diff --git a/SOURCES/freetype-2.8-png-bitmap-size.patch b/SOURCES/freetype-2.8-png-bitmap-size.patch
new file mode 100644
index 0000000..6a675c5
--- /dev/null
+++ b/SOURCES/freetype-2.8-png-bitmap-size.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog          |  8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x4FFF || imgWidth > 0x4FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x4FFF || map->width > 0x4FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.26.2
+
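Review bot: The comment on the relocated size check in `Load_SBit_Png` does not say why the check must sit ahead of the `(FT_UShort)imgWidth` and `(FT_UShort)imgHeight` casts, which is the substance of the fix. If the test runs after the casts, a dimension wider than 16 bits is truncated and can pass the `0x4FFF` limit, while later code presumably still works with the untruncated values. I would reword it as `/* reject too large bitmaps before the FT_UShort casts below can truncate imgWidth/imgHeight */` so a later reordering does not reintroduce CVE-2020-15999. The check sits only inside `if ( populate_map_and_metrics )`, and the other branch is outside this hunk, so confirm that it also bounds the PNG dimensions against the caller-supplied bitmap before decoding. The function body starts and ends outside the hunk.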
diff --git a/SOURCES/freetype-2.8-png-memory-leak.patch b/SOURCES/freetype-2.8-png-memory-leak.patch
new file mode 100644
index 0000000..66f962f
--- /dev/null
+++ b/SOURCES/freetype-2.8-png-memory-leak.patch
@@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog          | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+     png_read_end( png, info );
+ 
+   DestroyExit:
++    FT_FREE( rows );
+     png_destroy_read_struct( &png, &info, NULL );
+     FT_Stream_Close( &stream );
+ 
+-- 
+2.26.2
+
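Review bot: `FT_FREE( rows )` at `DestroyExit` is only safe if `rows` is null on every path that reaches the label before the array is allocated, and its declaration is outside this hunk, so please confirm it is initialised with `= NULL` where it is declared. Per the commit message the label is also reached after libpng calls `longjmp`, which makes `rows` a local modified after `setjmp`. C leaves such a non-volatile object indeterminate after the jump, so qualifying the pointer `volatile` would make the cleanup reliable under optimisation. A comment at the label such as `/* also reached after a libpng longjmp; rows may still be allocated */` would record why the free belongs here.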
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index 3a027dc..444c1a1 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.8
-Release: 14%{?dist}
+Release: 14%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -50,6 +50,10 @@ Patch11:  freetype-2.8-avar-table-load.patch
 Patch12:  freetype-2.8-bw-rendering.patch
 Patch13:  freetype-2.8-bw-hinting.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch14:  freetype-2.8-png-bitmap-size.patch
+Patch15:  freetype-2.8-png-memory-leak.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
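Review bot: The comment above `Patch14` gives only a Bugzilla URL, so the CVE id this update addresses appears nowhere in the spec; it appears only inside the patch file's commit message. Adding `# CVE-2020-15999: heap buffer overflow in Load_SBit_Png` above the URL would let anyone auditing the package map the fix to the advisory without opening the patch. The same id could be added to the new `%changelog` entry, whose bullets currently describe the change without naming the vulnerability.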
@@ -119,6 +123,8 @@ popd
 %patch11 -p1 -b .avar-table-load
 %patch12 -p1 -b .bw-rendering
 %patch13 -p1 -b .bw-hinting
+%patch14 -p1 -b .png-bitmap-size
+%patch15 -p1 -b .png-memory-leak
 
 %build
 
@@ -234,6 +240,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
+* Fri Oct 30 2020 Marek Kasik <mkasik@redhat.com> - 2.8-14.el7_9.1
+- Test bitmap size earlier for PNGs
+- Fix memory leak in pngshim.c
+- Resolves: #1891635
+
 * Mon Mar 11 2019 Marek Kasik <mkasik@redhat.com> - 2.8-14
 - Fix rendering in monochrome mode
 - Resolves: #1657479