Here's part of the relevant ChangeLog message from freetype 2.2.1:

2006-05-02  David Turner  <david@freetype.org>

        Update the memory management functions and macros to safely deal
        with array size buffer overflows.  This corresponds to attempts to
        allocate arrays that are too large.  For an example, consider the
        following code:

            count = read_uint32_from_file();
            array = malloc( sizeof ( Item ) * count );
            for ( nn = 0; nn < count; nn++ )
                array[nn] = read_item_from_file();

        If `count' is larger than `FT_UINT_MAX/sizeof(Item)', the
        multiplication overflows, and the array allocated is smaller than
        the data read from the file.  In this case, the heap will be
        trashed, and this can be used as a denial-of-service attack, or
        make the engine crash later.

        The FT_ARRAY_NEW and FT_ARRAY_RENEW macros now ensure that the new
        count is no larger than `FT_INT_MAX/item_size', otherwise a new
        error code `FT_Err_Array_Too_Large' will be returned.

        Note that the memory debugger now works again when FT_DEBUG_MEMORY
        is defined.

        FT_STRICT_ALIASING has disappeared; the corresponding code is now
        the default.
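As an added illustration of the overflow the ChangeLog describes and of the bound FT_ARRAY_NEW now applies (this is example code written here, not FreeType's own macros or source), the snippet below puts the unchecked size computation beside a checked allocator. The `Item` type, the error codes, the `limit` parameter and the hostile count are all constructed for the example; the size arithmetic is done in 32 bits so the wrap-around reproduces on any host.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed for this example: a small item type and error codes standing in
   for the engine's own (they are not FreeType's definitions). */
typedef struct { uint32_t glyph; uint32_t offset; } Item;

enum { ARR_OK = 0, ARR_ERR_TOO_LARGE = 1, ARR_ERR_NO_MEMORY = 2 };

/* The vulnerable pattern from the ChangeLog, with the size arithmetic done in
   32 bits so the wrap-around reproduces on any host: the product is silently
   truncated, so a huge count can yield a tiny allocation. */
static uint32_t unchecked_alloc_size32(uint32_t count, uint32_t item_size)
{
    return count * item_size;            /* unsigned wrap, no error raised */
}

/* The bound FT_ARRAY_NEW now enforces: the count may not exceed
   limit / item_size, which guarantees count * item_size <= limit and
   therefore cannot wrap.  Returns 1 if the size fits, 0 otherwise. */
static int array_size_fits(uint32_t count, size_t item_size, size_t limit)
{
    if (item_size == 0)
        return 0;                        /* nonsensical element size */
    return count <= limit / item_size;
}

/* Checked allocator: refuses oversized arrays with an explicit error instead
   of handing back an undersized buffer.  `limit` plays the role of
   FT_INT_MAX in the ChangeLog. */
static int checked_array_new(uint32_t count, size_t item_size, size_t limit,
                             void **out)
{
    *out = NULL;
    if (!array_size_fits(count, item_size, limit))
        return ARR_ERR_TOO_LARGE;
    if (count == 0)
        return ARR_OK;                   /* nothing to allocate */
    *out = malloc((size_t)count * item_size);   /* safe: product <= limit */
    return *out ? ARR_OK : ARR_ERR_NO_MEMORY;
}

int main(void)
{
    /* Constructed hostile count: 0x20000001 items of 8 bytes is 4 GiB + 8,
       which wraps to 8 bytes in 32-bit arithmetic. */
    uint32_t hostile = 0x20000001u;
    printf("unchecked size: %u bytes for %u items\n",
           unchecked_alloc_size32(hostile, 8), hostile);

    void *p = NULL;
    int rc = checked_array_new(hostile, 8, INT_MAX, &p);
    printf("checked allocation: rc=%d (%s)\n", rc,
           rc == ARR_ERR_TOO_LARGE ? "array too large" : "ok");

    rc = checked_array_new(16, sizeof(Item), INT_MAX, &p);
    printf("16 items: rc=%d, ptr %s\n", rc, p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```

The check divides rather than multiplies: comparing `count` against `limit / item_size` can never overflow, whereas testing the product after the fact is already too late. Using a signed-range limit such as INT_MAX also keeps every later `count`-based loop index and byte length representable in an `int`.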
foser was working on it, prework now public

*** This bug has been marked as a duplicate of 124828 ***