diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
--- freetype-2.1.7.orig/include/freetype/fterrdef.h 2006-05-28 11:51:12.000000000 +0200
+++ freetype-2.1.7/include/freetype/fterrdef.h 2006-05-28 12:15:30.000000000 +0200
@@ -52,6 +52,8 @@
"broken table" )
FT_ERRORDEF_( Invalid_Offset, 0x09, \
"broken offset within table" )
+ FT_ERRORDEF_( Array_Too_Large, 0x0A, \
+ "array allocation size too large" )
/* glyph/character errors */
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftmac.c freetype-2.1.7/src/base/ftmac.c
--- freetype-2.1.7.orig/src/base/ftmac.c 2003-06-07 07:13:21.000000000 +0200
+++ freetype-2.1.7/src/base/ftmac.c 2006-05-28 12:15:31.000000000 +0200
@@ -359,6 +359,7 @@
short res_ref, res_id;
unsigned char *buffer, *p, *size_p = NULL;
FT_ULong total_size = 0;
+ FT_ULong old_total_size = 0;
FT_ULong post_size, pfb_chunk_size;
Handle post_data;
char code, last_code;
@@ -392,6 +393,15 @@
total_size += GetHandleSize( post_data ) - 2;
last_code = code;
+
+ /* detect integer overflows */
+ if ( total_size < old_total_size )
+ {
+ error = FT_Err_Array_Too_Large;
+ goto Error;
+ }
+
+ old_total_size = total_size;
}
if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftstream.c freetype-2.1.7/src/base/ftstream.c
--- freetype-2.1.7.orig/src/base/ftstream.c 2002-03-30 14:16:35.000000000 +0100
+++ freetype-2.1.7/src/base/ftstream.c 2006-05-28 15:15:25.000000000 +0200
@@ -187,7 +187,12 @@
FT_Memory memory = stream->memory;
+#ifdef FT_DEBUG_MEMORY
+ ft_mem_free( memory, *pbytes );
+ *pbytes = NULL;
+#else
FT_FREE( *pbytes );
+#endif
}
*pbytes = 0;
}
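Review bot: The wrap check in the second ftmac.c hunk catches an unsigned wrap of `total_size` but not the signed overflow that follows it, because the accumulated count is then cast in `FT_ALLOC( buffer, (FT_Long)total_size )`; a total between `LONG_MAX` and `ULONG_MAX` passes the new test and reaches the allocator as a negative length. Extend the condition to `if ( total_size < old_total_size || total_size > (FT_ULong)LONG_MAX )`, which needs `<limits.h>` the way the ftrend1.c and winfnt.c hunks add it. Note also that `GetHandleSize( post_data ) - 2` goes negative for a resource shorter than two bytes and would now be reported as `FT_Err_Array_Too_Large` rather than as a malformed resource; a `GetHandleSize( post_data ) < 2` test before the subtraction would give the accurate error. The enclosing function begins before the first ftmac.c hunk and ends after the second, so whether the `Error:` label releases the resource handles on this new exit path cannot be checked from here.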
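Review bot: The reason for bypassing `FT_FREE` under `FT_DEBUG_MEMORY` is not stated anywhere in the ftstream.c hunk, and the same unexplained fork is repeated in the second ftstream.c hunk for `stream->base`; a maintainer reading this later cannot tell whether the direct `ft_mem_free` call is required or only a workaround for the debug tracker. Add a comment above the `#ifdef`, e.g. `/* FT_DEBUG_MEMORY: free directly rather than through FT_FREE -- <state why the debug tracker must be skipped here> */`. The `*pbytes = NULL;` inside the `#ifdef` branch is also redundant with the unconditional `*pbytes = 0;` two lines below, so either drop it or at least use one spelling (`NULL` or `0`) for both. The enclosing function starts before the hunk.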
@@ -273,7 +278,12 @@
FT_Memory memory = stream->memory;
+#ifdef FT_DEBUG_MEMORY
+ ft_mem_free( memory, stream->base );
+ stream->base = NULL;
+#else
FT_FREE( stream->base );
+#endif
}
stream->cursor = 0;
stream->limit = 0;
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/raster/ftrend1.c freetype-2.1.7/src/raster/ftrend1.c
--- freetype-2.1.7.orig/src/raster/ftrend1.c 2003-06-18 08:59:56.000000000 +0200
+++ freetype-2.1.7/src/raster/ftrend1.c 2006-05-28 15:50:05.000000000 +0200
@@ -21,6 +21,7 @@
#include FT_OUTLINE_H
#include "ftrend1.h"
#include "ftraster.h"
+#include
#include "rasterrs.h"
@@ -175,6 +176,9 @@
bitmap->rows = height;
bitmap->pitch = pitch;
+ if ((FT_ULong)pitch > LONG_MAX/height)
+ goto Exit;
+
if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
goto Exit;
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/sfnt/ttpost.c freetype-2.1.7/src/sfnt/ttpost.c
--- freetype-2.1.7.orig/src/sfnt/ttpost.c 2003-10-29 22:43:51.000000000 +0100
+++ freetype-2.1.7/src/sfnt/ttpost.c 2006-05-28 15:48:22.000000000 +0200
@@ -292,7 +292,7 @@
goto Exit;
}
- if ( FT_ALLOC( offset_table, num_glyphs ) ||
+ if ( FT_NEW_ARRAY( offset_table, num_glyphs ) ||
FT_STREAM_READ( offset_table, num_glyphs ) )
goto Fail;
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/winfonts/winfnt.c freetype-2.1.7/src/winfonts/winfnt.c
--- freetype-2.1.7.orig/src/winfonts/winfnt.c 2003-10-23 06:54:14.000000000 +0200
+++ freetype-2.1.7/src/winfonts/winfnt.c 2006-05-28 15:50:15.000000000 +0200
@@ -27,6 +27,8 @@
#include FT_SERVICE_WINFNT_H
#include FT_SERVICE_XFREE86_NAME_H
+#include
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -614,6 +616,9 @@
/* note: since glyphs are stored in columns and not in rows we */
/* can't use ft_glyphslot_set_bitmap */
+ if (pitch > LONG_MAX/bitmap->rows)
+ goto Exit;
+
if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
goto Exit;
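Review bot: `LONG_MAX/height` in the second ftrend1.c hunk divides by zero when `height` is 0, and the winfnt.c hunk has the same pattern as `LONG_MAX/bitmap->rows`; both divisors are computed before the hunk (from the glyph's box and from the font header respectively), so a zero from an empty or crafted glyph turns the new guard into a crash rather than a rejection. Give the early exit an error code as well, since the added `goto Exit` sets nothing while the `FT_ALLOC` failure it mirrors does set `error`; the function head is outside the hunk, so it is unclear whether `error` holds a defined value on this path. Suggested form, reusing the code this patch introduces in fterrdef.h: `if ( height != 0 && (FT_ULong)pitch > LONG_MAX / height ) { error = FT_Err_Array_Too_Large; goto Exit; }`, and for winfnt.c `if ( bitmap->rows != 0 && pitch > LONG_MAX / bitmap->rows )` with the same assignment. The added `#include` line in the preceding ftrend1.c hunk (and in the first winfnt.c hunk) shows no header name in this copy of the patch; `LONG_MAX` comes from `<limits.h>`, so check that the include survived submission.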
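Review bot: `FT_NEW_ARRAY( offset_table, num_glyphs )` in the ttpost.c hunk sizes the buffer by the element type of `offset_table`, while the `FT_STREAM_READ( offset_table, num_glyphs )` on the next line still reads exactly `num_glyphs` bytes, so the two agree only if `offset_table` points to one-byte elements; its declaration is outside the hunk, so please confirm. If it does, a comment such as `/* one byte per glyph: allocation and read length must stay in step */` records the coupling; if not, the tail of the buffer is allocated but never read. The range check on `num_glyphs` that presumably precedes the `goto Exit;` in the first context line is what actually bounds this allocation, so the macro change ties the size to the element type rather than closing a hole by itself.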