authorMatthieu Herrb <matthieu@cvs.openbsd.org>2010-11-06 16:45:50 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2010-11-06 16:45:50 +0000
commitc572180aeb6016c74a4dd20ea121e4d26b0a2826 (patch)
tree657c1e0f31e6accae5ec3ea559da85f9be50b938 /lib
parent995c62c1b154d56a029323b773d1c6ff8902cebe (diff)
MFC security fix for CVE-2010-3814
commit 0edf0986f3be570f5bf90ff245a85c1675f5c9a4 Author: Werner Lemberg <wl@gnu.org> Date: Wed Oct 6 11:52:27 2010 +0200 [truetype] Improve error handling of `SHZ' bytecode instruction. Problem reported by Chris Evans <scarybeasts@gmail.com>. * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
Diffstat (limited to 'lib')
-rw-r--r--lib/freetype/src/truetype/ttinterp.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/freetype/src/truetype/ttinterp.c b/lib/freetype/src/truetype/ttinterp.c
index bf9189c39..e196dcea0 100644
--- a/lib/freetype/src/truetype/ttinterp.c
+++ b/lib/freetype/src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+ {
last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+ if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+ {
+ if ( CUR.pedantic_hinting )
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+ }
else
last_point = 0;
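Review bot: The `else last_point = 0;` fallback is not covered by the new `BOUNDS` check, which guards only the `gep2 == 1` branch, so an empty zone (`n_points == 0` or `n_contours == 0`) still leaves this block with `last_point` naming point 0. The function body starts and ends outside this hunk, so the later use of `last_point` is not visible here; if it is treated as an inclusive upper index, the fallback would still touch one point of a zone that has none. In that case leaving early (`else return;`) or switching to an exclusive limit would close the gap. The added check would also benefit from a short comment such as `/* the last contour's end index must lie inside the zone */`, since nothing in the code says why the value read from `contours[]` is distrusted.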