From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.
This adds an additional constraint to make the fix from 2013-01-25
* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
Index: freetype-2.5.2/src/sfnt/ttsbit.c
13
===================================================================
14
--- freetype-2.5.2.orig/src/sfnt/ttsbit.c 2015-02-24 08:19:30.901177578 -0500
15
+++ freetype-2.5.2/src/sfnt/ttsbit.c 2015-02-24 08:19:30.901177578 -0500
17
num_glyphs = FT_NEXT_ULONG( p );
19
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
20
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
21
+ if ( p + 4 > p_limit ||
22
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
25
for ( mm = 0; mm < num_glyphs; mm++ )
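Review bot: The added guard `p + 4 > p_limit` forms the pointer before comparing it, and if `p_limit` is the end of the underlying buffer, computing `p + 4` past it is undefined behaviour in C, so a compiler may assume the test is false. The same bound can be expressed on the difference the second operand already uses, `if ( p_limit - p < 4 ||`, which never leaves the buffer. Separately, `FT_NEXT_ULONG( p )` on the first line of the hunk consumes four bytes before either test runs; whether `p` was bounds-checked ahead of that read is not visible here, because the enclosing case of tt_sbit_decoder_load_image starts outside the hunk. The existing comment could also say why the extra test is needed, for example `/* p_limit - p < 4 makes the subtraction of 1 wrap around as FT_ULong */`.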