--- freetype-2.4.2/src/base/ftbitmap.c 2009-07-31 18:45:18.000000000 +0200
+++ freetype-2.4.2/src/base/ftbitmap.c 2011-10-20 17:39:09.000000000 +0200
@@ -4,7 +4,7 @@
 /* */
 /* FreeType utility functions for bitmaps (body). */
 /* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2004-2009, 2011 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -417,6 +417,10 @@
 target->pitch = source->width + pad;
+ if ( target->pitch > 0 &&
+ target->rows > FT_ULONG_MAX / target->pitch )
+ return FT_Err_Invalid_Argument;
+
 if ( target->rows * target->pitch > old_size &&
 FT_QREALLOC( target->buffer, old_size, target->rows * target->pitch ) )
--- freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:38:34.000000000 +0200
+++ freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:39:09.000000000 +0200
@@ -754,6 +754,13 @@
 if ( arg_cnt != 0 )
 goto Unexpected_OtherSubr;
+ if ( decoder->flex_state == 0 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " missing flex start\n" ));
+ goto Syntax_Error;
+ }
+
 /* note that we should not add a point for index 0; */
 /* this will move our current position to the flex */
 /* point without adding any point to the outline */
--- freetype-2.4.2/src/raster/ftrend1.c 2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.4.2/src/raster/ftrend1.c 2011-10-20 17:39:32.000000000 +0200
@@ -4,7 +4,7 @@
 /* */
 /* The FreeType glyph rasterizer interface (body). */
 /* */
-/* Copyright 1996-2001, 2002, 2003, 2005, 2006 by */
+/* Copyright 1996-2003, 2005, 2006, 2011 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -25,6 +25,7 @@
 #include "rasterrs.h"
+#define FT_USHORT_MAX USHRT_MAX
 /* initialize renderer -- init its raster */
 static FT_Error
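Review bot: In src/base/ftbitmap.c the new guard bounds the product by `FT_ULONG_MAX`, but `target->rows * target->pitch` in the following `if` and in the `FT_QREALLOC` call is computed in the operands' own type. If `rows` and `pitch` are plain `int` (their declarations are outside the hunk), the multiplication can still overflow long before the unsigned long limit, and with a 64-bit `unsigned long` the test can never fire. Bounding by the operand type closes that gap, e.g. `target->rows > FT_INT_MAX / target->pitch`. The enclosing function starts and ends outside the hunk.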
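Review bot: The new `decoder->flex_state == 0` test in src/psaux/t1decode.c carries no comment saying which invariant it enforces; the error string is the only hint. A line above it such as `/* a flex vector is only valid after a flex start */` would make the rule explicit for the next reader. The enclosing handler begins outside the hunk, so whether the neighbouring flex operations apply the same state check cannot be seen here and is worth confirming.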
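Review bot: The `#define FT_USHORT_MAX USHRT_MAX` added to src/raster/ftrend1.c is unconditional, so it will clash if a FreeType header ever supplies the same name with a different definition. It also relies on `USHRT_MAX` being reachable through the existing includes, which the hunk does not show. Guarding it as `#ifndef FT_USHORT_MAX` / `#define FT_USHORT_MAX USHRT_MAX` / `#endif` keeps the patch safe to carry across library updates.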
@@ -168,6 +169,13 @@
 width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
 height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+ if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+ {
+ error = Raster_Err_Invalid_Argument;
+ goto Exit;
+ }
+
 bitmap = &slot->bitmap;
 memory = render->root.memory;
--- freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:38:34.000000000 +0200
+++ freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:39:09.000000000 +0200
@@ -4,7 +4,7 @@
 /* */
 /* TrueType GX Font Variation loader */
 /* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 2004-2011 by */
 /* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -1474,6 +1474,9 @@
 {
 for ( j = 0; j < point_count; ++j )
 {
+ if ( localpoints[j] >= n_points )
+ continue;
+
 delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
 delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
 }
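Review bot: The range test in src/raster/ftrend1.c runs on `width` and `height` after the `(FT_UInt)` cast, so it sees the narrowed value rather than the real extent. If the cbox fields are wider than `FT_UInt` (their type is not visible here), an oversized extent whose low bits are small would pass, and a negative extent is rejected only because of how it wraps. Comparing `( cbox.xMax - cbox.xMin ) >> 6` and its y counterpart against `FT_USHORT_MAX` before narrowing would make the check independent of the cast. A short comment stating why 16 bits is the limit would also help; the function body continues outside the hunk.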
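Review bot: The bounds check in src/truetype/ttgxvar.c drops out-of-range entries of `localpoints` without any trace, and `localpoints[j]` is still read three times per iteration. Reading it once into a local of the array's element type (for example `idx = localpoints[j];`) makes it plain that the value checked is the value used as the index. A comment such as `/* ignore point numbers beyond the glyph's points */` would document why `continue` is the chosen handling. Only this loop is visible, so whether `deltas_x` and `deltas_y` hold `point_count` entries, and whether the other branch of the enclosing block is bounded, cannot be judged from the hunk.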