Attachment #185509 for bug #263032

Lines 63-68 Link Here

(-)freetype-2.3.8.orig/include/freetype/config/ftstdlib.h (+1 lines)
63	#define FT_INT_MAX INT_MAX	63	#define FT_INT_MAX INT_MAX
64	#define FT_UINT_MAX UINT_MAX	64	#define FT_UINT_MAX UINT_MAX
65	#define FT_ULONG_MAX ULONG_MAX	65	#define FT_ULONG_MAX ULONG_MAX
		66	#define FT_USHRT_MAX USHRT_MAX
66		67
67		68
68	/**********************************************************************/	69	/**********************************************************************/

Lines 744-749 Link Here

(-)freetype-2.3.8.orig/src/cff/cffload.c (+4 lines)
744	for ( i = 0; i < num_glyphs; i++ )	744	for ( i = 0; i < num_glyphs; i++ )
745	if ( charset->sids[i] > max_cid )	745	if ( charset->sids[i] > max_cid )
746	max_cid = charset->sids[i];	746	max_cid = charset->sids[i];
		747
		748	if ( max_cid == FT_USHRT_MAX )
		749	goto Exit;
		750
747	max_cid++;	751	max_cid++;
748		752
749	if ( FT_NEW_ARRAY( charset->cids, max_cid ) )	753	if ( FT_NEW_ARRAY( charset->cids, max_cid ) )

Lines 332-337 Link Here

(-)freetype-2.3.8.orig/src/lzw/ftzopen.c (+3 lines)
332		332
333	while ( code >= 256U )	333	while ( code >= 256U )
334	{	334	{
		335	if ( !state->suffix \|\| !state->prefix )
		336	goto Eof;
		337
335	FTLZW_STACK_PUSH( state->suffix[code - 256] );	338	FTLZW_STACK_PUSH( state->suffix[code - 256] );
336	code = state->prefix[code - 256];	339	code = state->prefix[code - 256];
337	}	340	}




      FT_INVALID_TOO_SHORT;

    length = TT_NEXT_ULONG( p );
    if ( length > valid->limit - table || table + length > valid->limit || length < 8208 )
      FT_INVALID_TOO_SHORT;

    is32       = table + 12;

    p      = table + 16;
    count  = TT_NEXT_ULONG( p );

    if ( length > valid->limit - table || table + length > valid->limit || length < 20 + count * 2 )
      FT_INVALID_TOO_SHORT;

    /* check glyph indices */

    p          = table + 12;
    num_groups = TT_NEXT_ULONG( p );

    if ( length > valid->limit - table || table + length > valid->limit || length < 16 + 12 * num_groups )
      FT_INVALID_TOO_SHORT;

    /* check groups, they must be in increasing order */

    FT_ULong  num_selectors = TT_NEXT_ULONG( p );


    if ( length > valid->limit - table || table + length > valid->limit || length < 10 + 11 * num_selectors )
      FT_INVALID_TOO_SHORT;

    /* check selectors, they must be in increasing order */

Lines 203-208 Link Here

(-)freetype-2.3.8.orig/src/smooth/ftsmooth.c (+3 lines)
203	/* translate outline to render it into the bitmap */	203	/* translate outline to render it into the bitmap */
204	FT_Outline_Translate( outline, -x_shift, -y_shift );	204	FT_Outline_Translate( outline, -x_shift, -y_shift );
205		205
		206	if ( height && pitch > FT_ULONG_MAX / height )
		207	goto Exit;
		208
206	if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )	209	if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
207	goto Exit;	210	goto Exit;
208		211

Return to bug 263032

Lines 1591-1597 Link Here

(-)freetype-2.3.8.orig/src/sfnt/ttcmap.c (-4 / +4 lines)
1591	FT_INVALID_TOO_SHORT;	1591	FT_INVALID_TOO_SHORT;
1592		1592
1593	length = TT_NEXT_ULONG( p );	1593	length = TT_NEXT_ULONG( p );
1594	if ( table + length > valid->limit \|\| length < 8208 )	1594	if ( length > valid->limit - table \|\| table + length > valid->limit \|\| length < 8208 )
1595	FT_INVALID_TOO_SHORT;	1595	FT_INVALID_TOO_SHORT;
1596		1596
1597	is32 = table + 12;	1597	is32 = table + 12;
Lines 1819-1825 Link Here
1819	p = table + 16;	1819	p = table + 16;
1820	count = TT_NEXT_ULONG( p );	1820	count = TT_NEXT_ULONG( p );
1821		1821
1822	if ( table + length > valid->limit \|\| length < 20 + count * 2 )	1822	if ( length > valid->limit - table \|\| table + length > valid->limit \|\| length < 20 + count * 2 )
1823	FT_INVALID_TOO_SHORT;	1823	FT_INVALID_TOO_SHORT;
1824		1824
1825	/* check glyph indices */	1825	/* check glyph indices */
Lines 2004-2010 Link Here
2004	p = table + 12;	2004	p = table + 12;
2005	num_groups = TT_NEXT_ULONG( p );	2005	num_groups = TT_NEXT_ULONG( p );
2006		2006
2007	if ( table + length > valid->limit \|\| length < 16 + 12 * num_groups )	2007	if ( length > valid->limit - table \|\| table + length > valid->limit \|\| length < 16 + 12 * num_groups )
2008	FT_INVALID_TOO_SHORT;	2008	FT_INVALID_TOO_SHORT;
2009		2009
2010	/* check groups, they must be in increasing order */	2010	/* check groups, they must be in increasing order */
Lines 2385-2391 Link Here
2385	FT_ULong num_selectors = TT_NEXT_ULONG( p );	2385	FT_ULong num_selectors = TT_NEXT_ULONG( p );
2386		2386
2387		2387
2388	if ( table + length > valid->limit \|\| length < 10 + 11 * num_selectors )	2388	if ( length > valid->limit - table \|\| table + length > valid->limit \|\| length < 10 + 11 * num_selectors )
2389	FT_INVALID_TOO_SHORT;	2389	FT_INVALID_TOO_SHORT;
2390		2390
2391	/* check selectors, they must be in increasing order */	2391	/* check selectors, they must be in increasing order */