From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 07:21:37 +0000
Subject: Protect against too large glyphs.

Problem reported by Tavis Ormandy <taviso@google.com>.

* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.
---
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
     }
 
-    /* allocate new one, depends on pixel format */
+    /* allocate new one */
     pitch = width;
     if ( hmul )
     {
@@ -194,6 +194,13 @@
 
 #endif
 
+    if ( pitch > 0xFFFF || height > 0xFFFF )
+    {
+      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+                 width, height ));
+      return Smooth_Err_Raster_Overflow;
+    }
+
     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
     bitmap->num_grays  = 256;
     bitmap->width      = width;
--
cgit v0.8.2