Prevent too negative values (< FT_INT_MIN) in bitmap metrics,

suggested by Alexei. * src/pfr/pfrsbit.c (pfr_slot_load_bitmap): Prevent too negative values in `xpos' and `ypos + ysize'. * src/smooth/ftsmooth.c (ft_smooth_render_generic): Prevent too negative values in `x_left' and `y_top'. Either negative values in `width' and `height' are checked.
10 years ago · 1b057040d8
parent c52882ab72
commit 1b057040d8
3 changed files with 17 additions and 3 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2014-11-27  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Prevent too negative values (< FT_INT_MIN) in bitmap metrics,
+	suggested by Alexei.
+
+	* src/pfr/pfrsbit.c (pfr_slot_load_bitmap): Prevent too
+	negative values in `xpos' and `ypos + ysize'.
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Prevent
+	too negative values in `x_left' and `y_top'.  Either negative
+	values in `width' and `height' are checked.
+
 2014-11-27  Werner Lemberg  <wl@gnu.org>

 	[docmaker] Produce better HTML code.
--- a/src/pfr/pfrsbit.c
+++ b/src/pfr/pfrsbit.c
@ -636,7 +636,8 @@
       *      which causes a size truncation, because truncated
       *      size properties makes bitmap glyph broken.
       */
-      if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX )
+      if ( xpos > FT_INT_MAX || ( ypos + ysize ) > FT_INT_MAX ||
+           xpos < FT_INT_MIN || ( ypos + ysize ) < FT_INT_MIN )
      {
        FT_TRACE1(( "pfr_slot_load_bitmap:" ));
        FT_TRACE1(( "huge bitmap glyph %dx%d over FT_GlyphSlot\n",
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@ -205,7 +205,8 @@
     * XXX: on 16bit system, we return an error for huge bitmap
     * to prevent an overflow.
     */
-    if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX )
+    if ( x_left > FT_INT_MAX || y_top > FT_INT_MAX ||
+         x_left < FT_INT_MIN || y_top < FT_INT_MIN )
    {
      error = FT_THROW( Invalid_Pixel_Size );
      goto Exit;
@ -213,7 +214,8 @@

    /* Required check is (pitch * height < FT_ULONG_MAX),        */
    /* but we care realistic cases only.  Always pitch <= width. */
-    if ( width > 0x7FFF || height > 0x7FFF )
+    if ( width  < 0 || width  > 0x7FFF ||
+         height < 0 || height > 0x7FFF )
    {
      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
                 width, height ));