--- freetype-2.2.1/src/truetype/ttgxvar.c 2006-05-02 23:53:30.000000000 +0200
+++ freetype-2.2.1/src/truetype/ttgxvar.c 2010-10-22 08:41:21.000000000 +0200
@@ -158,6 +158,9 @@
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
first = points[i++] = FT_GET_USHORT();
+ if ( runcnt < 1 || i + runcnt >= n )
+ goto Exit;
+
/* first point not included in runcount */
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
@@ -166,11 +169,15 @@
{
first = points[i++] = FT_GET_BYTE();
+ if ( runcnt < 1 || i + runcnt >= n )
+ goto Exit;
+
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
}
}
+ Exit:
return points;
}
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
ace0c7d5943399be8235d684d03fb2e5
>
files
>
12
