From 15235d0d2287f33cadf3724a6491bc3592203ee2 Mon Sep 17 00:00:00 2001
From: matthieu
Date: Fri, 25 May 2007 01:23:29 +0000
Subject: [PATCH] Fix for CVE-2007-2754: integer overflow that can lead to an heap overflow. Discovered by Victor Stinner. Patch from Freetype repository.

---
 lib/freetype/src/truetype/ttgload.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/freetype/src/truetype/ttgload.c b/lib/freetype/src/truetype/ttgload.c
index 158111384..deb6b978b 100644
--- a/lib/freetype/src/truetype/ttgload.c
+++ b/lib/freetype/src/truetype/ttgload.c
@@ -269,7 +269,11 @@
     n_points = 0;
     if ( n_contours > 0 )
+    {
       n_points = cont[-1] + 1;
+      if ( n_points < 0 )
+        goto Invalid_Outline;
+    }
     /* note that we will add four phantom points later */
     error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 );
@@ -677,7 +681,7 @@
     FT_GlyphLoader gloader = loader->gloader;
     FT_Error error = TT_Err_Ok;
     FT_Outline* outline;
-    FT_UInt n_points;
+    FT_Int n_points;
     outline = &gloader->current.outline;
@@ -704,7 +708,7 @@
     /* Deltas apply to the unscaled data. */
     FT_Vector* deltas;
     FT_Memory memory = loader->face->memory;
-    FT_UInt i;
+    FT_Int i;
     error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face),
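Review bot: The new `if ( n_points < 0 )` guard after `n_points = cont[-1] + 1;` only rejects anything if `n_points` is declared signed in this function, and that declaration is outside the hunk; the second hunk at line 681 turns an `FT_UInt n_points` into `FT_Int` in a different function, so confirm this one is signed as well, otherwise the comparison is always false and a negative end-point index still reaches `FT_GLYPHLOADER_CHECK_POINTS` with `n_points + 4` and the overflow the commit subject describes remains. Because `cont[-1]` is read from the glyph data rather than computed locally, the guard deserves a comment saying why it exists, e.g. `/* cont[-1] is the last end-point index from the font; a negative value */` `/* would pass the size check below while later code still trusts the count */`. The enclosing function starts and ends outside the hunk.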
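Review bot: Changing `n_points` to `FT_Int` at line 684 removes the sign mismatch but adds no check of its own, and both the assignment to `n_points` and every loop bounded by it lie outside this hunk; if any of that code still hands the value to a callee taking an `FT_UInt`, a negative count converts silently back into a huge one, so each use is worth re-checking after the type change (the `FT_Int i` change at line 711 in the third hunk raises the same question for the loop index). A short comment at the declaration would make the intent explicit for the next reader: `FT_Int n_points;  /* signed on purpose: a negative point count must not become a huge unsigned bound */`. The enclosing function begins at its signature above the hunk and ends after it.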