diff options
| author |   Diego Santa Cruz <Diego.SantaCruz@spinetix.com> | 2020-11-11 18:57:33 +0100 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2020-11-13 05:57:16 -1000 |
| commit | b4a92a20a683a74423fd5a833d5c016f63dba2b4 (patch) | |
| tree | a9813aefcf916e817b7fd2f2f816edc57e989207 | |
| parent | 49955248b6011450a8767496783fb9f4738c9a99 (diff) | |
| download | openembedded-core-contrib-b4a92a20a683a74423fd5a833d5c016f63dba2b4.tar.gz | |
freetype: fix CVE-2020-15999, backport from 2.10.4
Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 | ||||
| -rw-r--r-- | meta/recipes-graphics/freetype/freetype_2.10.1.bb | 1 |
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch new file mode 100644 index 0000000000..fa8a29b798 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch @@ -0,0 +1,51 @@ +From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Mon, 19 Oct 2020 23:45:28 +0200 +Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308). + +This is CVE-2020-15999. + +* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd] + +Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> +--- + src/sfnt/pngshim.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c +index 2e64e5846..f55016122 100644 +--- a/src/sfnt/pngshim.c ++++ b/src/sfnt/pngshim.c +@@ -332,6 +332,13 @@ + + if ( populate_map_and_metrics ) + { ++ /* reject too large bitmaps similarly to the rasterizer */ ++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto DestroyExit; ++ } ++ + metrics->width = (FT_UShort)imgWidth; + metrics->height = (FT_UShort)imgHeight; + +@@ -340,13 +347,6 @@ + map->pixel_mode = FT_PIXEL_MODE_BGRA; + map->pitch = (int)( map->width * 4 ); + map->num_grays = 256; +- +- /* reject too large bitmaps similarly to the rasterizer */ +- if ( map->rows > 0x7FFF || map->width > 0x7FFF ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto DestroyExit; +- } + } + + /* convert palette/gray image to rgb */ +-- +2.18.4 + diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb index d1c093054b..2d444bbf19 100644 --- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb @@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://use-right-libtool.patch \ + file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \ " SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f" SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f" |