Fix for CVE-2007-2754: integer overflow that can lead to an heap overflow.
Discovered by Victor Stinner. Patch from Freetype repository.
This commit is contained in:
parent
8326dc8ba6
commit
15235d0d22
@ -269,7 +269,11 @@
|
||||
|
||||
n_points = 0;
|
||||
if ( n_contours > 0 )
|
||||
{
|
||||
n_points = cont[-1] + 1;
|
||||
if ( n_points < 0 )
|
||||
goto Invalid_Outline;
|
||||
}
|
||||
|
||||
/* note that we will add four phantom points later */
|
||||
error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 );
|
||||
@ -677,7 +681,7 @@
|
||||
FT_GlyphLoader gloader = loader->gloader;
|
||||
FT_Error error = TT_Err_Ok;
|
||||
FT_Outline* outline;
|
||||
FT_UInt n_points;
|
||||
FT_Int n_points;
|
||||
|
||||
|
||||
outline = &gloader->current.outline;
|
||||
@ -704,7 +708,7 @@
|
||||
/* Deltas apply to the unscaled data. */
|
||||
FT_Vector* deltas;
|
||||
FT_Memory memory = loader->face->memory;
|
||||
FT_UInt i;
|
||||
FT_Int i;
|
||||
|
||||
|
||||
error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face),
|
||||
|
Loading…
Reference in New Issue
Block a user