--- freetype-2.1.10/src/base/ftutil.c.cve-2006-2661 2005-03-03 15:59:06.000000000 -0700 +++ freetype-2.1.10/src/base/ftutil.c 2006-06-07 18:09:04.314309308 -0600 @@ -52,6 +52,8 @@ FT_Long size, void* *P ) { + FT_Error error = FT_Err_Ok; + FT_ASSERT( P != 0 ); if ( size > 0 ) @@ -68,13 +70,17 @@ FT_MEM_ZERO( *P, size ); } else + { *P = NULL; + if ( size < 0 ) + error = FT_Err_Invalid_Argument; + } FT_TRACE7(( "FT_Alloc:" )); FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n", size, *P, P )); - return FT_Err_Ok; + return error; } @@ -128,11 +134,14 @@ return FT_Alloc( memory, size, P ); /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) + if ( size == 0 ) { FT_Free( memory, P ); return FT_Err_Ok; } + + if ( size < 0 || current < 0 ) + return FT_Err_Invalid_Argument; Q = memory->realloc( memory, current, size, *P ); if ( !Q ) @@ -170,11 +179,14 @@ return FT_QAlloc( memory, size, P ); /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) + if ( size == 0 ) { FT_Free( memory, P ); return FT_Err_Ok; } + + if ( size < 0 || current < 0 ) + return FT_Err_Invalid_Argument; Q = memory->realloc( memory, current, size, *P ); if ( !Q )
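Review bot: The new `FT_Err_Invalid_Argument` result for `size < 0` in the second hunk (the `else` branch of FT_Alloc) is not described by any comment visible in the patch. The function's header comment lies outside the hunks, so it may still say the call only fails on out-of-memory. I would add a comment above the branch such as `/* size == 0: NULL block, success; size < 0: NULL block, FT_Err_Invalid_Argument */`, and list the new return code in the header comment. Callers that tested only `*P` see no difference, while callers that tested only the return value now see the rejection, which is worth documenting.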
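Review bot: The added `if ( size < 0 || current < 0 )` test in the third hunk, and the identical one in the last hunk, rejects only values that are already negative on arrival. A byte count that a caller computed by multiplication and that wrapped to a positive value would still reach `memory->realloc`. No caller is visible in this patch, so this is inferred, but the guard should be treated as a backstop rather than a replacement for range checks where sizes are computed. On the new error path `*P` is left allocated and unchanged, whereas a negative `size` previously freed it. I would record that above the check: `/* negative sizes are rejected; *P is left untouched and remains owned by the caller */`. The function body starts and ends outside the hunk.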
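Review bot: The early `return FT_QAlloc( memory, size, P );` at the top of the last hunk runs before the new sign check, and FT_QAlloc is not modified anywhere in this patch, although FT_Alloc is. If FT_QAlloc still ends with an unconditional `return FT_Err_Ok;`, as FT_Alloc did before this change, a negative `size` with `*P == NULL` would report success with a null block. Mirroring the FT_Alloc change there, with `if ( size < 0 ) error = FT_Err_Invalid_Argument;` in its `else` branch and `return error;`, would make the four entry points agree. The body of this function extends beyond the hunk.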