freetype: patch CVE-2020-15999

We can't backport #101199 as it
would break freetype API, but this patch should fix the issue.

pkgs/development/libraries/freetype/CVE-2020-15999.patch

@@ -0,0 +1,44 @@
+commit b9f8cadcf7ade71b9486a6c2a3846306aa5c7368
+Author: Werner Lemberg <wl@gnu.org>
+Date:   Mon Oct 19 23:45:28 2020 +0200
+
+    [sfnt] Fix heap buffer overflow (#59308).
+
+    This is CVE-2020-15999.
+
+    * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+    (cherry picked from commit a3bab162b2ae616074c8877a04556932998aeacd)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index ca85d9751..15f4e1631 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -327,6 +327,13 @@
+
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+
+@@ -335,13 +342,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+
+     /* convert palette/gray image to rgb */

pkgs/development/libraries/freetype/default.nix

@@ -45,6 +45,7 @@ in stdenv.mkDerivation rec {
 
   patches =
     [ ./enable-table-validation.patch
+      ./CVE-2020-15999.patch
     ] ++
     optional useEncumberedCode ./enable-subpixel-rendering.patch;