[sfnt] Fix heap buffer overflow.

This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
author: Werner Lemberg <wl@gnu.org> 2020-11-19 19:18:32 +0000
committer: Moonchild <moonchild@palemoon.org> 2020-11-19 19:18:32 +0000
commit: 76d62cfc38da29bd3d0179bc209526bbf9feb3f2 (patch)
tree: 7c8e3d49217e923fc501050220cd50b580baf88d
parent: eefaee9064be68c5012d9e5c092012efb1fc2514 (diff)
download: uxp-76d62cfc38da29bd3d0179bc209526bbf9feb3f2.tar.gz
1 files changed, 7 insertions, 7 deletions
diff --git a/modules/freetype2/src/sfnt/pngshim.c b/modules/freetype2/src/sfnt/pngshim.c
index 16020266af..1c2ce83df6 100644
--- a/modules/freetype2/src/sfnt/pngshim.c
+++ b/modules/freetype2/src/sfnt/pngshim.c
@@ -327,6 +327,13 @@
 
     if ( populate_map_and_metrics )
     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       metrics->width  = (FT_UShort)imgWidth;
       metrics->height = (FT_UShort)imgHeight;
 
@@ -335,13 +342,6 @@
       map->pixel_mode = FT_PIXEL_MODE_BGRA;
       map->pitch      = (int)( map->width * 4 );
       map->num_grays  = 256;
-
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
     }
 
     /* convert palette/gray image to rgb */
author	Werner Lemberg <wl@gnu.org>	2020-11-19 19:18:32 +0000
committer	Moonchild <moonchild@palemoon.org>	2020-11-19 19:18:32 +0000
commit	76d62cfc38da29bd3d0179bc209526bbf9feb3f2 (patch)
tree	7c8e3d49217e923fc501050220cd50b580baf88d
parent	eefaee9064be68c5012d9e5c092012efb1fc2514 (diff)
download	uxp-76d62cfc38da29bd3d0179bc209526bbf9feb3f2.tar.gz