diff --git a/ChangeLog b/ChangeLog index 553dbe999..1b81fe059 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2006-03-26 Werner Lemberg + + * src/bdf/bdflib.c (ERRMSG4): New macro. + (_bdf_parse_glyphs): Handle invalid BBX values. + + * include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error + macro. + 2006-03-23 Werner Lemberg * docs/CHANGES: Updated. diff --git a/include/freetype/fterrdef.h b/include/freetype/fterrdef.h index 2f73c0858..42115d284 100644 --- a/include/freetype/fterrdef.h +++ b/include/freetype/fterrdef.h @@ -4,7 +4,7 @@ /* */ /* FreeType error codes (specification). */ /* */ -/* Copyright 2002, 2004 by */ +/* Copyright 2002, 2004, 2006 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -226,6 +226,8 @@ "`ENCODING' field missing" ) FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ "`BBX' field missing" ) + FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ + "`BBX' too big" ) /* END */ diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c index d13df4716..3c928e563 100644 --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -1092,6 +1092,7 @@ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" +#define ERRMSG4 "[line %ld] BBX too big.\n" static FT_Error @@ -1814,6 +1815,9 @@ /* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) { + unsigned long bitmap_size; + + if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. */ @@ -1824,7 +1828,16 @@ /* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; - glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); + + bitmap_size = glyph->bpr * glyph->bbx.height; + if ( bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; + goto Exit; + } + else + glyph->bytes = (unsigned short)bitmap_size; if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit;