--- freetype-2.3.8.orig/include/freetype/config/ftstdlib.h 2009-01-12 20:46:57.000000000 +0100
+++ freetype-2.3.8.orig/include/freetype/config/ftstdlib.h 2009-03-16 17:07:23.000000000 +0100
@@ -63,6 +63,7 @@ #define FT_INT_MAX INT_MAX #define FT_UINT_MAX UINT_MAX #define FT_ULONG_MAX ULONG_MAX +#define FT_USHRT_MAX USHRT_MAX /**********************************************************************/
--- freetype-2.3.8.orig/src/cff/cffload.c 2008-07-16 07:42:25.000000000 +0200
+++ freetype-2.3.8.orig/src/cff/cffload.c 2009-03-16 17:06:55.000000000 +0100
@@ -744,6 +744,10 @@ for ( i = 0; i < num_glyphs; i++ ) if ( charset->sids[i] > max_cid ) max_cid = charset->sids[i]; + + if ( max_cid == FT_USHRT_MAX ) + goto Exit; + max_cid++; if ( FT_NEW_ARRAY( charset->cids, max_cid ) )
--- freetype-2.3.8.orig/src/lzw/ftzopen.c 2007-05-25 08:36:29.000000000 +0200
+++ freetype-2.3.8.orig/src/lzw/ftzopen.c 2009-03-16 17:09:03.000000000 +0100
@@ -332,6 +332,9 @@ while ( code >= 256U ) { + if ( !state->suffix || !state->prefix ) + goto Eof; + FTLZW_STACK_PUSH( state->suffix[code - 256] ); code = state->prefix[code - 256]; }
--- freetype-2.3.8.orig/src/sfnt/ttcmap.c 2008-10-09 09:13:36.000000000 +0200
+++ freetype-2.3.8.orig/src/sfnt/ttcmap.c 2009-03-16 17:04:10.000000000 +0100
@@ -1591,7 +1591,7 @@ FT_INVALID_TOO_SHORT; length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > valid->limit - table || table + length > valid->limit || length < 8208 )
 FT_INVALID_TOO_SHORT; is32 = table + 12;
@@ -1819,7 +1819,7 @@ p = table + 16; count = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > valid->limit - table || table + length > valid->limit || length < 20 + count * 2 )
 FT_INVALID_TOO_SHORT; /* check glyph indices */
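Review bot: In src/cff/cffload.c (hunk at -744), the new `goto Exit` is taken without assigning an error code, so the function returns whatever `error` holds at that point; if that is success, the caller receives a charset whose `cids` array was never allocated. Where `error` is last set lies outside the hunk, so this needs confirming, but an explicit value is safer: `{ error = CFF_Err_Invalid_File_Format; goto Exit; }`. The `goto Exit` added in src/smooth/ftsmooth.c (hunk at -203) has the same shape and likewise needs an explicit error value. The enclosing function starts and ends outside the hunk.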
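Review bot: In src/lzw/ftzopen.c (hunk at -332), the added test only rejects missing tables; the index `code - 256` used on the next two lines is still not compared with the number of entries the tables hold, so a stream carrying a code beyond the defined entries would read past them unless an earlier range check exists outside the hunk. Consider adding that bound next to the NULL test and recording the invariant, e.g. `/* code - 256 must index an entry already defined in prefix[]/suffix[] */`. The NULL test does not appear to depend on anything the loop body changes, so it could run once before the `while` instead of on every iteration. The function around the loop is outside the hunk.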
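Review bot: In src/sfnt/ttcmap.c (hunk at -1591), the retained clause `table + length > valid->limit` can no longer be true once `length > valid->limit - table` has evaluated as false, so it is dead code that keeps the overflow-prone pointer addition in the condition. Dropping it leaves `if ( length > valid->limit - table || length < 8208 )`, which is easier to audit. The same redundant clause is kept in the hunks at -1819, -2004 and -2385. The new first clause relies on `table` not exceeding `valid->limit`, which presumably an earlier check outside these hunks guarantees.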
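Review bot: In src/sfnt/ttcmap.c (hunk at -1819), the lower bound `length < 20 + count * 2` still multiplies a count read straight from the font, and where `FT_ULong` is 32 bits wide that product can wrap and let an oversized `count` pass into the glyph-index checks that follow. Writing the bound as a division avoids the wrap: `length < 20 || ( length - 20 ) / 2 < count`. The hunks at -2004 and -2385 have the same pattern and would become `length < 16 || ( length - 16 ) / 12 < num_groups` and `length < 10 || ( length - 10 ) / 11 < num_selectors`. Only `num_selectors` is visibly declared `FT_ULong`; the types of `count` and `num_groups` are assumed from the `TT_NEXT_ULONG` reads.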
@@ -2004,7 +2004,7 @@ p = table + 12; num_groups = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > valid->limit - table || table + length > valid->limit || length < 16 + 12 * num_groups )
 FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */
@@ -2385,7 +2385,7 @@ FT_ULong num_selectors = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > valid->limit - table || table + length > valid->limit || length < 10 + 11 * num_selectors )
 FT_INVALID_TOO_SHORT; /* check selectors, they must be in increasing order */
--- freetype-2.3.8.orig/src/smooth/ftsmooth.c 2009-01-12 20:12:35.000000000 +0100
+++ freetype-2.3.8.orig/src/smooth/ftsmooth.c 2009-03-16 17:05:43.000000000 +0100
@@ -203,6 +203,9 @@ /* translate outline to render it into the bitmap */ FT_Outline_Translate( outline, -x_shift, -y_shift ); + if ( height && pitch > FT_ULONG_MAX / height ) + goto Exit; + if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) goto Exit;
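Review bot: In src/smooth/ftsmooth.c (hunk at -203), the new overflow guard sits after `FT_Outline_Translate( outline, -x_shift, -y_shift )`, so its early exit leaves the caller's outline shifted unless the code at `Exit` undoes the translation, which is not visible here. The guard reads only `pitch` and `height`, neither of which is passed to the translate call, so `if ( height && pitch > FT_ULONG_MAX / height )` and its exit can move above the `/* translate outline ... */` comment. The existing `FT_ALLOC` failure path has the same exposure, but the new check need not add to it. The function body continues outside the hunk.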