ref: be183ebb5dada06b8be9948f03081e72ce0da1f5
parent: e12ed563d600299fc7e009311ed412be6fde4188
author: Werner Lemberg <[email protected]>
date: Sun Jun 17 07:27:17 EDT 2007
* src/winfonts/winfnt.c (fnt_face_get_dll_font): Exit in case of invalid font. (FNT_Load_Glyph): Protect against invalid bitmap width.
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
(main): Handle new option `--size' to set `font_size'.
(Usage): Updated.
+ * src/winfonts/winfnt.c (fnt_face_get_dll_font): Exit in case of
+ invalid font.
+ (FNT_Load_Glyph): Protect against invalid bitmap width.
+
2006-06-16 David Turner <[email protected]>
* src/smooth/ftgrays.c (gray_find_cell, gray_set_cell, gray_hline):
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -536,8 +536,11 @@
error = fnt_font_load( face->font, stream );
if ( error )
+ {
FT_TRACE2(( "font #%lu load error %d\n",
dir_entry2.name, error ));
+ goto Fail;
+ }
else
FT_TRACE2(( "font #%lu successfully loaded\n",
dir_entry2.name ));
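Review bot: The `else` after the new braced error branch is now redundant, because `goto Fail;` always leaves that branch, and the `if`/`else` pair ends up braced on one side only. The success trace could follow the block unconditionally: `FT_TRACE2(( "font #%lu successfully loaded\n", dir_entry2.name ));`. The `Fail` label and the allocation of `face->font` are outside this hunk, so it is worth confirming that the cleanup there releases the partially loaded font on this new exit path.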
@@ -967,6 +970,13 @@
bitmap->pitch = pitch;
bitmap->rows = font->header.pixel_height;
bitmap->pixel_mode = FT_PIXEL_MODE_MONO;
+
+ if ( offset + pitch * bitmap->rows >= font->header.file_size )
+ {
+ FT_TRACE2(( "invalid bitmap width\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Exit;
+ }
/* note: since glyphs are stored in columns and not in rows we */
/* can't use ft_glyphslot_set_bitmap */
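Review bot: The new bounds check adds `offset + pitch * bitmap->rows` before comparing. If `offset` comes from the font file's glyph table, as it appears to, a very large value can wrap the sum and still pass the test. Comparing by subtraction avoids the wrap: `if ( offset >= font->header.file_size || pitch * bitmap->rows > font->header.file_size - offset )`. That form also accepts a bitmap ending exactly at the end of the file, which the current `>=` rejects. `file_size` is itself a header field, so the check only holds if that field is validated against the real stream size elsewhere; the declarations of `offset` and `pitch` and the rest of FNT_Load_Glyph are outside this hunk.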