Fix Savannah bug #31310. r=stuart a=blocking-fennec
authorWerner Lemberg <wl@gnu.org>
Thu, 18 Nov 2010 16:36:23 -0500
changeset 57867 003e0d6ec5a943d71dc8dd670a0654a504dcb5df
parent 57866 bef94549e955b80e8a1dd8fa99722af89f867678
child 57868 a2e5d3cbf6cf275e72b9d804485c769fc90dd5c4
reviewersstuart, blocking-fennec
bugs31310
milestone2.0b8pre
Fix Savannah bug #31310. r=stuart a=blocking-fennec From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001 Date: Tue, 12 Oct 2010 05:49:17 +0000 * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against invalid `runcnt' values. ---
modules/freetype2/ChangeLog
modules/freetype2/src/truetype/ttgxvar.c
--- a/modules/freetype2/ChangeLog
+++ b/modules/freetype2/ChangeLog
@@ -1,8 +1,15 @@
+2010-10-12  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #31310.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
+	invalid `runcnt' values.
+
 2010-10-06  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Improve error handling of `SHZ' bytecode instruction.
 	Problem reported by Chris Evans <scarybeasts@gmail.com>.
 
 	* src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
 
 2010-10-03  Werner Lemberg  <wl@gnu.org>
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@@ -125,17 +125,17 @@
   {
     FT_UShort *points;
     FT_Int     n;
     FT_Int     runcnt;
     FT_Int     i;
     FT_Int     j;
     FT_Int     first;
     FT_Memory  memory = stream->memory;
-    FT_Error   error = TT_Err_Ok;
+    FT_Error   error  = TT_Err_Ok;
 
     FT_UNUSED( error );
 
 
     *point_cnt = n = FT_GET_BYTE();
     if ( n == 0 )
       return ALL_POINTS;
 
@@ -149,28 +149,28 @@
     while ( i < n )
     {
       runcnt = FT_GET_BYTE();
       if ( runcnt & GX_PT_POINTS_ARE_WORDS )
       {
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
       }
       else
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
       }
     }
 
   Exit:
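Review bot: The added bound `i + runcnt >= n` in both branches looks one too strict: `i` has already been advanced past `first`, so the loop writes `points[i]` through `points[i + runcnt - 1]`, and a run that ends exactly on the last slot (`i + runcnt == n`) is in bounds yet now takes `goto Exit`. `if ( runcnt < 1 || i + runcnt > n )` would still keep every write inside the array, assuming `points` is allocated with `n` entries in the lines between the two hunks. The early exit is also silent: `*point_cnt` was set to `n` before the loop, so unless the code after `Exit:` adjusts it, the caller cannot tell a truncated point list from a complete one. A short comment above each check, such as `/* i already counts first; runcnt more entries must fit */`, would make the bound easier to audit. The function body starts and ends outside this hunk.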