Check parameters of `FT_Outline_New'. Problem reported by Robin Watts <robin.watts@artifex.com>. * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that `numContours' and `numPoints' fit into FT_Outline's `n_points' and `n_contours', respectively.
diff --git a/ChangeLog b/ChangeLog
index b5c7d13..19ff20e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-12-21 Werner Lemberg <wl@gnu.org>
+
+ Check parameters of `FT_Outline_New'.
+ Problem reported by Robin Watts <robin.watts@artifex.com>.
+
+ * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that
+ `numContours' and `numPoints' fit into FT_Outline's `n_points' and
+ `n_contours', respectively.
+
2012-12-20 Werner Lemberg <wl@gnu.org>
* Version 2.4.11 released.
diff --git a/include/freetype/ftoutln.h b/include/freetype/ftoutln.h
index e733f39..fd69f28 100644
--- a/include/freetype/ftoutln.h
+++ b/include/freetype/ftoutln.h
@@ -126,8 +126,10 @@ FT_BEGIN_HEADER
/* destroying the library, by @FT_Done_FreeType. */
/* */
/* numPoints :: The maximum number of points within the outline. */
+ /* Must be smaller than or equal to 0xFFFF (65535). */
/* */
/* numContours :: The maximum number of contours within the outline. */
+ /* This value must be in the range 0 to `numPoints'. */
/* */
/* <Output> */
/* anoutline :: A handle to the new outline. */
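Review bot: The documented limit for `numPoints` is the literal 0xFFFF, while the check added in src/base/ftoutln.c compares against `FT_OUTLINE_POINTS_MAX`, whose definition is not part of this diff. If that macro is smaller than 65535, callers who follow this comment will pass values that the function rejects with `FT_Err_Array_Too_Large`; this would be the case if `n_points`, the field the commit message says the value must fit, is a signed 16-bit integer. Naming the macro instead of a number keeps the documentation and the check in step: `/* Must not exceed FT_OUTLINE_POINTS_MAX. */`. The comment block this hunk edits starts and ends outside the hunk.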
diff --git a/src/base/ftoutln.c b/src/base/ftoutln.c
index c4fd266..27aba01 100644
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@@ -304,6 +304,13 @@
*anoutline = null_outline;
+ if ( numContours < 0 ||
+ (FT_UInt)numContours > numPoints )
+ return FT_Err_Invalid_Argument;
+
+ if ( numPoints > FT_OUTLINE_POINTS_MAX )
+ return FT_Err_Array_Too_Large;
+
if ( FT_NEW_ARRAY( anoutline->points, numPoints ) ||
FT_NEW_ARRAY( anoutline->tags, numPoints ) ||
FT_NEW_ARRAY( anoutline->contours, numContours ) )
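Review bot: The added guards carry no comment saying why they exist, and the bound on `numContours` is only implicit. It is compared with `numPoints`, which is then capped by `FT_OUTLINE_POINTS_MAX`, so the contour count is guaranteed to fit `n_contours` only if that field is at least as wide as `n_points`. A short comment above the first `if` would record the intent, e.g. `/* reject counts that would be truncated when stored in FT_Outline's n_points / n_contours */`. If the headers define a separate limit for contours, an explicit comparison against it would make the guarantee independent of the points limit. The function's start and the rest of the `FT_NEW_ARRAY` condition lie outside the hunk, so the later stores into the outline cannot be checked from here.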