diff --git a/SOURCES/freetype-2.9.1-png-bitmap-size.patch b/SOURCES/freetype-2.9.1-png-bitmap-size.patch
new file mode 100644
index 0000000..bd01ed2
--- /dev/null
+++ b/SOURCES/freetype-2.9.1-png-bitmap-size.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog          |  8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.26.2
+
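Review bot: The relocated size check in the embedded pngshim.c hunk keeps the old comment, which does not say why it must sit above the two `(FT_UShort)` casts. The removed check tested `map->rows`/`map->width` after those casts, so it appears to have run on already narrowed values. A comment such as `/* test the full-width PNG dimensions before the FT_UShort casts below (CVE-2020-15999) */` would stop a later refactor from moving it back down. The check is also only inside `if ( populate_map_and_metrics )`, and the other branch is outside the hunk. It is worth confirming in the 2.9.1 tree that that path compares `imgWidth`/`imgHeight` with the existing metrics before any buffer is sized from them.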
diff --git a/SOURCES/freetype-2.9.1-png-memory-leak.patch b/SOURCES/freetype-2.9.1-png-memory-leak.patch
new file mode 100644
index 0000000..66f962f
--- /dev/null
+++ b/SOURCES/freetype-2.9.1-png-memory-leak.patch
@@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog          | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+     png_read_end( png, info );
+ 
+   DestroyExit:
++    FT_FREE( rows );
+     png_destroy_read_struct( &png, &info, NULL );
+     FT_Stream_Close( &stream );
+ 
+-- 
+2.26.2
+
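Review bot: `FT_FREE( rows )` now runs on every path into `DestroyExit`, not only the `longjmp` path named in the description, and the declaration of `rows` is outside the hunk. The `Array_Too_Large` exit added around line 332 by freetype-2.9.1-png-bitmap-size.patch is one path that presumably jumps here before `rows` is allocated, so confirm that `rows` is initialised to `NULL` at its declaration. Because `rows` is assigned after `setjmp` and read after `longjmp`, it should also be `volatile`-qualified; without that, the C standard leaves its value indeterminate after the jump and the free may act on a stale pointer. If an earlier `FT_FREE( rows )` remains on the success path, a label comment like `/* rows is NULL here unless png_read_image() bailed out via longjmp */` would make the intent clear.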
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index 699307f..3c124bf 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -3,7 +3,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.9.1
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -28,6 +28,10 @@ Patch5:  freetype-2.9-ftsmooth.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1602501
 Patch6:  freetype-2.9.1-covscan.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch7:  freetype-2.9.1-png-bitmap-size.patch
+Patch8:  freetype-2.9.1-png-memory-leak.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
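Review bot: The comment above `Patch7`/`Patch8` gives only a Bugzilla URL; nothing in the spec says that Patch7 is the fix for CVE-2020-15999 or that the two patches depend on each other. Patch8's embedded diff is based on blob `f55016122`, which is the result of Patch7, so reordering or dropping Patch7 changes what Patch8 applies to. I would add `# CVE-2020-15999: heap buffer overflow in Load_SBit_Png (upstream #59308)` above `Patch7` and `# upstream #59322, applies on top of Patch7` above `Patch8`. The new `%changelog` entry could name the CVE as well, so that `rpm -q --changelog` answers whether a host carries the fix.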
@@ -86,6 +90,8 @@ popd
 %patch4 -p1 -b .multilib
 %patch5 -p1 -b .ftsmooth
 %patch6 -p1 -b .covscan
+%patch7 -p1 -b .png-bitmap-size
+%patch8 -p1 -b .png-memory-leak
 
 %build
 
@@ -198,6 +204,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
+* Fri Oct 30 2020 Marek Kasik <mkasik@redhat.com> - 2.9.1-4.el8_3.1
+- Test bitmap size earlier for PNGs
+- Fix memory leak in pngshim.c
+- Resolves: #1891905
+
 * Fri Dec  7 2018 Marek Kasik <mkasik@redhat.com> - 2.9.1-4
 - Use pkgconf in freetype-config.in directly (RPMDiff)
 - Related: #1651252