http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9c98fbf634a83c6ea286395f0e788956eafd5aeb
diff -Naurp freetype-2.3.12/include/freetype/config/ftstdlib.h freetype-2.3.12.oden/include/freetype/config/ftstdlib.h
--- freetype-2.3.12/include/freetype/config/ftstdlib.h 2009-07-31 16:45:18.000000000 +0000
+++ freetype-2.3.12.oden/include/freetype/config/ftstdlib.h 2011-10-20 14:33:15.000000000 +0000
@@ -59,11 +59,12 @@
#include <limits.h>
-#define FT_CHAR_BIT CHAR_BIT
-#define FT_INT_MAX INT_MAX
-#define FT_INT_MIN INT_MIN
-#define FT_UINT_MAX UINT_MAX
-#define FT_ULONG_MAX ULONG_MAX
+#define FT_CHAR_BIT CHAR_BIT
+#define FT_USHORT_MAX USHRT_MAX
+#define FT_INT_MAX INT_MAX
+#define FT_INT_MIN INT_MIN
+#define FT_UINT_MAX UINT_MAX
+#define FT_ULONG_MAX ULONG_MAX
/**********************************************************************/
diff -Naurp freetype-2.3.12/src/base/ftbitmap.c freetype-2.3.12.oden/src/base/ftbitmap.c
--- freetype-2.3.12/src/base/ftbitmap.c 2009-07-31 16:45:18.000000000 +0000
+++ freetype-2.3.12.oden/src/base/ftbitmap.c 2011-10-20 14:33:15.000000000 +0000
@@ -417,6 +417,10 @@
target->pitch = source->width + pad;
+ if ( target->pitch > 0 &&
+ target->rows > FT_ULONG_MAX / target->pitch )
+ return FT_Err_Invalid_Argument;
+
if ( target->rows * target->pitch > old_size && FT_QREALLOC( target->buffer, old_size, target->rows * target->pitch ) )
diff -Naurp freetype-2.3.12/src/psaux/t1decode.c freetype-2.3.12.oden/src/psaux/t1decode.c
--- freetype-2.3.12/src/psaux/t1decode.c 2011-10-20 14:33:42.000000000 +0000
+++ freetype-2.3.12.oden/src/psaux/t1decode.c 2011-10-20 14:33:15.000000000 +0000
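Review bot: The overflow guard added in the `ftbitmap.c` hunk bounds `target->rows` by `FT_ULONG_MAX / target->pitch`, but the product it is meant to protect, `target->rows * target->pitch`, is still evaluated in the operands' own type in the unchanged condition that follows. If `rows` and `pitch` are plain `int` (their declarations are not visible in this hunk), that multiplication can overflow `int`, which is undefined behaviour, long before the unsigned-long bound is reached, so the reallocation size could still be wrong. Bounding by the product's real type, for example `target->rows > FT_INT_MAX / target->pitch`, or computing the size in `FT_ULong` in both the guard and the `FT_QREALLOC` argument, would close the gap. The guard is also skipped when `target->pitch` is not positive, and the enclosing function starts and ends outside the hunk, so that case and the direct `return` cannot be checked from here.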
@@ -754,6 +754,13 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
+ if ( decoder->flex_state == 0 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " missing flex start\n" ));
+ goto Syntax_Error;
+ }
+
/* note that we should not add a point for index 0; */
/* this will move our current position to the flex */
/* point without adding any point to the outline */
diff -Naurp freetype-2.3.12/src/raster/ftrend1.c freetype-2.3.12.oden/src/raster/ftrend1.c
--- freetype-2.3.12/src/raster/ftrend1.c 2009-07-03 13:28:24.000000000 +0000
+++ freetype-2.3.12.oden/src/raster/ftrend1.c 2011-10-20 14:33:15.000000000 +0000
@@ -168,6 +168,13 @@
width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+ if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+ {
+ error = Raster_Err_Invalid_Argument;
+ goto Exit;
+ }
+
bitmap = &slot->bitmap;
memory = render->root.memory;
diff -Naurp freetype-2.3.12/src/truetype/ttgxvar.c freetype-2.3.12.oden/src/truetype/ttgxvar.c
--- freetype-2.3.12/src/truetype/ttgxvar.c 2011-10-20 14:33:42.000000000 +0000
+++ freetype-2.3.12.oden/src/truetype/ttgxvar.c 2011-10-20 14:33:15.000000000 +0000
@@ -1470,6 +1470,9 @@
{
for ( j = 0; j < point_count; ++j )
{
+ if ( localpoints[j] >= n_points )
+ continue;
+
delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
}
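Review bot: The `decoder->flex_state == 0` guard added in the `t1decode.c` hunk carries no comment saying why a flex point without a preceding flex start has to be rejected, and the comment block below it only talks about index 0. I would put a line above the check such as `/* a flex point is only valid after a flex start; presumably the start is what reserves room for the points added below -- confirm */`. The enclosing function and the `Syntax_Error` label are outside the hunk, so the error path itself cannot be reviewed from here.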
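Review bot: In the `ftrend1.c` hunk the new range check runs on `width` and `height` only after the extents have been narrowed by the `(FT_UInt)` casts on the two context lines above it. If the `cbox` fields are wider than `FT_UInt` on some platform (their type is not visible here), an oversized extent could be truncated to a small value and pass the check. Comparing the shifted extents in their original type before the cast, and rejecting negative values there too, would not depend on the cast. A short comment stating why the limit is `FT_USHORT_MAX` would also help, since nothing in the hunk explains the choice.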
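Review bot: The bounds check added in the `ttgxvar.c` hunk silently skips any `localpoints[j]` that is not below `n_points`, so a font carrying bad point indices is applied partially and nothing records that it happened. A comment such as `/* ignore point indices from the font that lie outside the glyph */` together with a trace message, or an explicit decision to reject the tuple instead, would make the policy visible to the next reader. The loop sits inside a block that opens outside the hunk, so whether `delta_xy` is indexed without a check on another path should be confirmed against the full function.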