* [dunfell][PATCH] freetype: fix CVE-2020-15999, backport from 2.10.4
@ 2020-11-11 17:57 Diego Santa Cruz
0 siblings, 0 replies; only message in thread
From: Diego Santa Cruz @ 2020-11-11 17:57 UTC (permalink / raw)
To: openembedded-core; +Cc: Diego Santa Cruz
Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
---
...-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 +++++++++++++++++++
.../freetype/freetype_2.10.1.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
new file mode 100644
index 0000000000..fa8a29b798
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -0,0 +1,51 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
+
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+2.18.4
+
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index d1c093054b..2d444bbf19 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
file://use-right-libtool.patch \
+ file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
"
SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
--
2.18.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-11-11 17:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-11-11 17:57 [dunfell][PATCH] freetype: fix CVE-2020-15999, backport from 2.10.4 Diego Santa Cruz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox