Check parameters of `FT_Outline_New'.

Problem reported by Robin Watts <robin.watts@artifex.com>. * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that `numContours' and `numPoints' fit into FT_Outline's `n_points' and `n_contours', respectively.
author: Werner Lemberg <wl@gnu.org> 2012-12-21 16:45:27 +0100
committer: Werner Lemberg <wl@gnu.org> 2012-12-21 16:45:27 +0100
commit: 3ffb822e925bef3f61dd29796e16e322f00451fc (patch)
tree: 5ba92f7303d919e9aa2de65c3923bdc13592f945
parent: c6a66b49e64e9a21c013f23c867d238cf1aa98cb (diff)
download: freetype2-3ffb822e925bef3f61dd29796e16e322f00451fc.tar.gz
3 files changed, 18 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index b5c7d13aa..19ff20e4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-12-21  Werner Lemberg  <wl@gnu.org>
+
+	Check parameters of `FT_Outline_New'.
+	Problem reported by Robin Watts <robin.watts@artifex.com>.
+
+	* src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that
+	`numContours' and `numPoints' fit into FT_Outline's `n_points' and
+	`n_contours', respectively.
+
 2012-12-20  Werner Lemberg  <wl@gnu.org>
 
 	* Version 2.4.11 released.
diff --git a/include/freetype/ftoutln.h b/include/freetype/ftoutln.h
index e733f391e..fd69f2829 100644
--- a/include/freetype/ftoutln.h
+++ b/include/freetype/ftoutln.h
@@ -126,8 +126,10 @@ FT_BEGIN_HEADER
   /*                   destroying the library, by @FT_Done_FreeType.       */
   /*                                                                       */
   /*    numPoints   :: The maximum number of points within the outline.    */
+  /*                   Must be smaller than or equal to 0xFFFF (65535).    */
   /*                                                                       */
   /*    numContours :: The maximum number of contours within the outline.  */
+  /*                   This value must be in the range 0 to `numPoints'.   */
   /*                                                                       */
   /* <Output>                                                              */
   /*    anoutline   :: A handle to the new outline.                        */
diff --git a/src/base/ftoutln.c b/src/base/ftoutln.c
index c4fd2660a..27aba015a 100644
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@@ -304,6 +304,13 @@
 
     *anoutline = null_outline;
 
+    if ( numContours < 0                  ||
+         (FT_UInt)numContours > numPoints )
+      return FT_Err_Invalid_Argument;
+
+    if ( numPoints > FT_OUTLINE_POINTS_MAX )
+      return FT_Err_Array_Too_Large;
+
     if ( FT_NEW_ARRAY( anoutline->points,   numPoints   ) ||
          FT_NEW_ARRAY( anoutline->tags,     numPoints   ) ||
          FT_NEW_ARRAY( anoutline->contours, numContours ) )
author	Werner Lemberg <wl@gnu.org>	2012-12-21 16:45:27 +0100
committer	Werner Lemberg <wl@gnu.org>	2012-12-21 16:45:27 +0100
commit	3ffb822e925bef3f61dd29796e16e322f00451fc (patch)
tree	5ba92f7303d919e9aa2de65c3923bdc13592f945
parent	c6a66b49e64e9a21c013f23c867d238cf1aa98cb (diff)
download	freetype2-3ffb822e925bef3f61dd29796e16e322f00451fc.tar.gz