author | Leo <thinkabit.ukim@gmail.com> | 2020-10-20 07:08:14 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-10-20 07:09:18 -0300 |
commit | 58141e176cb1a99d3495cbef2733359bb7d79fbf (patch) | |
tree | c27a86045cb3047fba8f42936538e80547510752 | |
parent | d7f4631808dde481f85b6b3ade46dca0a5d6e6ea (diff) |
main/freetype: fix CVE-2020-15999
-rw-r--r-- | main/freetype/APKBUILD | 8 | ||||
-rw-r--r-- | main/freetype/CVE-2020-15999.patch | 48 |
2 files changed, 54 insertions, 2 deletions
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 7e55119ea86..13dc7168188 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=freetype
 pkgver=2.10.0
-pkgrel=0
+pkgrel=1
 pkgdesc="TrueType font rendering library"
 url="https://www.freetype.org/"
 arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
 source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.bz2
 0001-Enable-table-validation-modules.patch
 subpixel.patch
+ CVE-2020-15999.patch
 "
 # secfixes:
+# 2.10.0-r1:
+# - CVE-2020-15999
 # 2.9-r1:
 # - CVE-2018-6942
 # 2.7.1-r1:
@@ -56,4 +59,5 @@ package() {
 sha512sums="dfad66f419ea9577f09932e0730c0c887bdcbdbc8152fa7477a0c39d69a5b68476761deed6864ddcc5cf18d100a7a3f728049768e24afcb04b1a74b25b6acf7e freetype-2.10.0.tar.bz2
 580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
-72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch"
+72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
+fe697a15777b44bb36c705aa4e13f352329c418de89e3d457381d0852ca2931dfa6d6b6ebc6c59322ba2af94e956f06a31e25f0d57db139f5ba2ce79fa5a8fd9 CVE-2020-15999.patch"
diff --git a/main/freetype/CVE-2020-15999.patch b/main/freetype/CVE-2020-15999.patch
new file mode 100644
index 00000000000..067aa7e4605
--- /dev/null
+++ b/main/freetype/CVE-2020-15999.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+cgit v1.2.1
+
+
|
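Review bot: The comment on the added guard (`/* reject too large bitmaps similarly to the rasterizer */`) does not say why the test has to sit above `metrics->width = (FT_UShort)imgWidth;`, and that ordering is the whole fix. The removed check compared `map->rows` and `map->width`, fields that are presumably filled from the already narrowed 16-bit metrics (those assignments fall between the two embedded hunks and are not shown), so an oversized PNG dimension could wrap to a small value and pass the test. I would extend the comment to something like `/* must precede the FT_UShort casts below: they truncate, so a later check sees wrapped values */` so the guard is not moved back down in a later refactor. The guard only runs when `populate_map_and_metrics` is set; the rest of Load_SBit_Png lies outside the hunk, so the bounds handling on the other path cannot be confirmed from here.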