From be183ebb5dada06b8be9948f03081e72ce0da1f5 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sun, 17 Jun 2007 11:27:17 +0000 Subject: [PATCH] * src/winfonts/winfnt.c (fnt_face_get_dll_font): Exit in case of invalid font. (FNT_Load_Glyph): Protect against invalid bitmap width. --- ChangeLog | 4 ++++ src/winfonts/winfnt.c | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/ChangeLog b/ChangeLog index 50ef6a7fb..21673950a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ (main): Handle new option `--size' to set `font_size'. (Usage): Updated. + * src/winfonts/winfnt.c (fnt_face_get_dll_font): Exit in case of + invalid font. + (FNT_Load_Glyph): Protect against invalid bitmap width. + 2006-06-16 David Turner * src/smooth/ftgrays.c (gray_find_cell, gray_set_cell, gray_hline): diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c index ff2458415..259b3acef 100644 --- a/src/winfonts/winfnt.c +++ b/src/winfonts/winfnt.c @@ -536,8 +536,11 @@ error = fnt_font_load( face->font, stream ); if ( error ) + { FT_TRACE2(( "font #%lu load error %d\n", dir_entry2.name, error )); + goto Fail; + } else FT_TRACE2(( "font #%lu successfully loaded\n", dir_entry2.name )); @@ -968,6 +971,13 @@ bitmap->rows = font->header.pixel_height; bitmap->pixel_mode = FT_PIXEL_MODE_MONO; + if ( offset + pitch * bitmap->rows >= font->header.file_size ) + { + FT_TRACE2(( "invalid bitmap width\n" )); + error = FNT_Err_Invalid_File_Format; + goto Exit; + } + /* note: since glyphs are stored in columns and not in rows we */ /* can't use ft_glyphslot_set_bitmap */ if ( FT_ALLOC_MULT( bitmap->buffer, pitch, bitmap->rows ) )