diff --git a/ChangeLog b/ChangeLog
index f5bf6cecf..fc0252194 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
-2010-06-25 Werner Lemberg
+2010-06-26 Werner Lemberg
+
+ Fix Savannah bug #30262.
+
+ * src/sfnt/ttload.c (tt_face_load_maxp): Limit `maxComponentDepth'
+ arbitrarily to 100 to avoid stack exhaustion.
+
+2010-06-26 Werner Lemberg
 Add some memory checks (mainly for debugging).
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index f60d49b02..1c174aff9 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,8 @@
 /* Load the basic TrueType tables, i.e., tables that can be either in */
 /* TTF or OTF fonts (body). */
 /* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
+/* 2010 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -694,6 +695,15 @@
 maxProfile->maxTwilightPoints = 0xFFFFU - 4;
 }
+
+ /* we arbitrarily limit recursion to avoid stack exhaustion */
+ if ( maxProfile->maxComponentDepth > 100 )
+ {
+ FT_TRACE0(( "tt_face_load_maxp:"
+ " abnormally large component depth (%d) set to 100\n",
+ maxProfile->maxComponentDepth ));
+ maxProfile->maxComponentDepth = 100;
+ }
 }
 FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs ));
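Review bot: The new clamp on `maxComponentDepth` in the last ttload.c hunk sits inside an enclosing block, since the `}` right after the added lines closes something opened above the hunk. It therefore runs only on that branch, and these lines do not show whether the field is bounded when the branch is skipped. That is worth confirming, because the value is read from the font's `maxp` table and the stated goal is to stop recursion before the stack is exhausted. The clamp also only helps if the composite-glyph loader compares its nesting level against this field, which the diff does not show. On style, the limit 100 is written three times (comparison, trace text, assignment); a named constant would keep them in step, e.g. `maxProfile->maxComponentDepth = TT_MAX_COMPONENT_DEPTH;` (placeholder name, not an existing macro).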