* src/truetype/ttinterp.c (Ins_IUP): Check number of points. Fix from Savannah bug #22356.
diff --git a/ChangeLog b/ChangeLog
index 7cc2072..669feb9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-02-18 Victor Stinner <victor.stinner@haypocalc.com>
+
+ * src/truetype/ttinterp.c (Ins_IUP): Check number of points. Fix
+ from Savannah bug #22356.
+
2008-02-17 Jonathan Blow <jon@number-none.com>
* src/autofit/afloader.c (af_loader_load_g, af_loader_load_glyph):
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 85c8529..84b65c7 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4,7 +4,7 @@
/* */
/* TrueType bytecode interpreter (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -6434,6 +6434,9 @@
end_point = CUR.pts.contours[contour] - CUR.pts.first_point;
first_point = point;
+ if ( CUR.pts.n_points <= end_point )
+ end_point = CUR.pts.n_points;
+
while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )
point++;
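Review bot: The added clamp sets `end_point` to `CUR.pts.n_points`, which is one past the last valid index, so the following `while ( point <= end_point && ... )` can still evaluate `CUR.pts.tags[point]` with `point == n_points`. For a font whose contour end index is out of range, that leaves a one-element out-of-bounds read. Clamping to the last valid point would close it: `end_point = CUR.pts.n_points - 1;`. The declarations of `end_point` and `n_points` and the rest of Ins_IUP are outside this hunk, so how a zone with zero points and the signedness of the subtraction on the first line behave should be confirmed when making the change.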