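--- freetype-2.4.1/src/cff/cffgload.c.orig 2010-07-15 18:26:45.000000000 +0200
+++ freetype-2.4.1/src/cff/cffgload.c 2010-08-06 16:56:07.736041000 +0200
@@ -204,7 +204,7 @@
 2, /* hsbw */
 0,
 0,
- 0,
+ 1,
 5, /* seac */
 4, /* sbw */
 2 /* setcurrentpoint */
@@ -2041,6 +2041,9 @@
 if ( Rand >= 0x8000L )
 Rand++;
 
+ if ( args - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
+
 args[0] = Rand;
 seed = FT_MulFix( seed, 0x10000L - seed );
 if ( seed == 0 )
@@ -2166,6 +2169,8 @@
 case cff_op_dup:
 FT_TRACE4(( " dup\n" ));
 
+ if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
 args[1] = args[0];
 args += 2;
 break;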
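Review bot: The two added guards express the same invariant in different forms (`args - stack >= CFF_MAX_OPERANDS` before the write to `args[0]`, `args + 1 - stack >= CFF_MAX_OPERANDS` before the write to `args[1]`), and nothing in either hunk says which slot is being protected or how `stack` is sized relative to `CFF_MAX_OPERANDS`. A one-line comment on each, such as `/* pushes one value: args[0] must still lie inside stack[] */` and `/* dup writes args[1], one slot above the current top */`, would make the bound checkable by a reader. Because the checks are added per operator and the enclosing switch starts and ends outside these hunks, any other operator that stores a result above the current top needs the same guard; that should be confirmed against the full function rather than assumed. The table entry changed from 0 to 1 in the first hunk is unlabeled, unlike its neighbours, and should get a trailing comment naming the operator whose argument count it sets.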