author | Werner Lemberg <wl@gnu.org> | 2009-03-20 08:21:37 +0100 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2009-03-20 08:21:37 +0100 |
commit | 79972af4f0485a11dcb19551356c45245749fc5b (patch) | |
tree | 5e76d8ffd3da1d65759bbd184b74a74f3b86574d | |
parent | a18788b14db60ae3673f932249cd02d33a227c4e (diff) | |
download | freetype2-79972af4f0485a11dcb19551356c45245749fc5b.tar.gz |
Protect against too large glyphs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | src/smooth/ftsmooth.c | 9 |
2 files changed, 17 insertions, 3 deletions
@@ -1,4 +1,13 @@ 2009-03-20 Werner Lemberg <wl@gnu.org> + + Protect against too large glyphs. + + Problem reported by Tavis Ormandy <taviso@google.com>. + + * src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow + `width' or `pitch' to be larger than 0xFFFF. + +2009-03-20 Werner Lemberg <wl@gnu.org> Tavis Ormandy <taviso@google.com> Fix validation for various cmap table formats. @@ -11,8 +20,6 @@ Protect against malformed compressed data. - Problem reported by Tavis Ormandy <taviso@google.com>. - * src/lsw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is zero. diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c index a6db5048d..cacc490e8 100644 --- a/src/smooth/ftsmooth.c +++ b/src/smooth/ftsmooth.c @@ -153,7 +153,7 @@ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; } - /* allocate new one, depends on pixel format */ + /* allocate new one */ pitch = width; if ( hmul ) { @@ -194,6 +194,13 @@ #endif + if ( pitch > 0xFFFF || height > 0xFFFF ) + { + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", + width, height )); + return Smooth_Err_Raster_Overflow; + } + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; bitmap->num_grays = 256; bitmap->width = width; |
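Review bot: in the last hunk of src/smooth/ftsmooth.c (@@ -194,6 +194,13 @@), the new condition tests `pitch > 0xFFFF || height > 0xFFFF`, but the FT_ERROR message prints `width` and `height`, and the commit message and ChangeLog entry describe the limit as applying to `width' or `pitch'. The context of the previous hunk shows `pitch = width;` followed by an `if ( hmul )` block, which suggests pitch can differ from width, so a glyph rejected on pitch could be logged with a width that looks in range. Suggest logging the value that is actually tested (pitch), or testing width as well, and making the ChangeLog wording match the code (pitch or height). It is also worth confirming that `%d` matches the declared types of `width` and `height`, which are not visible in this hunk.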
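Review bot: the second ChangeLog hunk (@@ -11,8 +20,6 @@) removes the line `Problem reported by Tavis Ormandy <taviso@google.com>.` from the existing "Protect against malformed compressed data" entry, which is unrelated to the glyph size check and is not mentioned in the commit message. If the intent is to drop a credit that the block header already carries, a separate commit or a short mention in the log would make that clear. Since that entry is being touched anyway, note that its context line reads `src/lsw/ftzopen.c (ft_lzwstate_io)`; going by the function name, `lsw` looks like a typo for `lzw` and could be corrected in the same pass.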