[tbb-commits] [tor-browser/tor-browser-68.12.0esr-9.5-1] Bug 1672223 - [sfnt] Fix heap buffer overflow. r=jfkthame
sysrqb at torproject.org
Wed Oct 21 13:42:27 UTC 2020
commit 324751877ea62d526cfda8e581a4ba1a1f431769
Author: Werner Lemberg <wl at gnu.org>
Date: Tue Oct 20 19:56:59 2020 +0000
Bug 1672223 - [sfnt] Fix heap buffer overflow. r=jfkthame
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
Differential Revision: https://phabricator.services.mozilla.com/D94153
---
modules/freetype2/src/sfnt/pngshim.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/freetype2/src/sfnt/pngshim.c b/modules/freetype2/src/sfnt/pngshim.c
index 16020266afd5..7d856af53922 100644
--- a/modules/freetype2/src/sfnt/pngshim.c
+++ b/modules/freetype2/src/sfnt/pngshim.c
@@ -327,6 +327,13 @@
if ( populate_map_and_metrics )
{
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
metrics->width = (FT_UShort)imgWidth;
metrics->height = (FT_UShort)imgHeight;
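Review bot: the comment on the new test at the top of the populate_map_and_metrics block ("reject too large bitmaps similarly to the rasterizer") does not say why the test has to sit before the two (FT_UShort) casts that follow it. imgWidth and imgHeight are narrowed to FT_UShort when stored in metrics->width and metrics->height, so a value above 0xFFFF wraps before anything downstream sees it; stating that in the comment would keep a later cleanup from moving the test back below the assignments. The test is also only reached when populate_map_and_metrics is set, and the visible lines do not show what bounds imgWidth and imgHeight on the other path, so that is worth confirming.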
@@ -335,13 +342,6 @@
map->pixel_mode = FT_PIXEL_MODE_BGRA;
map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
-
- /* reject too large bitmaps similarly to the rasterizer */
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
- {
- error = FT_THROW( Array_Too_Large );
- goto DestroyExit;
- }
}
/* convert palette/gray image to rgb */
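Review bot: the size test dropped from the end of the populate_map_and_metrics block, after map->num_grays, is not replaced by any regression coverage; the diffstat lists pngshim.c only. A test that loads an embedded PNG bitmap whose declared width or height exceeds 0x7FFF and expects Array_Too_Large would pin the new ordering. The removed test read map->rows and map->width, and this hunk does not show where those are assigned; if they are copied from the already narrowed metrics->width and metrics->height, saying so in the commit message would explain why testing them at that point was too late.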