===================================================================
RCS file: /sources/freetype/freetype2/src/bdf/bdflib.c,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- freetype2/src/bdf/bdflib.c 2007/02/12 21:44:09 1.33
+++ freetype2/src/bdf/bdflib.c 2007/03/28 07:17:17 1.34
@@ -385,8 +385,10 @@
 } _bdf_parse_t;
-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
+#define setsbit( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
+#define sbitset( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
 static void
@@ -1130,7 +1132,7 @@
 bdf_options_t* opts )
 {
 unsigned long len;
- char name[128];
+ char name[256];
 _bdf_list_t list;
 FT_Memory memory;
 FT_Error error = BDF_Err_Ok;
@@ -1149,6 +1151,13 @@
 font->spacing = opts->font_spacing;
 len = (unsigned long)( ft_strlen( font->name ) + 1 );
+ /* Limit ourselves to 256 characters in the font name. */
+ if ( len >= 256 )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
+
 FT_MEM_COPY( name, font->name, len );
 error = _bdf_list_split( &list, (char *)"-", name, len );
@@ -1467,6 +1476,14 @@
 if ( p->cnt == 0 )
 font->glyphs_size = 64;
+ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */
+ /* number of code points available in Unicode). */
+ if ( p->cnt >= 1114112UL )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
+
 if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
 goto Exit;
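Review bot: The `(FT_Byte)` cast in `setsbit`/`sbitset` is applied to the index but not to the `(cc) & 7` operand, and nothing next to the macros says why it is there. If `cc` is a plain `char` that is signed on the target, a byte of 0x80 or above would otherwise give a negative index into `m`. Writing both uses the same way, `m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (FT_Byte)(cc) & 7 ) )`, plus a comment such as `/* cc may be a signed char; the cast keeps the index in 0..31 */`, would stop a later cleanup from removing it. The callers and the size of the maps passed as `m` are outside this hunk, so the 32-byte assumption should be confirmed there.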
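Review bot: The buffer size is now written twice as a bare literal, once in `char name[256];` in this hunk and again in the check added in the next hunk (`if ( len >= 256 )`). A later resize of one can leave the other stale, so that `FT_MEM_COPY` is again unguarded. Deriving the bound from the buffer, `if ( len >= sizeof ( name ) )`, keeps the two tied together. Since `len` already counts the terminating NUL, `>=` also rejects a name that would fit exactly; that is harmless but worth stating in the comment. The function body starts and ends outside both hunks, so whether the `Exit` path is safe to reach before `_bdf_list_split` has run should be confirmed there.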
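Review bot: The new bound is tested on `p->cnt`, but the allocation right after it is sized by `font->glyphs_size`, so the check only protects `FT_NEW_ARRAY` if the two are assigned together above this hunk, which is not visible here. Testing the value actually passed to the allocator, `if ( font->glyphs_size >= 1114112UL )`, and giving the limit a named constant would make that dependency explicit. Even under the cap, a declared count just below the limit still requests over a million glyph records up front. If the count is read from the font file, it may be worth bounding it by the input size as well.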