From 6730854c397130879c64bd766c673b9bccf9c04a Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Tue, 25 Aug 2020 23:16:27 -0400
Subject: [PATCH] * src/smooth/ftsmooth.c (ft_smooth_raster_overlap): Limit width.

Segmentation fault reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24729
---
 ChangeLog | 8 ++++++++
 src/smooth/ftsmooth.c | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index dc91ab546..0e3b5b543 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2020-08-25 Alexei Podtelezhnikov
+
+ * src/smooth/ftsmooth.c (ft_smooth_raster_overlap): Limit width.
+
+ Segmentation fault reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24729
+
 2020-08-22 Werner Lemberg

 * src/truetype/ttgload.c (TT_Get_VMetrics): Add tracing message.
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index 3ce1cea24..eb5928f6f 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -379,6 +379,11 @@
 TOrigin target;


+ /* Reject outlines that are too wide for 16-bit FT_Span. */
+ /* Other limits are applied upstream with the same error code. */
+ if ( bitmap->width * SCALE > 0x7FFF )
+ return FT_THROW( Raster_Overflow );
+
 /* Set up direct rendering to average oversampled spans. */
 params.target = bitmap;
 params.source = outline;
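Review bot: The new guard in the `src/smooth/ftsmooth.c` hunk, `if ( bitmap->width * SCALE > 0x7FFF )`, multiplies before it compares, so if `bitmap->width` is an unsigned integer (its declaration is not visible here) a sufficiently large width would wrap and slip under the limit. The comment says other limits are applied upstream, but this check is the last line of defence before 16-bit span coordinates are produced from fuzzer-reachable glyph data, so it is safer not to depend on them. Assuming `SCALE` is a positive integer constant, `if ( bitmap->width > 0x7FFF / SCALE )` rejects exactly the same widths without any possibility of overflow. The enclosing function starts and ends outside the hunk, so whether later uses of the scaled width are also bounded cannot be confirmed from here.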