kc3-lang/freetype

diff --git a/ChangeLog b/ChangeLog
index 8c39fbf..558a669 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@
 2015-11-04  Werner Lemberg  <wl@gnu.org>
 
+	[truetype] Catch infinite recursion in subglyphs (#46372).
+
+	* include/freetype/internal/tttypes.h (TT_LoaderRec): New field
+	`composites'.
+
+	* src/truetype/ttgload.c: Include FT_LIST_H.
+	(load_truetype_glyph): Add composite subglyph index to a list;
+	abort if index is already in list.
+	(tt_loader_init): Updated.
+	(tt_loader_done): New function.
+	(TT_Load_Glyph): Call `tt_loader_done'.
+
+2015-11-04  Werner Lemberg  <wl@gnu.org>
+
 	[truetype] Better tracing of composite glyphs.
 
 	* src/truetype/ttgload.c (TT_Load_Composite_Glyph,
diff --git a/include/freetype/internal/tttypes.h b/include/freetype/internal/tttypes.h
index 1507a7c..000c5a8 100644
--- a/include/freetype/internal/tttypes.h
+++ b/include/freetype/internal/tttypes.h
@@ -1515,6 +1515,9 @@ FT_BEGIN_HEADER
     FT_Byte*         cursor;
     FT_Byte*         limit;
 
+    /* since version 2.6.2 */
+    FT_ListRec       composites;
+
   } TT_LoaderRec;
 
 
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 93647de..9a8b458 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -24,6 +24,7 @@
 #include FT_TRUETYPE_TAGS_H
 #include FT_OUTLINE_H
 #include FT_TRUETYPE_DRIVER_H
+#include FT_LIST_H
 
 #include "ttgload.h"
 #include "ttpload.h"
@@ -1633,11 +1634,32 @@
     /* otherwise, load a composite! */
     else if ( loader->n_contours == -1 )
     {
+      FT_Memory  memory = face->root.memory;
+
       FT_UInt   start_point;
       FT_UInt   start_contour;
       FT_ULong  ins_pos;  /* position of composite instructions, if any */
 
 
+      /* check whether we already have a composite glyph with this index */
+      if ( FT_List_Find( &loader->composites, (void*)glyph_index ) )
+      {
+        FT_TRACE1(( "TT_Load_Composite_Glyph:"
+                    " infinite recursion detected\n" ));
+        error = FT_THROW( Invalid_Composite );
+        goto Exit;
+      }
+      else
+      {
+        FT_ListNode  node;
+
+
+        if ( FT_NEW( node ) )
+          goto Exit;
+        node->data = (void*)glyph_index;
+        FT_List_Add( &loader->composites, node );
+      }
+
       start_point   = (FT_UInt)gloader->base.outline.n_points;
       start_contour = (FT_UInt)gloader->base.outline.n_contours;
 
@@ -1665,8 +1687,6 @@
         char*       tags     = NULL;
         short*      contours = NULL;
 
-        FT_Memory  memory = face->root.memory;
-
 
         limit = (short)gloader->current.num_subglyphs;
 
@@ -2399,10 +2419,23 @@
     loader->glyph  = (FT_GlyphSlot)glyph;
     loader->stream = stream;
 
+    loader->composites.head = NULL;
+    loader->composites.tail = NULL;
+
     return FT_Err_Ok;
   }
 
 
+  static void
+  tt_loader_done( TT_Loader  loader )
+  {
+    FT_List_Finalize( &loader->composites,
+                      NULL,
+                      loader->face->root.memory,
+                      NULL );
+  }
+
+
   /*************************************************************************/
   /*                                                                       */
   /* <Function>                                                            */
@@ -2459,6 +2492,7 @@
           /* for the bbox we need the header only */
           (void)tt_loader_init( &loader, size, glyph, load_flags, TRUE );
           (void)load_truetype_glyph( &loader, glyph_index, 0, TRUE );
+          tt_loader_done( &loader );
           glyph->linearHoriAdvance = loader.linear;
           glyph->linearVertAdvance = loader.vadvance;
 
@@ -2554,6 +2588,8 @@
       error = compute_glyph_metrics( &loader, glyph_index );
     }
 
+    tt_loader_done( &loader );
+
     /* Set the `high precision' bit flag.                           */
     /* This is _critical_ to get correct output for monochrome      */
     /* TrueType glyphs at all sizes using the bytecode interpreter. */