# HG changeset patch
# User Werner Lemberg <wl@gnu.org>
# Date 1603223819 0
#      Tue Oct 20 19:56:59 2020 +0000
# Node ID 5c356dd9b0f31f612ce90b1f35b14d8cdb0b4ecb
# Parent  a2ed93bf78d53309eb234b72ce0bf60ad93a3ac3
Bug 1672223 - [sfnt] Fix heap buffer overflow. r=jfkthame

This is CVE-2020-15999.

* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.

Differential Revision: https://phabricator.services.mozilla.com/D94153

diff -r a2ed93bf78d5 -r 5c356dd9b0f3 modules/freetype2/src/sfnt/pngshim.c
--- a/modules/freetype2/src/sfnt/pngshim.c	Tue Oct 20 21:14:51 2020 +0000
+++ b/modules/freetype2/src/sfnt/pngshim.c	Tue Oct 20 19:56:59 2020 +0000
@@ -328,6 +328,13 @@
 
     if ( populate_map_and_metrics )
     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       metrics->width  = (FT_UShort)imgWidth;
       metrics->height = (FT_UShort)imgHeight;
 
@@ -336,13 +343,6 @@
       map->pixel_mode = FT_PIXEL_MODE_BGRA;
       map->pitch      = (int)( map->width * 4 );
       map->num_grays  = 256;
-
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
     }
 
     /* convert palette/gray image to rgb */