Protect against too large glyphs.

Problem reported by Tavis Ormandy <taviso@google.com>.

* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.

2 files changed, 17 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index d894b37a1..cb3575d5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,13 @@
 2009-03-20  Werner Lemberg  <wl@gnu.org>
+
+	Protect against too large glyphs.
+
+	Problem reported by Tavis Ormandy <taviso@google.com>.
+
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
+	`width' or `pitch' to be larger than 0xFFFF.
+
+2009-03-20  Werner Lemberg  <wl@gnu.org>
 	    Tavis Ormandy <taviso@google.com>
 
 	Fix validation for various cmap table formats.
@@ -11,8 +20,6 @@
 
 	Protect against malformed compressed data.
 
-	Problem reported by Tavis Ormandy <taviso@google.com>.
-
 	* src/lsw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is
 	zero.
 
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db5048d..cacc490e8 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
     }
 
-    /* allocate new one, depends on pixel format */
+    /* allocate new one */
     pitch = width;
     if ( hmul )
     {
@@ -194,6 +194,13 @@
 
 #endif
 
+    if ( pitch > 0xFFFF || height > 0xFFFF )
+    {
+      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+                 width, height ));
+      return Smooth_Err_Raster_Overflow;
+    }
+
     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
     bitmap->num_grays  = 256;
     bitmap->width      = width;