diff -u freetype-2.6.1/debian/changelog freetype-2.6.1/debian/changelog
--- freetype-2.6.1/debian/changelog
+++ freetype-2.6.1/debian/changelog
@@ -1,3 +1,14 @@
+freetype (2.6.1-0.1ubuntu2.5) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: heap buffer overflow via integer truncation in
+ Load_SBit_Png
+ - debian/patches-freetype/CVE-2020-15999.patch: Update
+ src/sfnt/pngshim.c to test and reject invalid bitmap size earlier in
+ Load_SBit_Png. Based on upstream patch.
+ - CVE-2020-15999
+
+ -- Alex Murray Tue, 20 Oct 2020 12:53:06 +1030
+
 freetype (2.6.1-0.1ubuntu2.4) xenial-security; urgency=medium
 
 * SECURITY UPDATE: heap-based buffer over-read
diff -u freetype-2.6.1/debian/patches-freetype/series freetype-2.6.1/debian/patches-freetype/series
--- freetype-2.6.1/debian/patches-freetype/series
+++ freetype-2.6.1/debian/patches-freetype/series
@@ -12,0 +13 @@
+CVE-2020-15999.patch
only in patch2:
unchanged:
--- freetype-2.6.1.orig/debian/patches-freetype/CVE-2020-15999.patch
+++ freetype-2.6.1/debian/patches-freetype/CVE-2020-15999.patch
@@ -0,0 +1,42 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog | 8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -260,6 +260,12 @@
+ {
+ FT_ULong size;
+
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
+
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+@@ -270,13 +276,6 @@
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+-
+ /* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */
+ size = map->rows * (FT_ULong)map->pitch;
+
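Review bot: The size test relocated by the first pngshim.c hunk keeps its old comment, `/* reject too large bitmaps similarly to the rasterizer */`, which does not record why it must now sit above the `(FT_UShort)imgWidth` and `(FT_UShort)imgHeight` casts. That ordering is the fix: the removed test read `map->rows` and `map->width`, which are presumably filled from the already narrowed metrics, so a PNG with larger real dimensions could pass it. I would extend the comment to something like `/* test the untruncated PNG dimensions; must stay before the FT_UShort casts below */` so a later refactor does not move the test back. The unchanged `/* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */` now also depends on this earlier test, and the enclosing block opens before the hunk and continues past it. Separately, the embedded patch header's diffstat still lists ChangeLog, which this backport does not carry.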