Fix Savannah bug #30262. * src/sfnt/ttload.c (tt_face_load_maxp): Limit `maxComponentDepth' arbitrarily to 100 to avoid stack exhaustion.
diff --git a/ChangeLog b/ChangeLog
index f5bf6ce..fc02521 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
-2010-06-25 Werner Lemberg <wl@gnu.org>
+2010-06-26 Werner Lemberg <wl@gnu.org>
+
+ Fix Savannah bug #30262.
+
+ * src/sfnt/ttload.c (tt_face_load_maxp): Limit `maxComponentDepth'
+ arbitrarily to 100 to avoid stack exhaustion.
+
+2010-06-26 Werner Lemberg <wl@gnu.org>
Add some memory checks (mainly for debugging).
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index f60d49b..1c174af 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,8 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
+/* 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -694,6 +695,15 @@
maxProfile->maxTwilightPoints = 0xFFFFU - 4;
}
+
+ /* we arbitrarily limit recursion to avoid stack exhaustion */
+ if ( maxProfile->maxComponentDepth > 100 )
+ {
+ FT_TRACE0(( "tt_face_load_maxp:"
+ " abnormally large component depth (%d) set to 100\n",
+ maxProfile->maxComponentDepth ));
+ maxProfile->maxComponentDepth = 100;
+ }
}
FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs ));
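Review bot: The limit 100 in the new clamp is written three times (the `if` condition, the trace text and the assignment), and the comment does not say what stack budget it was chosen against. I would define it once, for example `#define TT_MAX_COMPONENT_DEPTH 100` (the name is only a suggestion), and widen the comment to `/* cap the font-supplied nesting depth; the value is arbitrary and must stay small enough for the composite loader's recursion */`. The clamp only bounds recursion if the composite-glyph loader compares its nesting level against `maxProfile->maxComponentDepth`; that code is not in this hunk, so it is worth confirming. The trace could also use `%u`, as the `numGlyphs` trace below does, since the field appears to be unsigned. The enclosing block in tt_face_load_maxp starts and ends outside the hunk.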