From a7d8bdbcfeb65b4859fe553df9d4922627837888 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Mon, 16 May 2016 21:54:32 +0900
Subject: [PATCH] [truetype] Improve the recursive reference detector.

The previous fix for #46372 misunderstood a composite glyph referring
same component twice as a recursive reference.  See the discussion

http://lists.gnu.org/archive/html/freetype/2016-05/msg00000.html

Thanks to Khaled Hosny for finding this issue.

* src/truetype/ttgload.c (ft_list_get_node_at): A function to get
the i-th node from FT_List.  (load_truetype_glyph): In the traversal
scan of the reference tree in the composite glyph, we clear the
nodes filled by previous sibling chain.
---
 ChangeLog              | 16 ++++++++++++++++
 src/truetype/ttgload.c | 38 +++++++++++++++++++++++++++++++++++---
 2 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 58fd711c7..fe34f6477 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2016-05-16  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	[truetype] Improve the recursive reference detector.
+
+	The previous fix for #46372 misunderstood a composite glyph referring
+	same component twice as a recursive reference.  See the discussion
+
+	http://lists.gnu.org/archive/html/freetype/2016-05/msg00000.html
+
+	Thanks to Khaled Hosny for finding this issue.
+
+	* src/truetype/ttgload.c (ft_list_get_node_at): A function to get
+	the i-th node from FT_List.  (load_truetype_glyph): In the traversal
+	scan of the reference tree in the composite glyph, we clear the
+	nodes filled by previous sibling chain.
+
 2016-05-07  Werner Lemberg  <wl@gnu.org>
 
 	[cache] Allow value 0 for face ID.
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index c4038ee77..7a3483817 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1369,6 +1369,29 @@
 #endif /* !TT_CONFIG_OPTION_SUBPIXEL_HINTING */
 
 
+  /* a utility function to retrieve i-th node from given FT_List */
+  static FT_ListNode
+  ft_list_get_node_at( FT_List  list,
+                       FT_UInt  index )
+  {
+    FT_ListNode  cur;
+
+
+    if ( !list )
+      return NULL;
+
+    for ( cur = list->head; cur; cur = cur->next )
+    {
+      if ( !index )
+        return cur;
+
+      index --;
+    }
+
+    return NULL;
+  }
+
+
   /*************************************************************************/
   /*                                                                       */
   /* <Function>                                                            */
@@ -1640,6 +1663,7 @@
       FT_UInt   start_point;
       FT_UInt   start_contour;
       FT_ULong  ins_pos;  /* position of composite instructions, if any */
+      FT_ListNode  node, node2;
 
 
       /*
@@ -1649,6 +1673,13 @@
        * pointers with a width of at least 32 bits.
        */
 
+
+      /* clear the nodes filled by sibling chains */
+      node = ft_list_get_node_at( &loader->composites, recurse_count );
+      for ( node2 = node ; node2 ; node2 = node2->next )
+        node2->data = (void*)ULONG_MAX;
+
+
       /* check whether we already have a composite glyph with this index */
       if ( FT_List_Find( &loader->composites,
                          (void*)(unsigned long)glyph_index ) )
@@ -1658,11 +1689,12 @@
         error = FT_THROW( Invalid_Composite );
         goto Exit;
       }
+      else if ( node )
+      {
+        node->data = (void*)(unsigned long)glyph_index;
+      }
       else
       {
-        FT_ListNode  node = NULL;
-
-
         if ( FT_NEW( node ) )
           goto Exit;
         node->data = (void*)(unsigned long)glyph_index;