diff options
| author | Werner Lemberg <wl@gnu.org> | 2020-11-19 19:18:32 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2020-11-19 19:18:32 +0000 |
| commit | 5264bd727d29b27d3090f4f14d96d4fafc416fc9 (patch) | |
| tree | 7c8e3d49217e923fc501050220cd50b580baf88d /modules | |
| parent | 35269ff84e40f305f20b0c569b34aa06b211a8c6 (diff) | |
| download | aura-central-5264bd727d29b27d3090f4f14d96d4fafc416fc9.tar.gz | |
[sfnt] Fix heap buffer overflow.
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/freetype2/src/sfnt/pngshim.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/modules/freetype2/src/sfnt/pngshim.c b/modules/freetype2/src/sfnt/pngshim.c index 16020266a..1c2ce83df 100644 --- a/modules/freetype2/src/sfnt/pngshim.c +++ b/modules/freetype2/src/sfnt/pngshim.c @@ -327,6 +327,13 @@ if ( populate_map_and_metrics ) { + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -335,13 +342,6 @@ map->pixel_mode = FT_PIXEL_MODE_BGRA; map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { - error = FT_THROW( Array_Too_Large ); - goto DestroyExit; - } } /* convert palette/gray image to rgb */ |