Fix Savannah bug #31310. r=stuart a=blocking-fennec
authorWerner Lemberg <wl@gnu.org>
Thu, 18 Nov 2010 16:36:23 -0500
changeset 57867 003e0d6ec5a943d71dc8dd670a0654a504dcb5df
parent 57866 bef94549e955b80e8a1dd8fa99722af89f867678
child 57868 a2e5d3cbf6cf275e72b9d804485c769fc90dd5c4
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersstuart, blocking-fennec
bugs31310
milestone2.0b8pre
Fix Savannah bug #31310. r=stuart a=blocking-fennec From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001 Date: Tue, 12 Oct 2010 05:49:17 +0000 * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against invalid `runcnt' values. ---
modules/freetype2/ChangeLog
modules/freetype2/src/truetype/ttgxvar.c
--- a/modules/freetype2/ChangeLog
+++ b/modules/freetype2/ChangeLog
@@ -1,8 +1,15 @@
+2010-10-12  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #31310.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
+	invalid `runcnt' values.
+
 2010-10-06  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Improve error handling of `SHZ' bytecode instruction.
 	Problem reported by Chris Evans <scarybeasts@gmail.com>.
 
 	* src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
 
 2010-10-03  Werner Lemberg  <wl@gnu.org>
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@@ -125,17 +125,17 @@
   {
     FT_UShort *points;
     FT_Int     n;
     FT_Int     runcnt;
     FT_Int     i;
     FT_Int     j;
     FT_Int     first;
     FT_Memory  memory = stream->memory;
-    FT_Error   error = TT_Err_Ok;
+    FT_Error   error  = TT_Err_Ok;
 
     FT_UNUSED( error );
 
 
     *point_cnt = n = FT_GET_BYTE();
     if ( n == 0 )
       return ALL_POINTS;
 
@@ -149,28 +149,28 @@
     while ( i < n )
     {
       runcnt = FT_GET_BYTE();
       if ( runcnt & GX_PT_POINTS_ARE_WORDS )
       {
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
       }
       else
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
       }
     }
 
   Exit:
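Review bot: The new bound `i + runcnt >= n`, added in both the word-delta and byte-delta branches, looks one too strict. After `points[i++]` stores the first point, the loop writes indices `i` through `i + runcnt - 1`, so a run with `i + runcnt == n` still fits, assuming `points` holds `n` entries (the allocation is outside this hunk). As written, a well-formed list whose final run fills the array exactly takes `goto Exit` with that run unread; `if ( runcnt < 1 || i + runcnt > n )` keeps the overflow guard without rejecting it. Separately, `error` is still `TT_Err_Ok` and marked `FT_UNUSED` when the check fires, so unless the code after `Exit:` (not shown) reports failure, callers get a partly filled array with `*point_cnt` still equal to `n`. Setting an error there, or at least adding a comment such as `/* malformed run: remaining points are left unset */`, would make that outcome explicit.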