fix CVE-2020-15999

2020-12-08 14:28:02 +08:00 · 2020-12-08 14:28:02 +08:00 · 5a4b46f54f
commit 5a4b46f54f
parent 33db65d057
2 changed files with 54 additions and 1 deletions
--- a/CVE-2020-15999.patch
+++ b/CVE-2020-15999.patch
@ -0,0 +1,45 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+ This is CVE-2020-15999.
+ * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+reference：https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 523b30a..5502108 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -328,6 +328,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -336,13 +343,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.27.0
--- a/freetype.spec
+++ b/freetype.spec
@ -4,7 +4,7 @@

 Name:           freetype
 Version:        2.10.2
-Release:        1
+Release:        2
 Summary:        FreeType is a freely available software library to render fonts
 License:        (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL:            http://www.freetype.org
@ -14,6 +14,7 @@ Source2:        http://download.savannah.gnu.org/releases/freetype/ft2demos-%{ve
 Source3:        ftconfig.h

 Patch1:         freetype-2.5.2-more-demos.patch
+Patch2:         CVE-2020-15999.patch

 BuildRequires:  gcc libX11-devel libpng-devel zlib-devel bzip2-devel

@ -50,6 +51,7 @@ Man pages and other related for freetype documents.
 pushd ft2demos-%{version}
 %patch1  -p1 -b .more-demos
 popd
+%patch2 -p1

 %build
 %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
@ -121,6 +123,12 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 %{_mandir}/man1/*

 %changelog
+* Tue Dec 08 2020 zhanzhimin <zhanzhimin@huawei.com> - 2.10.2-2
+- Type:CVE
+- CVE:CVE-2020-15999
+- SUG:NA
+- DESC:fix CVE-2020-15999
+
 * Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.10.2-1
 - Type:enhancement
 - Id:NA