{"id":"ASB-A-171232105","details":"In Load_SBit_Png of pngshim.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-171232105","CVE-2020-15999","GHSA-pv36-h7jh-qm62"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2021-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"}],"affected":[{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.0:0"},{"fixed":"8.0:2021-01-01"}]}],"versions":["8.0"],"ecosystem_specific":{"severity":"Moderate","spl":"2021-01-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-171232105-77115d1a","source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","target":{"function":"Load_SBit_Png","file":"src/sfnt/pngshim.c"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"194011261781284787445973321418735434814","length":3189}},{"signature_version":"v1","id":"ASB-A-171232105-8aae99a6","digest":{"threshold":0.9,"line_hashes":["208860372010935151343063066297222324914","233030270906213514960881824988592192726","215268173661816570473557084426646208708","134347666717980172232860258622704214640","149472428944486004085391017137533156713","303862154618928232714109744889947985112","339779475924866474542854574324866011491","6017163583475985116083763327437696333","176004433254996303573680865909396220616","322771888159213265172234683524941889829","309209274501869294504350979542704920374","152300273129484813905548252616649177409"]},"target":{"file":"src/sfnt/pngshim.c"},"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-171232105.json"}},{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.1:0"},{"fixed":"8.1:2021-01-01"}]}],"versions":["8.1"],"ecosystem_specific":{"spl":"2021-01-01","severity":"Moderate","vanir_signatures":[{"source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","id":"ASB-A-171232105-97259488","signature_version":"v1","target":{"function":"Load_SBit_Png","file":"src/sfnt/pngshim.c"},"signature_type":"Function","digest":{"function_hash":"194011261781284787445973321418735434814","length":3189},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["208860372010935151343063066297222324914","233030270906213514960881824988592192726","215268173661816570473557084426646208708","134347666717980172232860258622704214640","149472428944486004085391017137533156713","303862154618928232714109744889947985112","339779475924866474542854574324866011491","6017163583475985116083763327437696333","176004433254996303573680865909396220616","322771888159213265172234683524941889829","309209274501869294504350979542704920374","152300273129484813905548252616649177409"]},"id":"ASB-A-171232105-af23209d","deprecated":false,"target":{"file":"src/sfnt/pngshim.c"},"signature_type":"Line","source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","signature_version":"v1"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-171232105.json"}},{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9:0"},{"fixed":"9:2021-01-01"}]}],"versions":["9"],"ecosystem_specific":{"spl":"2021-01-01","severity":"Moderate","vanir_signatures":[{"deprecated":false,"id":"ASB-A-171232105-369de529","source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","target":{"function":"Load_SBit_Png","file":"src/sfnt/pngshim.c"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"194011261781284787445973321418735434814","length":3189}},{"signature_version":"v1","id":"ASB-A-171232105-c2d61352","digest":{"threshold":0.9,"line_hashes":["208860372010935151343063066297222324914","233030270906213514960881824988592192726","215268173661816570473557084426646208708","134347666717980172232860258622704214640","149472428944486004085391017137533156713","303862154618928232714109744889947985112","339779475924866474542854574324866011491","6017163583475985116083763327437696333","176004433254996303573680865909396220616","322771888159213265172234683524941889829","309209274501869294504350979542704920374","152300273129484813905548252616649177409"]},"target":{"file":"src/sfnt/pngshim.c"},"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-171232105.json"}},{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2021-01-01"}]}],"versions":["10"],"ecosystem_specific":{"spl":"2021-01-01","severity":"Moderate","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-171232105-b258d5f8","digest":{"function_hash":"194011261781284787445973321418735434814","length":3189},"target":{"function":"Load_SBit_Png","file":"src/sfnt/pngshim.c"},"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"},{"digest":{"threshold":0.9,"line_hashes":["208860372010935151343063066297222324914","233030270906213514960881824988592192726","215268173661816570473557084426646208708","134347666717980172232860258622704214640","149472428944486004085391017137533156713","303862154618928232714109744889947985112","339779475924866474542854574324866011491","6017163583475985116083763327437696333","176004433254996303573680865909396220616","322771888159213265172234683524941889829","309209274501869294504350979542704920374","152300273129484813905548252616649177409"]},"id":"ASB-A-171232105-be87eb65","deprecated":false,"target":{"file":"src/sfnt/pngshim.c"},"signature_type":"Line","source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","signature_version":"v1"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-171232105.json"}},{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2021-01-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2021-01-01","severity":"Moderate","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-171232105-633e02ed","digest":{"function_hash":"194011261781284787445973321418735434814","length":3189},"target":{"function":"Load_SBit_Png","file":"src/sfnt/pngshim.c"},"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"},{"digest":{"threshold":0.9,"line_hashes":["208860372010935151343063066297222324914","233030270906213514960881824988592192726","215268173661816570473557084426646208708","134347666717980172232860258622704214640","149472428944486004085391017137533156713","303862154618928232714109744889947985112","339779475924866474542854574324866011491","6017163583475985116083763327437696333","176004433254996303573680865909396220616","322771888159213265172234683524941889829","309209274501869294504350979542704920374","152300273129484813905548252616649177409"]},"id":"ASB-A-171232105-acff3cac","deprecated":false,"target":{"file":"src/sfnt/pngshim.c"},"signature_type":"Line","source":"https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004","signature_version":"v1"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/external/freetype/+/358c238408a1fdc357d9afef6811369a7701e004"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-171232105.json"}}],"schema_version":"1.7.5"}