SHA256
1
0
forked from pool/freetype2
freetype2/bnc628213_1797.diff

37 lines
925 B
Diff
Raw Normal View History

---
src/cff/cffgload.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: freetype-2.4.2/src/cff/cffgload.c
===================================================================
--- freetype-2.4.2.orig/src/cff/cffgload.c
+++ freetype-2.4.2/src/cff/cffgload.c
@@ -204,7 +204,7 @@
2, /* hsbw */
0,
0,
- 0,
+ 1,
5, /* seac */
4, /* sbw */
2 /* setcurrentpoint */
@@ -2041,6 +2041,9 @@
if ( Rand >= 0x8000L )
Rand++;
+ if ( args - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
+
args[0] = Rand;
seed = FT_MulFix( seed, 0x10000L - seed );
if ( seed == 0 )
@@ -2166,6 +2169,8 @@
case cff_op_dup:
FT_TRACE4(( " dup\n" ));
+ if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
args[1] = args[0];
args += 2;
break;