summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDiego Santa Cruz <diego.santacruz@spinetix.com>2020-11-11 18:56:01 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-11-20 10:53:20 +0000
commit7d58c8bed682d3069d877060940a38a8989aa57d (patch)
treed649feb9a4d63851f1f3042cbeef7212d39b28a0
parent5232b03e22a49c368fbf4d79e05519ad5e48db4a (diff)
downloadpoky-7d58c8bed682d3069d877060940a38a8989aa57d.tar.gz
freetype: fix CVE-2020-15999, backport from 2.10.4
(From OE-Core rev: 95b928e68325218508cff8def10e72bbe0051c83) Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch51
-rw-r--r--meta/recipes-graphics/freetype/freetype_2.10.2.bb1
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
new file mode 100644
index 0000000000..fa8a29b798
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -0,0 +1,51 @@
1From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
2From: Werner Lemberg <wl@gnu.org>
3Date: Mon, 19 Oct 2020 23:45:28 +0200
4Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
5
6This is CVE-2020-15999.
7
8* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
9
10Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
11
12Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
13---
14 src/sfnt/pngshim.c | 14 +++++++-------
15 1 file changed, 7 insertions(+), 7 deletions(-)
16
17diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
18index 2e64e5846..f55016122 100644
19--- a/src/sfnt/pngshim.c
20+++ b/src/sfnt/pngshim.c
21@@ -332,6 +332,13 @@
22
23 if ( populate_map_and_metrics )
24 {
25+ /* reject too large bitmaps similarly to the rasterizer */
26+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
27+ {
28+ error = FT_THROW( Array_Too_Large );
29+ goto DestroyExit;
30+ }
31+
32 metrics->width = (FT_UShort)imgWidth;
33 metrics->height = (FT_UShort)imgHeight;
34
35@@ -340,13 +347,6 @@
36 map->pixel_mode = FT_PIXEL_MODE_BGRA;
37 map->pitch = (int)( map->width * 4 );
38 map->num_grays = 256;
39-
40- /* reject too large bitmaps similarly to the rasterizer */
41- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
42- {
43- error = FT_THROW( Array_Too_Large );
44- goto DestroyExit;
45- }
46 }
47
48 /* convert palette/gray image to rgb */
49--
502.18.4
51
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.2.bb b/meta/recipes-graphics/freetype/freetype_2.10.2.bb
index 1034ddc0d7..cb0006b23e 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.2.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.2.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
14 14
15SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ 15SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
16 file://use-right-libtool.patch \ 16 file://use-right-libtool.patch \
17 file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
17 " 18 "
18SRC_URI[md5sum] = "7c0d5a39f232d7eb9f9d7da76bf08074" 19SRC_URI[md5sum] = "7c0d5a39f232d7eb9f9d7da76bf08074"
19SRC_URI[sha256sum] = "1543d61025d2e6312e0a1c563652555f17378a204a61e99928c9fcef030a2d8b" 20SRC_URI[sha256sum] = "1543d61025d2e6312e0a1c563652555f17378a204a61e99928c9fcef030a2d8b"