diff options
author | Werner Lemberg <wl@gnu.org> | 2020-11-19 19:18:32 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-11-19 22:47:19 +0000 |
commit | 459c36b9df31e28e04e49243754aa2ebcd02a92c (patch) | |
tree | 7b07327c2b15a5cec5460a0f0e7c41cebc7c7d1b | |
parent | c9508464d5f54d57e89b6bbfbcd2b903bfd9edb2 (diff) | |
download | UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.gz UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.lz UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.tar.xz UXP-459c36b9df31e28e04e49243754aa2ebcd02a92c.zip |
[sfnt] Fix heap buffer overflow.
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
-rw-r--r-- | modules/freetype2/src/sfnt/pngshim.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/modules/freetype2/src/sfnt/pngshim.c b/modules/freetype2/src/sfnt/pngshim.c index 16020266a..1c2ce83df 100644 --- a/modules/freetype2/src/sfnt/pngshim.c +++ b/modules/freetype2/src/sfnt/pngshim.c @@ -327,6 +327,13 @@ if ( populate_map_and_metrics ) { + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -335,13 +342,6 @@ map->pixel_mode = FT_PIXEL_MODE_BGRA; map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { - error = FT_THROW( Array_Too_Large ); - goto DestroyExit; - } } /* convert palette/gray image to rgb */ |