Mercurial > mozilla-central / changeset / 003e0d6ec5a943d71dc8dd670a0654a504dcb5df
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fix Savannah bug #31310. r=stuart a=blocking-fennec
authorWerner Lemberg <wl@gnu.org>
Thu, 18 Nov 2010 16:36:23 -0500
changeset 57867 003e0d6ec5a943d71dc8dd670a0654a504dcb5df
parent 57866 bef94549e955b80e8a1dd8fa99722af89f867678
child 57868 a2e5d3cbf6cf275e72b9d804485c769fc90dd5c4
push id17050
push userblassey@mozilla.com
push dateThu, 18 Nov 2010 21:36:41 +0000
treeherdermozilla-central@a2e5d3cbf6cf [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersstuart, blocking-fennec
bugs31310
milestone2.0b8pre
first release with
nightly linux32
6478c1b83d60 / 4.0b8pre / 20101119020015 / files
nightly linux64
6478c1b83d60 / 4.0b8pre / 20101119031437 / files
nightly mac
6478c1b83d60 / 4.0b8pre / 20101119031110 / files
nightly win32
6478c1b83d60 / 4.0b8pre / 20101119042412 / files
nightly win64
6478c1b83d60 / 4.0b8pre / 20101119054519 / files
last release without
nightly linux32
c391595f5561 / 4.0b8pre / 20101118041411 / files
nightly linux64
c391595f5561 / 4.0b8pre / 20101118050543 / files
nightly mac
7e42ccaa7269 / 4.0b8pre / 20101118100301 / files
nightly win32
7e42ccaa7269 / 4.0b8pre / 20101118112142 / files
nightly win64
c391595f5561 / 4.0b8pre / 20101118044556 / files
Fix Savannah bug #31310. r=stuart a=blocking-fennec From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001 Date: Tue, 12 Oct 2010 05:49:17 +0000 * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against invalid `runcnt' values. ---
modules/freetype2/ChangeLog file | annotate | diff | comparison | revisions
modules/freetype2/src/truetype/ttgxvar.c file | annotate | diff | comparison | revisions 
--- a/modules/freetype2/ChangeLog
+++ b/modules/freetype2/ChangeLog
@@ -1,8 +1,15 @@
+2010-10-12  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #31310.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
+	invalid `runcnt' values.
+
 2010-10-06  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Improve error handling of `SHZ' bytecode instruction.
 	Problem reported by Chris Evans <scarybeasts@gmail.com>.
 
 	* src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
 
 2010-10-03  Werner Lemberg  <wl@gnu.org>
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@@ -125,17 +125,17 @@
   {
     FT_UShort *points;
     FT_Int     n;
     FT_Int     runcnt;
     FT_Int     i;
     FT_Int     j;
     FT_Int     first;
     FT_Memory  memory = stream->memory;
-    FT_Error   error = TT_Err_Ok;
+    FT_Error   error  = TT_Err_Ok;
 
     FT_UNUSED( error );
 
 
     *point_cnt = n = FT_GET_BYTE();
     if ( n == 0 )
       return ALL_POINTS;
 
@@ -149,28 +149,28 @@
     while ( i < n )
     {
       runcnt = FT_GET_BYTE();
       if ( runcnt & GX_PT_POINTS_ARE_WORDS )
       {
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
       }
       else
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
       }
     }
 
   Exit:
mozilla-central
Deployed from 18d8b634a3eb at 2022-06-27T19:41:41Z.