[sfnt] Fix heap buffer overflow (#59308). This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
diff --git a/ChangeLog b/ChangeLog
index e89f4c9..7c4b057 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2020-10-19 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Fix heap buffer overflow (#59308).
+
+ This is CVE-2020-15999.
+
+ * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
2020-10-17 Alexei Podtelezhnikov <apodtele@gmail.com>
* src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.
diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
index 2e64e58..f550161 100644
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -332,6 +332,13 @@
if ( populate_map_and_metrics )
{
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
@@ -340,13 +347,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
-
- /* reject too large bitmaps similarly to the rasterizer */
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
- {
- error = FT_THROW( Array_Too_Large );
- goto DestroyExit;
- }
}
/* convert palette/gray image to rgb */