main/freetype: fix CVE-2020-15999

2026-05-05 20:36:40 +02:00 · 2020-10-20 07:08:14 -03:00 · 2020-10-20 07:08:14 -03:00 · 58141e176c
commit 58141e176c
parent d7f4631808
2 changed files with 54 additions and 2 deletions
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=freetype
 pkgver=2.10.0
-pkgrel=0
+pkgrel=1
 pkgdesc="TrueType font rendering library"
 url="https://www.freetype.org/"
 arch="all"
@ -15,9 +15,12 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
 source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.bz2
 	0001-Enable-table-validation-modules.patch
 	subpixel.patch
+	CVE-2020-15999.patch
 	"

 # secfixes:
+#   2.10.0-r1:
+#     - CVE-2020-15999
 #   2.9-r1:
 #     - CVE-2018-6942
 #   2.7.1-r1:
@ -56,4 +59,5 @@ package() {

 sha512sums="dfad66f419ea9577f09932e0730c0c887bdcbdbc8152fa7477a0c39d69a5b68476761deed6864ddcc5cf18d100a7a3f728049768e24afcb04b1a74b25b6acf7e  freetype-2.10.0.tar.bz2
 580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763  0001-Enable-table-validation-modules.patch
-72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190  subpixel.patch"
+72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190  subpixel.patch
+fe697a15777b44bb36c705aa4e13f352329c418de89e3d457381d0852ca2931dfa6d6b6ebc6c59322ba2af94e956f06a31e25f0d57db139f5ba2ce79fa5a8fd9  CVE-2020-15999.patch"
--- a/main/freetype/CVE-2020-15999.patch
+++ b/main/freetype/CVE-2020-15999.patch
@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+cgit v1.2.1
+
+