ref: a205b3ca85d2d78aac71ea3c1df104972031d6ad
parent: e563216ddd81eb9478b6dace60c14ee4de9b5017
author: Werner Lemberg <[email protected]>
date: Mon Aug 9 22:59:12 EDT 2010
Try to fix Savannah bug #30717 (and probably #30719 too). * src/smooth/ftsmooth.c (ft_smooth_render_generic): Add another overflow test for `width' and `height'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-08-10 Werner Lemberg <[email protected]>
+
+ Try to fix Savannah bug #30717 (and probably #30719 too).
+
+ * src/smooth/ftsmooth.c (ft_smooth_render_generic): Add another
+ overflow test for `width' and `height'.
+
2010-08-06 Werner Lemberg <[email protected]>
* Version 2.4.2 released.
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -140,8 +140,26 @@
cbox.xMax = FT_PIX_CEIL( cbox.xMax );
cbox.yMax = FT_PIX_CEIL( cbox.yMax );
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ if ( cbox.xMin < 0 && cbox.xMax > FT_INT_MAX + cbox.xMin )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large:"
+ " xMin = %d, xMax = %d\n",
+ cbox.xMin >> 6, cbox.xMax >> 6 ));
+ return Smooth_Err_Raster_Overflow;
+ }
+ else
+ width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+
+ if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large:"
+ " yMin = %d, yMax = %d\n",
+ cbox.yMin >> 6, cbox.yMax >> 6 ));
+ return Smooth_Err_Raster_Overflow;
+ }
+ else
+ height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
bitmap = &slot->bitmap;
memory = render->root.memory;
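Review bot: The new guards only fire when `cbox.xMin < 0` (and `cbox.yMin < 0`), so an oversized span with a non-negative minimum still reaches the `(FT_UInt)` cast. Assuming the cbox fields are `FT_Pos` (signed long), on platforms where long is wider than int that cast can truncate to a small value that the later `0x7FFFU` limit would not reject. Bounding the difference in both cases would close this, e.g. `if ( cbox.xMin < 0 ? cbox.xMax > FT_INT_MAX + cbox.xMin : cbox.xMax - cbox.xMin > FT_INT_MAX )`, and likewise for y. The new FT_ERROR calls also pass `cbox.xMin >> 6` to `%d`, which would mismatch a long argument; `%ld` would be consistent with the `%u` correction made in the second hunk. ft_smooth_render_generic starts and ends outside the hunk, so whether width and height are validated again before the bitmap buffer is sized is not visible here.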
@@ -202,7 +220,7 @@
/* but we care realistic cases only. Always pitch <= width. */
if ( width > 0x7FFFU || height > 0x7FFFU )
{
- FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
return Smooth_Err_Raster_Overflow;
}