From ddc4b136d6d491f811ddd5e053566789d508e359 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 21 Jun 2010 09:28:32 +0200
Subject: [PATCH] Fix Savannah bug #30168.

* src/pfr/pfrgload.c (pfr_glyph_load_compound): Limit the number of subglyphs to avoid endless recursion.
---
 ChangeLog | 7 +++++++
 src/pfr/pfrgload.c | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index fad0c9eac..a1f428861 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-06-21 Werner Lemberg
+
+ Fix Savannah bug #30168.
+
+ * src/pfr/pfrgload.c (pfr_glyph_load_compound): Limit the number of
+ subglyphs to avoid endless recursion.
+
 2010-06-20 Werner Lemberg
 Fix Savannah bug #30145.
diff --git a/src/pfr/pfrgload.c b/src/pfr/pfrgload.c
index 6fe6e4225..4bf9e74b8 100644
--- a/src/pfr/pfrgload.c
+++ b/src/pfr/pfrgload.c
@@ -4,7 +4,7 @@
 /* */
 /* FreeType PFR glyph loader (body). */
 /* */
-/* Copyright 2002, 2003, 2005, 2007 by */
+/* Copyright 2002, 2003, 2005, 2007, 2010 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -598,6 +598,16 @@
 FT_UInt new_max = ( org_count + count + 3 ) & (FT_UInt)-4;
+ /* we arbitrarily limit the number of subglyphs */
+ /* to avoid endless recursion */
+ if ( new_max > 64 )
+ {
+ error = PFR_Err_Invalid_Table;
+ FT_ERROR(( "pfr_glyph_load_compound:"
+ " too many compound glyphs components\n" ));
+ goto Exit;
+ }
+
 if ( FT_RENEW_ARRAY( glyph->subs, glyph->max_subs, new_max ) )
 goto Exit;
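Review bot: The added guard `if ( new_max > 64 )` in the `src/pfr/pfrgload.c` hunk at -598 caps the capacity of `glyph->subs`, so it stops a self-referencing compound glyph only indirectly. It presumably relies on each recursion level leaving its entries in that array, which cannot be confirmed here because `pfr_glyph_load_compound` and the recursive caller start and end outside the hunk. Since the component count presumably comes from the font file, I would replace the bare literal with a named limit, e.g. `#define PFR_MAX_SUBGLYPHS 64` (name constructed for this note). The comment should also say what is bounded: `/* cap the total size of glyph->subs; recursion is bounded only because nested compounds append to this array */`. Because the test uses the rounded-up `new_max`, the largest accepted total is exactly 64 components, and anything larger now fails with `PFR_Err_Invalid_Table`; the comment should record this too.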