* [dunfell][PATCH] freetype: fix CVE-2020-15999, backport from 2.10.4
@ 2020-11-11 17:57 Diego Santa Cruz
  0 siblings, 0 replies; only message in thread
From: Diego Santa Cruz @ 2020-11-11 17:57 UTC (permalink / raw)
  To: openembedded-core; +Cc: Diego Santa Cruz

Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
---
 ...-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 +++++++++++++++++++
 .../freetype/freetype_2.10.1.bb               |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch

diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
new file mode 100644
index 0000000000..fa8a29b798
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -0,0 +1,51 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
+
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.18.4
+
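Review bot: The header of the added patch file has Upstream-Status and Signed-off-by lines but no "CVE: CVE-2020-15999" tag; the only reference to the CVE is the free-text sentence "This is CVE-2020-15999." in the upstream commit message. Add a "CVE: CVE-2020-15999" line next to Upstream-Status, since that tag is what OE-core uses to record which CVE a patch fixes and a prose mention is not machine-readable in the same way. On the C change itself, the moved test compares imgHeight and imgWidth against 0x7FFF before they are cast to FT_UShort for metrics->width and metrics->height, whereas the removed test looked at map->rows and map->width only after those assignments; that ordering is what the fix needs and the backport matches the referenced upstream commit id, so nothing to change there.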
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index d1c093054b..2d444bbf19 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
 
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
            file://use-right-libtool.patch \
+           file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
           "
 SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
 SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
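Review bot: The SRC_URI entry added here names the file 0001-sfnt-Fix-heap-buffer-overflow-59308.patch, which gives no indication in the recipe that it addresses CVE-2020-15999; someone auditing freetype_2.10.1.bb has to open the patch to find out. Consider naming the file after the CVE id so the fix is identifiable from SRC_URI alone. The cover text of this submission also has no body beyond the Signed-off-by, so a one-line description of what is being backported and why would help reviewers of the dunfell branch.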
-- 
2.18.1

