diff --git a/ChangeLog b/ChangeLog
index b5c7d13aa..19ff20e4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-12-21 Werner Lemberg
+
+ Check parameters of `FT_Outline_New'.
+ Problem reported by Robin Watts .
+
+ * src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that
+ `numContours' and `numPoints' fit into FT_Outline's `n_points' and
+ `n_contours', respectively.
+
 2012-12-20 Werner Lemberg
 * Version 2.4.11 released.
diff --git a/include/freetype/ftoutln.h b/include/freetype/ftoutln.h
index e733f391e..fd69f2829 100644
--- a/include/freetype/ftoutln.h
+++ b/include/freetype/ftoutln.h
@@ -126,8 +126,10 @@ FT_BEGIN_HEADER
 /* destroying the library, by @FT_Done_FreeType. */
 /* */
 /* numPoints :: The maximum number of points within the outline. */
+ /* Must be smaller than or equal to 0xFFFF (65535). */
 /* */
 /* numContours :: The maximum number of contours within the outline. */
+ /* This value must be in the range 0 to `numPoints'. */
 /* */
 /* */
 /* anoutline :: A handle to the new outline. */
diff --git a/src/base/ftoutln.c b/src/base/ftoutln.c
index c4fd2660a..27aba015a 100644
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@@ -304,6 +304,13 @@
 *anoutline = null_outline;
+ if ( numContours < 0 ||
+ (FT_UInt)numContours > numPoints )
+ return FT_Err_Invalid_Argument;
+
+ if ( numPoints > FT_OUTLINE_POINTS_MAX )
+ return FT_Err_Array_Too_Large;
+
 if ( FT_NEW_ARRAY( anoutline->points, numPoints ) ||
 FT_NEW_ARRAY( anoutline->tags, numPoints ) ||
 FT_NEW_ARRAY( anoutline->contours, numContours ) )
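Review bot: The bound enforced by `if ( numPoints > FT_OUTLINE_POINTS_MAX )` in src/base/ftoutln.c may not match the limit of 0xFFFF (65535) that the header comment added in this same commit promises to callers. The macro's definition is not part of this diff; if it reflects a signed 16-bit `n_points` field, which the ChangeLog's "fit into" wording hints at, the documented limit is larger than the enforced one, and the header comment should name `FT_OUTLINE_POINTS_MAX` rather than a literal. The contour count is only bounded indirectly, through `(FT_UInt)numContours > numPoints` followed by the point check. A comment above the second check, such as `/* numContours <= numPoints <= FT_OUTLINE_POINTS_MAX, so both counts fit the outline's fields */`, would keep a later edit from reordering or dropping one of the two tests. The header could also list `FT_Err_Invalid_Argument` and `FT_Err_Array_Too_Large` as return values; the function body starts and ends outside the hunk.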