diff --git a/ChangeLog b/ChangeLog
index be5acaee5..bcb7f3889 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-11-27 suzuki toshiya
+
+ Prevent too negative values (< FT_INT_MIN) in bitmap metrics,
+ suggested by Alexei.
+
+ * src/pfr/pfrsbit.c (pfr_slot_load_bitmap): Prevent too
+ negative values in `xpos' and `ypos + ysize'.
+ * src/smooth/ftsmooth.c (ft_smooth_render_generic): Prevent
+ too negative values in `x_left' and `y_top'. Either negative
+ values in `width' and `height' are checked.
+
 2014-11-27 Werner Lemberg
 [docmaker] Produce better HTML code.
diff --git a/src/pfr/pfrsbit.c b/src/pfr/pfrsbit.c
index eb7507f3f..cc4a9c9d3 100644
--- a/src/pfr/pfrsbit.c
+++ b/src/pfr/pfrsbit.c
@@ -636,7 +636,8 @@
 * which causes a size truncation, because truncated
 * size properties makes bitmap glyph broken.
 */
- if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX )
+ if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX ||
+ xpos < FT_INT_MIN || ( ypos + ysize ) < FT_INT_MIN )
 {
 FT_TRACE1(( "pfr_slot_load_bitmap:" ));
 FT_TRACE1(( "huge bitmap glyph %dx%d over FT_GlyphSlot\n",
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index 98e117cd8..de2e01d08 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -205,7 +205,8 @@
 * XXX: on 16bit system, we return an error for huge bitmap
 * to prevent an overflow.
 */
- if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX )
+ if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX ||
+ x_left < FT_INT_MIN || y_top < FT_INT_MIN )
 {
 error = FT_THROW( Invalid_Pixel_Size );
 goto Exit;
@@ -213,7 +214,8 @@
 /* Required check is (pitch * height < FT_ULONG_MAX), */
 /* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFF || height > 0x7FFF )
+ if ( width < 0 || width > 0x7FFF ||
+ height < 0 || height > 0x7FFF )
 {
 FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
 width, height ));
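Review bot: In the `pfr_slot_load_bitmap` check, `( ypos + ysize ) < FT_INT_MIN` compares the sum only after it has been formed, so the addition can wrap or change signedness before the range test sees it. The declarations of `ypos` and `ysize` are outside this hunk; if `ysize` is unsigned, the sum is unsigned and `FT_INT_MIN` converts to a large unsigned value, so the comparison would not express "too negative" as the ChangeLog describes. Because these metrics are read from the font file, I would bound the operands individually and avoid the raw sum, e.g. `ysize > FT_INT_MAX || ypos > FT_INT_MAX - (FT_Long)ysize || ypos + (FT_Long)ysize < FT_INT_MIN`. The enclosing function begins and ends outside the hunk.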
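Review bot: The comment above the `x_left`/`y_top` check still describes only the "huge bitmap" overflow case, although the condition now also rejects values below `FT_INT_MIN`. I would extend its text to something like `* XXX: on 16bit system, we return an error for offsets that do not fit in FT_Int (too large or too negative)`. The comment opens above the hunk, so its first line is not visible here. This path also returns `Invalid_Pixel_Size` with no trace output, unlike the size check that follows it, which makes a rejected glyph harder to diagnose.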
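Review bot: The new `width < 0` and `height < 0` tests sit directly above an `FT_ERROR` call that prints both values with `%u`, and the two cannot both be right. The declarations are outside the hunk: if `width` and `height` are signed, a rejected negative extent is logged as a large unsigned number and the conversion should be `%d` (or whatever matches the declared type). If they are unsigned, the `< 0` comparisons are always false and a negative extent has to be caught before the value is converted to the unsigned type. The message text also says only "glyph too large", so a wording such as `glyph too large or negative: %d x %d` would describe what was actually rejected.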