From da5946278048ca97594120b23b47adb43095503b Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Thu, 9 Jul 2009 17:21:32 +0900
Subject: [PATCH] smooth: Check glyph size by width/height, instead of
 pitch/height.

---
 ChangeLog             | 14 +++++++++++++-
 src/smooth/ftsmooth.c |  4 +++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e84dd0b0c..b74dc22cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2009-07-09  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	smooth: Check glyph size by width/height, instead of pitch/height.
+	Suggested by der Mouse <mouse@Rodents-Montreal.ORG>.
+
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Improve
+	the check for too large glyph. Replace the pair of `pitch' and
+	`height' by the pair of `width' and `height'. `pitch' cannot
+	be greater than `height'. The required is checking the product
+	`pitch' * `height' <= FT_ULONG_MAX, but we use cheap checks for 
+	the realistic case only.
+
 2009-07-09  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	Register 2 missing trace components, t1afm and ttbdf.
@@ -957,7 +969,7 @@
 	Problem reported by Tavis Ormandy <taviso@google.com>.
 
 	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
-	`width' or `pitch' to be larger than 0xFFFF.
+	`pitch' or `height' to be larger than 0xFFFF.
 
 2009-03-20  Werner Lemberg  <wl@gnu.org>
 	    Tavis Ormandy <taviso@google.com>
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index f0b0513a4..a47c97a22 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -196,7 +196,9 @@
 
 #endif
 
-    if ( pitch > 0xFFFF || height > 0xFFFF )
+    /* Required check is ( pitch * height < FT_ULONG_MAX ),     */
+    /* but we care realistic cases only. Always pitch <= width. */
+    if ( width > 0xFFFFU || height > 0xFFFFU )
     {
       FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
                  width, height ));