overflow.
This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
-rw-r--r--modules/freetype2/src/sfnt/pngshim.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/modules/freetype2/src/sfnt/pngshim.c b/modules/freetype2/src/sfnt/pngshim.c
index 16020266a..1c2ce83df 100644
--- a/modules/freetype2/src/sfnt/pngshim.c
+++ b/modules/freetype2/src/sfnt/pngshim.c
@@ -327,6 +327,13 @@
if ( populate_map_and_metrics )
{
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
@@ -335,13 +342,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
-
- /* reject too large bitmaps similarly to the rasterizer */
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
- {
- error = FT_THROW( Array_Too_Large );
- goto DestroyExit;
- }
}
/* convert palette/gray image to rgb */