Commit ddc4b136d6d491f811ddd5e053566789d508e359
2010-06-21T09:28:32
Fix Savannah bug #30168. * src/pfr/pfrgload.c (pfr_glyph_load_compound): Limit the number of subglyphs to avoid endless recursion.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
diff --git a/ChangeLog b/ChangeLog
index fad0c9e..a1f4288 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-06-21 Werner Lemberg <wl@gnu.org>
+
+ Fix Savannah bug #30168.
+
+ * src/pfr/pfrgload.c (pfr_glyph_load_compound): Limit the number of
+ subglyphs to avoid endless recursion.
+
2010-06-20 Werner Lemberg <wl@gnu.org>
Fix Savannah bug #30145.
diff --git a/src/pfr/pfrgload.c b/src/pfr/pfrgload.c
index 6fe6e42..4bf9e74 100644
--- a/src/pfr/pfrgload.c
+++ b/src/pfr/pfrgload.c
@@ -4,7 +4,7 @@
/* */
/* FreeType PFR glyph loader (body). */
/* */
-/* Copyright 2002, 2003, 2005, 2007 by */
+/* Copyright 2002, 2003, 2005, 2007, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -598,6 +598,16 @@
FT_UInt new_max = ( org_count + count + 3 ) & (FT_UInt)-4;
+ /* we arbitrarily limit the number of subglyphs */
+ /* to avoid endless recursion */
+ if ( new_max > 64 )
+ {
+ error = PFR_Err_Invalid_Table;
+ FT_ERROR(( "pfr_glyph_load_compound:"
+ " too many compound glyphs components\n" ));
+ goto Exit;
+ }
+
if ( FT_RENEW_ARRAY( glyph->subs, glyph->max_subs, new_max ) )
goto Exit;