From 248f5629d8889aa5b77ea5bfce0935140293d50d Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 13 Aug 2016 06:53:53 +0200
Subject: [PATCH] [winfonts] Avoid zero bitmap width and height.

Reported as

  https://bugzilla.mozilla.org/show_bug.cgi?id=1272173

* src/winfonts/winfnt.c (FNT_Face_Init): Check zero pixel height.
(FNT_Load_Glyph): Check for zero pitch.
---
 ChangeLog             | 11 +++++++++++
 src/winfonts/winfnt.c | 11 ++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0581fd7ad..e1f662968 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-08-13  Werner Lemberg  <wl@gnu.org>
+
+	[winfonts] Avoid zero bitmap width and height.
+
+	Reported as
+
+	  https://bugzilla.mozilla.org/show_bug.cgi?id=1272173
+
+	* src/winfonts/winfnt.c (FNT_Face_Init): Check zero pixel height.
+	(FNT_Load_Glyph): Check for zero pitch.
+
 2016-08-11  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	* src/truetype/ttinterp.c (Pop_Push_Count): Revert changes.
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index 1c74ccd5a..a0a18001b 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -759,6 +759,14 @@
     if ( error )
       goto Fail;
 
+    /* sanity check */
+    if ( !face->font->header.pixel_height )
+    {
+      FT_TRACE2(( "invalid pixel height\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Fail;
+    }
+
     /* we now need to fill the root FT_Face fields */
     /* with relevant information                   */
     {
@@ -1062,7 +1070,8 @@
       bitmap->rows       = font->header.pixel_height;
       bitmap->pixel_mode = FT_PIXEL_MODE_MONO;
 
-      if ( offset + pitch * bitmap->rows > font->header.file_size )
+      if ( !pitch                                                 ||
+           offset + pitch * bitmap->rows > font->header.file_size )
       {
         FT_TRACE2(( "invalid bitmap width\n" ));
         error = FT_THROW( Invalid_File_Format );