[sfnt] Fix heap buffer overflow (#59308).

This is CVE-2020-15999. * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
4 years ago · a3bab162b2
parent 840ce58f94
commit a3bab162b2
2 changed files with 15 additions and 7 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2020-10-19  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix heap buffer overflow (#59308).
+
+	This is CVE-2020-15999.
+
+	* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
 2020-10-17  Alexei Podtelezhnikov  <apodtele@gmail.com>

 	* src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@ -332,6 +332,13 @@

    if ( populate_map_and_metrics )
    {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
      metrics->width  = (FT_UShort)imgWidth;
      metrics->height = (FT_UShort)imgHeight;

@ -340,13 +347,6 @@
      map->pixel_mode = FT_PIXEL_MODE_BGRA;
      map->pitch      = (int)( map->width * 4 );
      map->num_grays  = 256;
-
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
    }

    /* convert palette/gray image to rgb */