shithub: freetype+ttf2subf


ref: 79972af4f0485a11dcb19551356c45245749fc5b
parent: a18788b14db60ae3673f932249cd02d33a227c4e
author: Werner Lemberg <[email protected]>
date: Fri Mar 20 04:21:37 EDT 2009

Protect against too large glyphs.

Problem reported by Tavis Ormandy <[email protected]>.

* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,13 @@
 2009-03-20  Werner Lemberg  <[email protected]>
+
+	Protect against too large glyphs.
+
+	Problem reported by Tavis Ormandy <[email protected]>.
+
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
+	`width' or `pitch' to be larger than 0xFFFF.
+
+2009-03-20  Werner Lemberg  <[email protected]>
 	    Tavis Ormandy <[email protected]>
 
 	Fix validation for various cmap table formats.
@@ -10,8 +19,6 @@
 2009-03-20  Werner Lemberg  <[email protected]>
 
 	Protect against malformed compressed data.
-
-	Problem reported by Tavis Ormandy <[email protected]>.
 
 	* src/lsw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is
 	zero.
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
     }
 
-    /* allocate new one, depends on pixel format */
+    /* allocate new one */
     pitch = width;
     if ( hmul )
     {
@@ -193,6 +193,13 @@
     }
 
 #endif
+
+    if ( pitch > 0xFFFF || height > 0xFFFF )
+    {
+      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+                 width, height ));
+      return Smooth_Err_Raster_Overflow;
+    }
 
     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
     bitmap->num_grays  = 256;
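Review bot: The new guard tests `pitch` and `height`, but its message prints `width` and `height`, and the ChangeLog entry names `width' or `pitch'; the earlier hunk shows `pitch = width` followed by an `if ( hmul )` branch whose body is not shown, so the logged value may not be the one that tripped the check. Logging the tested values would make a rejected font easier to triage, e.g. `"ft_smooth_render_generic: glyph too large: pitch %d, height %d\n", pitch, height` (the declarations are outside the hunk, so confirm that `%d` matches their types). A why-comment above the test would also help the next reader, such as `/* keep pitch and height <= 0xFFFF so that their product fits in 32 bits */`, assuming the buffer size computed after this hunk is `pitch * height`. The function starts and ends outside the hunk, and the context above shows the bitmap ownership flag already cleared, so the direct `return` is worth checking against any other state the function changed before this point.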