From 495de6cc72c602a5c2c14a14b5c1da59f18e26f7 Mon Sep 17 00:00:00 2001 From: Alexei Podtelezhnikov Date: Sun, 6 Mar 2016 23:54:34 -0500 Subject: [PATCH] [base] Refuse to render enormous outlines (#47114). The goal is to avoid integer overflows in the rendering algorithms. The limit is chosen arbitrarily at some 2^18 pixels, which should be enough for modern devices including printers. * src/base/ftoutln.c (FT_Outline_Render): Check CBox and reject enormous outlines. --- ChangeLog | 11 +++++++++++ src/base/ftoutln.c | 6 ++++++ 2 files changed, 17 insertions(+) diff --git a/ChangeLog b/ChangeLog index a1db4ad70..8761d5485 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2016-03-06 Alexei Podtelezhnikov + + [base] Refuse to render enormous outlines (#47114). + + The goal is to avoid integer overflows in the rendering algorithms. + The limit is chosen arbitrarily at some 2^18 pixels, which should be + enough for modern devices including printers. + + * src/base/ftoutln.c (FT_Outline_Render): Check CBox and reject + enormous outlines. + 2016-03-06 Alexei Podtelezhnikov [smooth] Replace left shifts with multiplications (#47114). diff --git a/src/base/ftoutln.c b/src/base/ftoutln.c index fa2d2cf65..1cf86442d 100644 --- a/src/base/ftoutln.c +++ b/src/base/ftoutln.c @@ -618,6 +618,7 @@ FT_Error error; FT_Renderer renderer; FT_ListNode node; + FT_BBox cbox; if ( !library ) @@ -629,6 +630,11 @@ if ( !params ) return FT_THROW( Invalid_Argument ); + FT_Outline_Get_CBox( outline, &cbox ); + if ( cbox.xMin < -0x1000000L || cbox.yMin < -0x1000000L || + cbox.xMax > 0x1000000L || cbox.yMax > 0x1000000L ) + return FT_THROW( Invalid_Outline ); + renderer = library->cur_renderer; node = library->renderers.head;