Fix CVE-2020-15999 Heap overflow in the freetype library.

patch/patch.cfg

@@ -517,5 +517,11 @@ patches = [
     # https://crrev.com/6fc3c027c3
     # https://bitbucket.org/chromiumembedded/cef/issues/2980
     'name': 'win_screen_2980',
+  },
+  {
+    # Fix CVE-2020-15999 Heap overflow in the freetype library.
+    # https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/refs/heads/chromium/branch-heads/4240%5E%21/
+    'name': 'freetype_1139963',
+    'path': 'third_party/freetype/src',
   }
 ]

patch/patches/freetype_1139963.patch

@@ -0,0 +1,32 @@
+diff --git src/sfnt/pngshim.c src/sfnt/pngshim.c
+index 2e64e5846..3cfedd8f5 100644
+--- src/sfnt/pngshim.c
++++ src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgWidth > 0x7FFF || imgHeight > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */