diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
--- freetype-2.1.7.orig/include/freetype/fterrdef.h 2002-05-21 16:13:00.000000000 +0200
+++ freetype-2.1.7/include/freetype/fterrdef.h 2006-05-28 11:51:12.000000000 +0200
@@ -224,6 +224,8 @@
 "`ENCODING' field missing" )
 FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
 "`BBX' field missing" )
+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
+ "`BBX' too big" )
 /* END */
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/bdf/bdflib.c freetype-2.1.7/src/bdf/bdflib.c
--- freetype-2.1.7.orig/src/bdf/bdflib.c 2006-05-28 10:55:02.000000000 +0200
+++ freetype-2.1.7/src/bdf/bdflib.c 2006-05-28 12:04:52.000000000 +0200
@@ -1098,6 +1098,7 @@
 #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
 #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
 #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
+#define ERRMSG4 "[line %ld] BBX too big.\n"
 static FT_Error
@@ -1578,6 +1579,14 @@
 goto Exit;
 }
+ /* Check that the encoding is in the range [0,65536] because */
+ /* otherwise p->have (a bitmap with static size) overflows. */
+ if ( p->glyph_enc >= sizeof(p->have)*8 )
+ {
+ error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
 /* Check to see whether this encoding has already been encountered. */
 /* If it has then change it to unencoded so it gets added if */
 /* indicated. */
@@ -1829,6 +1838,8 @@
 /* And finally, gather up the bitmap. */
 if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
 {
+ unsigned long bitmap_size;
+
 if ( !( p->flags & _BDF_BBX ) )
 {
 /* Missing BBX field. */
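Review bot: The new range check `if ( p->glyph_enc >= sizeof(p->have)*8 )` in the @@ -1578 hunk compares against a size_t, so if glyph_enc is a signed type (its declaration is outside the hunk; BDF permits `ENCODING -1` for unencoded glyphs) a negative encoding is converted to a large unsigned value and the glyph is rejected as Invalid_File_Format instead of being handled as unencoded by the existing code that follows; casting the bound keeps the comparison signed: `if ( p->glyph_enc >= (long)( sizeof ( p->have ) * 8 ) )`. The bound is also platform-dependent if `p->have` is an array of unsigned long, so the comment's fixed `[0,65536]` would be more accurate as "the number of bits p->have can hold". Unlike the BITMAP hunk, this rejection is silent; an `FT_ERROR(( ... ))` in the style of ERRMSG4 would make rejected fonts diagnosable. The enclosing function starts and ends outside the hunk.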
@@ -1839,7 +1850,16 @@
 /* Allocate enough space for the bitmap. */
 glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+ bitmap_size = glyph->bpr * glyph->bbx.height;
+ if ( bitmap_size > 0xFFFFU )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+ error = BDF_Err_Bbx_Too_Big;
+ goto Exit;
+ }
+ else
+ glyph->bytes = (unsigned short)bitmap_size;
 if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
 goto Exit;
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/cff/cffgload.c freetype-2.1.7/src/cff/cffgload.c
--- freetype-2.1.7.orig/src/cff/cffgload.c 2003-08-06 19:27:14.000000000 +0200
+++ freetype-2.1.7/src/cff/cffgload.c 2006-05-28 11:51:12.000000000 +0200
@@ -2278,7 +2278,7 @@
 FT_LOCAL_DEF( FT_Error )
 cff_slot_load( CFF_GlyphSlot glyph,
 CFF_Size size,
- FT_Int glyph_index,
+ FT_UInt glyph_index,
 FT_Int32 load_flags )
 {
 FT_Error error;
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/cff/cffgload.h freetype-2.1.7/src/cff/cffgload.h
--- freetype-2.1.7.orig/src/cff/cffgload.h 2003-06-03 13:51:42.000000000 +0200
+++ freetype-2.1.7/src/cff/cffgload.h 2006-05-28 11:51:12.000000000 +0200
@@ -200,7 +200,7 @@ FT_BEGIN_HEADER
 FT_LOCAL( FT_Error )
 cff_slot_load( CFF_GlyphSlot glyph,
 CFF_Size size,
- FT_Int glyph_index,
+ FT_UInt glyph_index,
 FT_Int32 load_flags );
diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/sfnt/ttcmap0.c freetype-2.1.7/src/sfnt/ttcmap0.c
--- freetype-2.1.7.orig/src/sfnt/ttcmap.c 2003-06-22 17:33:53.000000000 +0200
+++ freetype-2.1.7/src/sfnt/ttcmap.c 2006-05-28 18:10:20.000000000 +0200
@@ -2144,9 +2144,7 @@
 charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
 offset = TT_NEXT_ULONG( p );
- if ( offset &&
- table + offset + 2 < limit &&
- table + offset >= table )
+ if ( offset && offset <= face->cmap_size - 2 )
 {
 FT_Byte* cmap = table + offset;
 volatile FT_UInt format = TT_PEEK_USHORT( cmap );
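Review bot: `bitmap_size = glyph->bpr * glyph->bbx.height;` multiplies in the operands' promoted type and only then widens the result, so if bpr and bbx.height are 16-bit fields (their declarations are outside the hunk) the product is computed as int and can overflow for a large BBX height, which is undefined behaviour before the `> 0xFFFFU` check runs; widen an operand first: `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The `else` after `goto Exit;` is redundant and the assignment can follow the if block directly. The same promotion question applies to the context line `glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;`, whose result is stored into bpr without a range check. The enclosing function starts and ends outside the hunk.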
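Review bot: Changing glyph_index to FT_UInt in cff_slot_load only helps if the body's check against the font's glyph count is then performed in unsigned arithmetic, and that check lies outside this hunk; the matching prototype change in the cffgload.h hunk is consistent with it. The reason for the widening is not recorded anywhere in the patch, so a comment on the parameter such as `/* unsigned: a negative index from a caller cannot slip past a signed comparison against the glyph count */` would preserve the intent for the next reader. The function body continues outside the hunk.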
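Review bot: `offset <= face->cmap_size - 2` wraps when cmap_size is smaller than 2 (if cmap_size is an unsigned type, as its use in this subtraction suggests), so a truncated cmap table makes the condition true for every non-zero offset and `TT_PEEK_USHORT( cmap )` reads past the table; guard the subtraction: `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. The new test also assumes `table` points at the first of the `cmap_size` bytes, i.e. that the removed `limit` equals `table + face->cmap_size`; that equivalence is not visible in the hunk and is worth confirming. Separately, the `diff` header names ttcmap0.c while the `---`/`+++` lines name ttcmap.c, so the patch may be applied to a different file than intended. The enclosing function starts and ends outside the hunk.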