Commit 1b057040d87c22af6563e954e6e12acb1147d69c

suzuki toshiya 2014-11-27T17:53:20

Prevent too negative values (< FT_INT_MIN) in bitmap metrics, suggested by Alexei. * src/pfr/pfrsbit.c (pfr_slot_load_bitmap): Prevent too negative values in `xpos' and `ypos + ysize'. * src/smooth/ftsmooth.c (ft_smooth_render_generic): Prevent too negative values in `x_left' and `y_top'. Negative values in `width' and `height' are also checked.

diff --git a/ChangeLog b/ChangeLog
index be5acae..bcb7f38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-11-27  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Prevent too negative values (< FT_INT_MIN) in bitmap metrics,
+	suggested by Alexei.
+
+	* src/pfr/pfrsbit.c (pfr_slot_load_bitmap): Prevent too
+	negative values in `xpos' and `ypos + ysize'.
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Prevent
+	too negative values in `x_left' and `y_top'.  Either negative
+	values in `width' and `height' are checked.
+
 2014-11-27  Werner Lemberg  <wl@gnu.org>
 
 	[docmaker] Produce better HTML code.
diff --git a/src/pfr/pfrsbit.c b/src/pfr/pfrsbit.c
index eb7507f..cc4a9c9 100644
--- a/src/pfr/pfrsbit.c
+++ b/src/pfr/pfrsbit.c
@@ -636,7 +636,8 @@
        *      which causes a size truncation, because truncated
        *      size properties makes bitmap glyph broken.
        */
-      if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX )
+      if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX ||
+           xpos < FT_INT_MIN || ( ypos + ysize ) < FT_INT_MIN )
       {
         FT_TRACE1(( "pfr_slot_load_bitmap:" ));
         FT_TRACE1(( "huge bitmap glyph %dx%d over FT_GlyphSlot\n",
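Review bot: The sum `( ypos + ysize )` in the extended condition is formed before either operand has been bounded, so both range tests may run on a value that has already wrapped. The declarations of `ypos` and `ysize` are outside this hunk: if both are signed the addition itself can overflow, which is undefined behaviour, and if `ysize` is unsigned the usual arithmetic conversions can make the sum unsigned on platforms where `long` is no wider than `int`, so the comparison with the negative `FT_INT_MIN` would be carried out in unsigned arithmetic. These metrics presumably come from the font data, so I would bound the operands before combining them, assuming `ysize` is a non-negative size: `ysize > FT_INT_MAX || ypos > FT_INT_MAX - (FT_Long)ysize || ypos + (FT_Long)ysize < FT_INT_MIN`. The body of pfr_slot_load_bitmap starts and ends outside the hunk.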
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index 98e117c..de2e01d 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -205,7 +205,8 @@
      * XXX: on 16bit system, we return an error for huge bitmap
      * to prevent an overflow.
      */
-    if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX )
+    if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX ||
+         x_left < FT_INT_MIN || y_top < FT_INT_MIN )
     {
       error = FT_THROW( Invalid_Pixel_Size );
       goto Exit;
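Review bot: The comment above this test still describes only the "huge bitmap" case, while the condition now also rejects `x_left` and `y_top` below `FT_INT_MIN`. I would reword it so the next reader does not take the lower bound for dead code, for example `* XXX: on 16bit system, we return an error for offsets outside the FT_Int range (too large or too negative) to prevent an overflow.` The comment's opening line and the enclosing function are outside the hunk.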
@@ -213,7 +214,8 @@
 
     /* Required check is (pitch * height < FT_ULONG_MAX),        */
     /* but we care realistic cases only.  Always pitch <= width. */
-    if ( width > 0x7FFF || height > 0x7FFF )
+    if ( width  < 0 || width  > 0x7FFF ||
+         height < 0 || height > 0x7FFF )
     {
       FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
                  width, height ));
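Review bot: With `width < 0` and `height < 0` now routed into this branch, the `FT_ERROR` call below still prints both values with `%u` and reports the glyph as "too large". The declarations are outside the hunk, but if `width` and `height` are signed and wider than `int`, passing them for `%u` is a format/argument mismatch, and a negative value would show up as a huge unsigned number, which hides the real cause when triaging a malformed font. Consider `"ft_smooth_render_generic: invalid glyph size: %ld x %ld\n", (long)width, (long)height` so the log shows the sign that triggered the rejection.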