ref: 3ffb822e925bef3f61dd29796e16e322f00451fc
parent: c6a66b49e64e9a21c013f23c867d238cf1aa98cb
author: Werner Lemberg <[email protected]>
date: Fri Dec 21 11:45:27 EST 2012
Check parameters of `FT_Outline_New'. Problem reported by Robin Watts <[email protected]>. * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that `numContours' and `numPoints' fit into FT_Outline's `n_points' and `n_contours', respectively.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-12-21 Werner Lemberg <[email protected]>
+
+ Check parameters of `FT_Outline_New'.
+ Problem reported by Robin Watts <[email protected]>.
+
+ * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that
+ `numContours' and `numPoints' fit into FT_Outline's `n_points' and
+ `n_contours', respectively.
+
2012-12-20 Werner Lemberg <[email protected]>
* Version 2.4.11 released.
--- a/include/freetype/ftoutln.h
+++ b/include/freetype/ftoutln.h
@@ -126,8 +126,10 @@
/* destroying the library, by @FT_Done_FreeType. */
/* */
/* numPoints :: The maximum number of points within the outline. */
+ /* Must be smaller than or equal to 0xFFFF (65535). */
/* */
/* numContours :: The maximum number of contours within the outline. */
+ /* This value must be in the range 0 to `numPoints'. */
/* */
/* <Output> */
/* anoutline :: A handle to the new outline. */
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@@ -304,6 +304,13 @@
*anoutline = null_outline;
+ if ( numContours < 0 ||
+ (FT_UInt)numContours > numPoints )
+ return FT_Err_Invalid_Argument;
+
+ if ( numPoints > FT_OUTLINE_POINTS_MAX )
+ return FT_Err_Array_Too_Large;
+
if ( FT_NEW_ARRAY( anoutline->points, numPoints ) ||
FT_NEW_ARRAY( anoutline->tags, numPoints ) ||
FT_NEW_ARRAY( anoutline->contours, numContours ) )