Attachment #89114 for bug #124828

Lines 52-57 Link Here

(-)freetype-2.1.7.orig/include/freetype/fterrdef.h (+2 lines)
52	"broken table" )	52	"broken table" )
53	FT_ERRORDEF_( Invalid_Offset, 0x09, \	53	FT_ERRORDEF_( Invalid_Offset, 0x09, \
54	"broken offset within table" )	54	"broken offset within table" )
		55	FT_ERRORDEF_( Array_Too_Large, 0x0A, \
		56	"array allocation size too large" )
55		57
56	/* glyph/character errors */	58	/* glyph/character errors */
57		59




    short          res_ref, res_id;
    unsigned char  *buffer, *p, *size_p = NULL;
    FT_ULong       total_size = 0;
    FT_ULong       old_total_size = 0;
    FT_ULong       post_size, pfb_chunk_size;
    Handle         post_data;
    char           code, last_code;


      total_size += GetHandleSize( post_data ) - 2;
      last_code = code;

      /* detect integer overflows */
      if ( total_size < old_total_size )
      {
        error = FT_Err_Array_Too_Large;
        goto Error;
      }

      old_total_size = total_size;
    }

    if ( FT_ALLOC( buffer, (FT_Long)total_size ) )

Lines 187-193 Link Here

(-)freetype-2.1.7.orig/src/base/ftstream.c (+10 lines)
187	FT_Memory memory = stream->memory;	187	FT_Memory memory = stream->memory;
188		188
189		189
		190	#ifdef FT_DEBUG_MEMORY
		191	ft_mem_free( memory, *pbytes );
		192	*pbytes = NULL;
		193	#else
190	FT_FREE( *pbytes );	194	FT_FREE( *pbytes );
		195	#endif
191	}	196	}
192	*pbytes = 0;	197	*pbytes = 0;
193	}	198	}
Lines 273-279 Link Here
273	FT_Memory memory = stream->memory;	278	FT_Memory memory = stream->memory;
274		279
275		280
		281	#ifdef FT_DEBUG_MEMORY
		282	ft_mem_free( memory, stream->base );
		283	stream->base = NULL;
		284	#else
276	FT_FREE( stream->base );	285	FT_FREE( stream->base );
		286	#endif
277	}	287	}
278	stream->cursor = 0;	288	stream->cursor = 0;
279	stream->limit = 0;	289	stream->limit = 0;

Lines 21-26 Link Here

(-)freetype-2.1.7.orig/src/raster/ftrend1.c (+4 lines)
21	#include FT_OUTLINE_H	21	#include FT_OUTLINE_H
22	#include "ftrend1.h"	22	#include "ftrend1.h"
23	#include "ftraster.h"	23	#include "ftraster.h"
		24	#include <limits.h>
24		25
25	#include "rasterrs.h"	26	#include "rasterrs.h"
26		27
Lines 175-180 Link Here
175	bitmap->rows = height;	176	bitmap->rows = height;
176	bitmap->pitch = pitch;	177	bitmap->pitch = pitch;
177		178
		179	if ((FT_ULong)pitch > LONG_MAX/height)
		180	goto Exit;
		181
178	if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )	182	if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
179	goto Exit;	183	goto Exit;
180		184

Lines 292-298 Link Here

(-)freetype-2.1.7.orig/src/sfnt/ttpost.c (-1 / +1 lines)
292	goto Exit;	292	goto Exit;
293	}	293	}
294		294
295	if ( FT_ALLOC( offset_table, num_glyphs ) \|\|	295	if ( FT_NEW_ARRAY( offset_table, num_glyphs ) \|\|
296	FT_STREAM_READ( offset_table, num_glyphs ) )	296	FT_STREAM_READ( offset_table, num_glyphs ) )
297	goto Fail;	297	goto Fail;
298		298

Lines 27-32 Link Here

(-)freetype-2.1.7.orig/src/winfonts/winfnt.c (+5 lines)
27	#include FT_SERVICE_WINFNT_H	27	#include FT_SERVICE_WINFNT_H
28	#include FT_SERVICE_XFREE86_NAME_H	28	#include FT_SERVICE_XFREE86_NAME_H
29		29
		30	#include <limits.h>
		31
30	/*************************************************************************/	32	/*************************************************************************/
31	/* */	33	/* */
32	/* The macro FT_COMPONENT is used in trace mode. It is an implicit */	34	/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
Lines 614-619 Link Here
614		616
615	/* note: since glyphs are stored in columns and not in rows we */	617	/* note: since glyphs are stored in columns and not in rows we */
616	/* can't use ft_glyphslot_set_bitmap */	618	/* can't use ft_glyphslot_set_bitmap */
		619	if (pitch > LONG_MAX/bitmap->rows)
		620	goto Exit;
		621
617	if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )	622	if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
618	goto Exit;	623	goto Exit;
619		624

Return to bug 124828

Lines 359-364 Link Here

(-)freetype-2.1.7.orig/src/base/ftmac.c (+10 lines)
359	short res_ref, res_id;	359	short res_ref, res_id;
360	unsigned char buffer, p, *size_p = NULL;	360	unsigned char buffer, p, *size_p = NULL;
361	FT_ULong total_size = 0;	361	FT_ULong total_size = 0;
		362	FT_ULong old_total_size = 0;
362	FT_ULong post_size, pfb_chunk_size;	363	FT_ULong post_size, pfb_chunk_size;
363	Handle post_data;	364	Handle post_data;
364	char code, last_code;	365	char code, last_code;
Lines 392-397 Link Here
392		393
393	total_size += GetHandleSize( post_data ) - 2;	394	total_size += GetHandleSize( post_data ) - 2;
394	last_code = code;	395	last_code = code;
		396
		397	/* detect integer overflows */
		398	if ( total_size < old_total_size )
		399	{
		400	error = FT_Err_Array_Too_Large;
		401	goto Error;
		402	}
		403
		404	old_total_size = total_size;
395	}	405	}
396		406
397	if ( FT_ALLOC( buffer, (FT_Long)total_size ) )	407	if ( FT_ALLOC( buffer, (FT_Long)total_size ) )