From fae4ec05251a399c9f90c8ca813d0681e7f62e7b Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 29 Jul 2016 06:43:32 +0200
Subject: [PATCH] [sfnt, truetype] Don't abort on invalid `maxComponentDepth'.
Since 2016-05-16 we detect infinite recursion directly.
* src/sfnt/ttload.c (tt_face_load_maxp): Don't adjust `maxComponentDepth'.
* src/truetype/ttgload.c (load_truetype_glyph): Don't abort if `maxComponentDepth' is not valid. Instead, simply adjust its value and emit a tracing message.
---
 ChangeLog | 12 ++++++++++++
 src/sfnt/ttload.c | 9 ---------
 src/truetype/ttgload.c | 11 +++++------
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 36ca399f4..4254ed41e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2016-07-29 Werner Lemberg
+
+ [sfnt, truetype] Don't abort on invalid `maxComponentDepth'.
+
+ Since 2016-05-16 we detect infinite recursion directly.
+
+ * src/sfnt/ttload.c (tt_face_load_maxp): Don't adjust
+ `maxComponentDepth'.
+ * src/truetype/ttgload.c (load_truetype_glyph): Don't abort if
+ `maxComponentDepth' is not valid. Instead, simply adjust its value
+ and emit a tracing message.
+
 2016-07-26 Werner Lemberg
 * src/autofit/aflatin.c (af_latin_metrics_scale_dim): Minor.
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 2f5b2c384..ed80a9ca8 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -775,15 +775,6 @@
 maxProfile->maxTwilightPoints = 0xFFFFU - 4;
 }
-
- /* we arbitrarily limit recursion to avoid stack exhaustion */
- if ( maxProfile->maxComponentDepth > 100 )
- {
- FT_TRACE0(( "tt_face_load_maxp:"
- " abnormally large component depth (%d) set to 100\n",
- maxProfile->maxComponentDepth ));
- maxProfile->maxComponentDepth = 100;
- }
 }
 FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs ));
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 8be9b6ae6..cb99c7e54 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1436,13 +1436,12 @@
 FT_TRACE5(( " nesting level: %d\n", recurse_count ));
 #endif
- /* some fonts have an incorrect value of `maxComponentDepth', */
- /* thus we allow depth 1 to catch the majority of them */
- if ( recurse_count > 1 &&
- recurse_count > face->max_profile.maxComponentDepth )
+ /* some fonts have an incorrect value of `maxComponentDepth' */
+ if ( recurse_count > face->max_profile.maxComponentDepth )
 {
- error = FT_THROW( Invalid_Composite );
- goto Exit;
+ FT_TRACE1(( "load_truetype_glyph: maxComponentDepth set to %d\n",
+ recurse_count ));
+ face->max_profile.maxComponentDepth = recurse_count;
 }
 #ifndef FT_CONFIG_OPTION_INCREMENTAL
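Review bot: After this change nothing in the hunk bounds `recurse_count`: the check against `maxComponentDepth` now raises the stored limit instead of failing, and the same commit drops the clamp to 100 in `tt_face_load_maxp` that was commented as guarding against stack exhaustion. The commit message relies on the direct infinite-recursion detection, which is not visible in this patch; if that check only rejects cycles, a font with a long acyclic chain of nested composites would presumably still recurse once per level. Consider keeping an absolute ceiling ahead of the adjustment, e.g. `if ( recurse_count > 100 ) { error = FT_THROW( Invalid_Composite ); goto Exit; }`, and extending the comment to say that `maxComponentDepth` is font-supplied and that the face's `max_profile` is written back during glyph loading. `load_truetype_glyph` begins and ends outside the hunk.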