forked from pool/freetype2
40 lines
1.1 KiB
Diff
40 lines
1.1 KiB
Diff
|
From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
|
||
|
|
From: Werner Lemberg <wl@gnu.org>
|
||
|
|
Date: Fri, 20 Mar 2009 07:21:37 +0000
|
||
|
|
Subject: Protect against too large glyphs.
|
||
|
|
|
||
|
|
Problem reported by Tavis Ormandy <taviso@google.com>.
|
||
|
|
|
||
|
|
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
|
||
|
|
`width' or `pitch' to be larger than 0xFFFF.
|
||
|
|
---
|
||
|
|
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
|
||
|
|
index a6db504..cacc490 100644
|
||
|
|
--- a/src/smooth/ftsmooth.c
|
||
|
|
+++ b/src/smooth/ftsmooth.c
|
||
|
|
@@ -153,7 +153,7 @@
|
||
|
|
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
|
||
|
|
}
|
||
|
|
|
||
|
|
- /* allocate new one, depends on pixel format */
|
||
|
|
+ /* allocate new one */
|
||
|
|
pitch = width;
|
||
|
|
if ( hmul )
|
||
|
|
{
|
||
|
|
@@ -194,6 +194,13 @@
|
||
|
|
|
||
|
|
#endif
|
||
|
|
|
||
|
|
+ if ( pitch > 0xFFFF || height > 0xFFFF )
|
||
|
|
+ {
|
||
|
|
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
|
||
|
|
+ width, height ));
|
||
|
|
+ return Smooth_Err_Raster_Overflow;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
|
||
|
|
bitmap->num_grays = 256;
|
||
|
|
bitmap->width = width;
|
||
|
|
--
|
||
|
|
cgit v0.8.2
|