head 1.11; access; symbols pkgsrc-2013Q2:1.11.0.6 pkgsrc-2013Q2-base:1.11 pkgsrc-2012Q4:1.11.0.4 pkgsrc-2012Q4-base:1.11 pkgsrc-2011Q4:1.11.0.2 pkgsrc-2011Q4-base:1.11 pkgsrc-2011Q2:1.8.0.2 pkgsrc-2011Q2-base:1.8 pkgsrc-2010Q3:1.6.0.2 pkgsrc-2009Q4:1.5.0.2 pkgsrc-2009Q4-base:1.5 pkgsrc-2009Q3:1.4.0.6 pkgsrc-2009Q3-base:1.4 pkgsrc-2009Q2:1.4.0.4 pkgsrc-2009Q2-base:1.4 pkgsrc-2009Q1:1.4.0.2 pkgsrc-2008Q4:1.3.0.16 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.14 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.12 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.10 pkgsrc-2008Q2-base:1.3 pkgsrc-2008Q1:1.3.0.8 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.6 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.4 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.3.0.2 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.2.0.2 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.1.0.8 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.6 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.4 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.2; locks; strict; comment @# @; 1.11 date 2011.08.03.08.25.41; author cheusov; state dead; branches; next 1.10; 1.10 date 2011.07.18.09.54.27; author drochner; state Exp; branches; next 1.9; 1.9 date 2011.07.12.16.30.28; author drochner; state Exp; branches; next 1.8; 1.8 date 2011.07.07.17.02.12; author drochner; state Exp; branches; next 1.7; 1.7 date 2010.12.26.19.16.16; author adam; state dead; branches; next 1.6; 1.6 date 2010.11.24.18.44.54; author drochner; state Exp; branches 1.6.2.1; next 1.5; 1.5 date 2009.11.23.12.01.58; author drochner; state dead; branches; next 1.4; 1.4 date 2009.05.02.19.44.51; author tnn; state Exp; branches 1.4.2.1; next 1.3; 1.3 date 2007.04.10.16.55.32; author drochner; state dead; branches; next 1.2; 1.2 date 2007.04.05.16.29.38; author drochner; state Exp; branches; next 1.1; 1.1 date 2006.06.06.07.51.29; author snj; state dead; branches 1.1.2.1; next ; 1.6.2.1 date 2010.11.24.18.44.54; author sbd; state dead; branches; next 1.6.2.2; 1.6.2.2 date 2010.12.19.03.47.00; author sbd; state 
Exp; branches; next ; 1.4.2.1 date 2009.05.02.19.44.51; author spz; state dead; branches; next 1.4.2.2; 1.4.2.2 date 2009.05.03.14.16.41; author spz; state Exp; branches; next ; 1.1.2.1 date 2006.06.06.07.51.29; author snj; state Exp; branches; next ; desc @@ 1.11 log @ Fixed: build failure on 5.99.55 Update to 2.4.6, No answer from maintainer. CHANGES BETWEEN 2.4.5 and 2.4.6 I. IMPORTANT BUG FIXES - For TrueType based fonts, the ascender and descender values were incorrect sometimes (off by a pixel if the ppem value was not a multiple of 5). Depending on the use you might now experience a different layout; the change should result in better, more consistent line spacing. - Fix CVE-2011-0226 which causes a vulnerability while handling Type 1 fonts. - BDF fonts containing glyphs with negative values for ENCODING were incorrectly rejected. This bug has been introduced in FreeType version 2.2.0. - David Bevan contributed a major revision of the FreeType stroker code: . The behaviour of FT_STROKER_LINEJOIN_BEVEL has been corrected. . A new line join style, FT_STROKER_LINEJOIN_MITER_FIXED, has been introduced to support PostScript and PDF miter joins. . FT_STROKER_LINEJOIN_MITER_VARIABLE has been introduced ches has been fixed. II. MISCELLANEOUS - SFNT bitmap fonts which contain an outline glyph for `.notdef' only no longer set the FT_FACE_FLAG_SCALABLE flag. CHANGES BETWEEN 2.4.4 and 2.4.5 I. IMPORTANT BUG FIXES - A rendering regression for second-order B#zier curves has been fixed, introduced in 2.4.3. II. IMPORTANT CHANGES - If autohinting is not explicitly disabled, FreeType now uses the autohinter if a TrueType based font doesn't contain native hints. - The load flag FT_LOAD_IGNORE_GLOBAL_ADVANCE_WIDTH has been made redundant and is simply ignored; this means that FreeType now ignores the global advance width value in TrueType fonts. III. MISCELLANEOUS - `FT_Sfnt_Table_Info' can now return the number of SFNT tables of a font. 
- Support for PCF files compressed with bzip2 has been contributed by Joel Klinghed. To make this work, the OS must provide a bzip2 library. - Bradley Grainger contributed project and solution files in Visual Studio 2010 format. - Again some fixes to better handle broken fonts. @ text @$NetBSD: patch-ac,v 1.10 2011/07/18 09:54:27 drochner Exp $ CVE-2011-0226 --- src/psaux/t1decode.c.orig 2010-11-23 18:28:53.000000000 +0000 +++ src/psaux/t1decode.c @@@@ -28,6 +28,8 @@@@ #include "psauxerr.h" +/* ensure proper sign extension */ +#define Fix2Int(f) ((FT_Int)(FT_Short)((f) >> 16)) /*************************************************************************/ /* */ @@@@ -662,7 +664,7 @@@@ if ( large_int ) FT_TRACE4(( " %ld", value )); else - FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) )); + FT_TRACE4(( " %ld", Fix2Int( value ) )); #endif *top++ = value; @@@@ -684,8 +686,8 @@@@ top -= 2; - subr_no = (FT_Int)( top[1] >> 16 ); - arg_cnt = (FT_Int)( top[0] >> 16 ); + subr_no = Fix2Int( top[1] ); + arg_cnt = Fix2Int( top[0] ); /***********************************************************/ /* */ @@@@ -698,6 +700,8 @@@@ /* for unhandled othersubrs the following pops adjust the */ /* stack pointer as necessary */ + if ( arg_cnt < 0 ) + goto Syntax_Error; if ( arg_cnt > top - decoder->stack ) goto Stack_Underflow; @@@@ -862,7 +866,7 @@@@ if ( arg_cnt != 1 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || idx + blend->num_designs > decoder->len_buildchar ) @@@@ -930,7 +934,7 @@@@ if ( arg_cnt != 2 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[1] >> 16 ); + idx = Fix2Int( top[1] ); if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) goto Unexpected_OtherSubr; @@@@ -951,7 +955,7 @@@@ if ( arg_cnt != 1 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) goto 
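Review bot: The comment on the new `Fix2Int` macro in the `@@ -28,6 +28,8 @@` hunk mentions sign extension only, but the `(FT_Short)` cast also narrows the integer part to 16 bits, so a stack value whose integer part lies outside the FT_Short range wraps instead of being rejected. Whether such a value can reach the call sites converted in the later hunks depends on operand handling that the hunks do not show. The later `idx < 0 || idx >= ...` tests still run on the narrowed value, so I would state the contract at the definition, for example `/* 16.16 -> int: keeps bits 16..31 and sign-extends; wider values are truncated, callers must still range-check */`.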
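Review bot: In the `@@ -662,7 +664,7 @@` hunk the trace call passes `Fix2Int( value )`, which the macro casts to FT_Int, to a `%ld` conversion; where long is wider than int that is a format/argument mismatch. It only affects builds with tracing compiled in (the call sits just before an `#endif`), but it is undefined behaviour there. Either change the conversion, `FT_TRACE4(( " %d", Fix2Int( value ) ));`, or keep `%ld` and pass `(long)Fix2Int( value )`. The enclosing function starts and ends outside the hunk.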
Unexpected_OtherSubr; @@@@ -1009,11 +1013,15 @@@@ break; default: - FT_ERROR(( "t1_decoder_parse_charstrings:" - " unknown othersubr [%d %d], wish me luck\n", - arg_cnt, subr_no )); - unknown_othersubr_result_cnt = arg_cnt; - break; + if ( subr_no >= 0 ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" + " unknown othersubr [%d %d], wish me luck\n", + arg_cnt, subr_no )); + unknown_othersubr_result_cnt = arg_cnt; + break; + } + /* FALLTHROUGH */ Unexpected_OtherSubr: FT_ERROR(( "t1_decoder_parse_charstrings:" @@@@ -1139,8 +1147,8 @@@@ top[0], top[1], top[2], - (FT_Int)( top[3] >> 16 ), - (FT_Int)( top[4] >> 16 ) ); + Fix2Int( top[3] ), + Fix2Int( top[4] ) ); case op_sbw: FT_TRACE4(( " sbw" )); @@@@ -1324,7 +1332,7 @@@@ FT_TRACE4(( " callsubr" )); - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs ) { FT_ERROR(( "t1_decoder_parse_charstrings:" @ 1.10 log @replace SA# in comment with a CVE reference @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.9 2011/07/12 16:30:28 drochner Exp $ @ 1.9 log @update to 2.4.5 changes: -fixed rendering regression for second-order Bezier curves -FreeType now uses the autohinter per default -Support for PCF files compressed with bzip2 -misc fixes and improvements pkgsrc change: clean up patch-ac (which fixes SA45167): put sign extension stuff into a macro and move checks to make it closer to the upstream fix @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 SA45167 @ 1.8 log @avoid sign extension on right shift (there are more occurences, but they are followed by checks for result<0) bump PKGREV @ text @d3 1 a3 1 avoid sign extension d7 10 a16 1 @@@@ -662,7 +662,7 @@@@ d21 1 a21 1 + FT_TRACE4(( " %ld", (FT_Int32)( (FT_UInt32)value >> 16 ) )); d25 1 a25 1 @@@@ -684,8 +684,8 @@@@ d31 2 a32 2 + subr_no = (FT_Int)( (FT_ULong)top[1] >> 16 ); + arg_cnt = (FT_Int)( (FT_ULong)top[0] >> 16 ); d36 77 @ 1.7 log @Changes 2.4.4: I. 
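Review bot: In the `default:` case of the `@@ -1009,11 +1013,15 @@` hunk an unknown othersubr with `subr_no >= 0` is still only logged and then accepted with `unknown_othersubr_result_cnt = arg_cnt`, and nothing at that spot says why `arg_cnt` is safe to use. The bound appears to come from the `arg_cnt < 0` and `arg_cnt > top - decoder->stack` tests in the `@@ -698,6 +700,8 @@` hunk, assuming both belong to the same callothersubr handling, which the hunks do not show in full. A comment such as `/* arg_cnt was checked above to lie in [0, top - decoder->stack] */` before the assignment would keep that dependency visible. The negative `subr_no` path relies on `Unexpected_OtherSubr:` staying directly below the `/* FALLTHROUGH */` marker; an explicit `goto Unexpected_OtherSubr;` would survive a later reordering of the cases.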
IMPORTANT BUG FIXES - UVS support (TrueType/OpenType cmap format 14) support is fixed. This regression has been introduced in version 2.4.0. II. MISCELLANEOUS - Detect tricky fonts (e.g. MingLiU) by the lengths and checksums of Type42-persistent subtables (`cvt ', `fpgm', and `prep') when a TrueType font without family name is given. The previous fix, introduced in 2.4.3, was too rigorous, causing many subsetted fonts (mainly from PDF files) displayed badly because FreeType forced rendering with the TrueType bytecode engine instead of the autohinter. - Better support for 64bit platforms. - More fixes to improve handling of broken fonts. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.6 2010/11/24 18:44:54 drochner Exp $ d3 1 a3 1 CVE-2010-3814 d5 9 a13 18 --- src/truetype/ttinterp.c.orig 2010-10-01 06:08:19.000000000 +0000 +++ src/truetype/ttinterp.c @@@@ -5795,7 +5795,16 @@@@ if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) + { last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); + + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) + { + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + return; + } + } else last_point = 0; d15 12 @ 1.6 log @add patch from upstream CVS to fix handling the "SHZ" bytecode instruction which could be exploited to cause a crash and potentially execute arbitrary code via a specially crafted font (CVE-2010-3814) bump PKGREV being here, add CVE reference to an older patch @ text @d1 1 a1 1 $NetBSD$ @ 1.6.2.1 log @file patch-ac was added on branch pkgsrc-2010Q3 on 2010-12-19 03:47:00 +0000 @ text @d1 23 @ 1.6.2.2 log @Pullup ticket #3308 - requested by drochner security updates for freetype2 Revisions pulled up: - pkgsrc/graphics/freetype2/Makefile 1.75-1.77 - pkgsrc/graphics/freetype2/distinfo 1.37-1.39 Files added: - pkgsrc/graphics/freetype2/patches/patch-ab 1.14, 1.15 - 
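Review bot: The bounds test added in the ttinterp.c hunk carries no comment saying what it protects, and when `CUR.pedantic_hinting` is off it returns without recording anything. The patch header ties it to CVE-2010-3814, so the value read from `CUR.zp2.contours[CUR.zp2.n_contours - 1]` is presumably font-controlled and may exceed `CUR.zp2.n_points`. I would add `/* the last contour end-point must index an existing point in zp2 */` above the `BOUNDS` test, so the reason for the early return stays with the code. The same hunk is repeated in the 1.6.2.2 text further down, and the function body lies outside the hunk.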
pkgsrc/graphics/freetype2/patches/patch-ac 1.6 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Fri Oct 22 16:14:13 UTC 2010 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo Log Message: update to 2.4.3 changes: A rendering regression of S-shaped cubic arcs (introduced in version 2.4.0) has been fixed. Besides that, a bunch of fixes have been applied to improve handling of broken fonts. To generate a diff of this commit: cvs rdiff -u -r1.74 -r1.75 pkgsrc/graphics/freetype2/Makefile cvs rdiff -u -r1.36 -r1.37 pkgsrc/graphics/freetype2/distinfo ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Wed Nov 3 11:56:37 UTC 2010 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo Added Files: pkgsrc/graphics/freetype2/patches: patch-ab Log Message: add patch from upstream CVS to fix a possible buffer overflow when processing TrueType GX fonts (SA41738), bump PKGREVISION To generate a diff of this commit: cvs rdiff -u -r1.75 -r1.76 pkgsrc/graphics/freetype2/Makefile cvs rdiff -u -r1.37 -r1.38 pkgsrc/graphics/freetype2/distinfo cvs rdiff -u -r0 -r1.14 pkgsrc/graphics/freetype2/patches/patch-ab ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Wed Nov 24 18:44:55 UTC 2010 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo pkgsrc/graphics/freetype2/patches: patch-ab Added Files: pkgsrc/graphics/freetype2/patches: patch-ac Log Message: add patch from upstream CVS to fix handling the "SHZ" bytecode instruction which could be exploited to cause a crash and potentially execute arbitrary code via a specially crafted font (CVE-2010-3814) bump PKGREV being here, add CVE reference to an older patch To generate a diff of this commit: cvs rdiff -u -r1.76 -r1.77 pkgsrc/graphics/freetype2/Makefile cvs rdiff -u -r1.38 -r1.39 
pkgsrc/graphics/freetype2/distinfo cvs rdiff -u -r1.14 -r1.15 pkgsrc/graphics/freetype2/patches/patch-ab cvs rdiff -u -r0 -r1.6 pkgsrc/graphics/freetype2/patches/patch-ac @ text @a0 23 $NetBSD: patch-ac,v 1.6 2010/11/24 18:44:54 drochner Exp $ CVE-2010-3814 --- src/truetype/ttinterp.c.orig 2010-10-01 06:08:19.000000000 +0000 +++ src/truetype/ttinterp.c @@@@ -5795,7 +5795,16 @@@@ if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) + { last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); + + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) + { + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + return; + } + } else last_point = 0; @ 1.5 log @update to 2.3.11 This is a bugfix release for the 2.3 series, which brings considerable improvements for b/w rasterizing of hinted TrueType fonts at small sizes. All users should upgrade. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.4 2009/05/02 19:44:51 tnn Exp $ d3 1 a3 1 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596 d5 18 a22 5 
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c index fc78315..c0483de 100644 --- src/lzw/ftzopen.c +++ src/lzw/ftzopen.c @@@@ -332,6 +332,9 @@@@ a23 10 while ( code >= 256U ) { + if ( !state->prefix ) + goto Eof; + FTLZW_STACK_PUSH( state->suffix[code - 256] ); code = state->prefix[code - 256]; } -- cgit v0.8.2.1 @ 1.4 log @patch-[a-d]: Upstream patches for CVE-2009-0946. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.4.2.1 log @file patch-ac was added on branch pkgsrc-2009Q1 on 2009-05-03 14:16:41 +0000 @ text @d1 20 @ 1.4.2.2 log @Pullup ticket 2755 and 2758 - requested by tnn Security fix Revisions pulled up: - pkgsrc/graphics/freetype2/Makefile 1.69 - pkgsrc/graphics/freetype2/distinfo 1.31 - pkgsrc/graphics/freetype2/patches/patch-aa 1.17 - pkgsrc/graphics/freetype2/patches/patch-ab 1.12 - pkgsrc/graphics/freetype2/patches/patch-ac 1.4 - pkgsrc/graphics/freetype2/patches/patch-ad 1.2 Module Name: pkgsrc Committed By: drochner Date: Thu Apr 16 20:26:26 UTC 2009 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo Removed Files: pkgsrc/graphics/freetype2/patches: patch-aa Log Message: update to 2.3.9 changes: -important bugfixes -improved CID support There was an ABI breakage between 2.3.7 and 2.3.8 which was reverted in 2.3.9. The public 'PS_FontInfoRec' structure was expanded and then shrunk. Applications compiled against 2.3.8 should work fine with 2.3.9. Applications compiled against the new 2.3.9 can theoretically exhibit problems if run against a 2.3.8 binary, if some PS_FontInfo stuff is used. See the freetype release notes for details. I didn't find any suspects for now. If one is found, it should be changed to require 2.3.9, and PKGREV bumped. To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 pkgsrc/graphics/freetype2/Makefile cvs rdiff -u -r1.29 -r1.30 pkgsrc/graphics/freetype2/distinfo cvs rdiff -u -r1.15 -r0 pkgsrc/graphics/freetype2/patches/patch-aa Date: Sat, 2 May 2009 19:44:51 +0000 
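Review bot: The guard added in the ftzopen.c hunk tests `state->prefix` only, yet the first access in the loop body is `state->suffix[code - 256]`, and nothing visible bounds `code - 256` against the size of either table. If suffix shares prefix's allocation and the index is validated before the loop (both outside the hunk), the code is fine, but that invariant should be written down, e.g. `/* prefix == NULL: no string table yet, so any code >= 256 is a corrupt stream */`. As far as the hunk shows, the test does not change between iterations, so it could sit once before the `while`. The same hunk is repeated in the 1.4.2.2 text.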
From: Tobias Nygren To: pkgsrc-changes@@NetBSD.org Subject: CVS commit: pkgsrc/graphics/freetype2 Module Name: pkgsrc Committed By: tnn Date: Sat May 2 19:44:51 UTC 2009 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo Added Files: pkgsrc/graphics/freetype2/patches: patch-aa patch-ab patch-ac patch-ad Log Message: patch-[a-d]: Upstream patches for CVE-2009-0946. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.69 pkgsrc/graphics/freetype2/Makefile cvs rdiff -u -r1.30 -r1.31 pkgsrc/graphics/freetype2/distinfo cvs rdiff -u -r0 -r1.17 pkgsrc/graphics/freetype2/patches/patch-aa cvs rdiff -u -r0 -r1.12 pkgsrc/graphics/freetype2/patches/patch-ab cvs rdiff -u -r0 -r1.4 pkgsrc/graphics/freetype2/patches/patch-ac cvs rdiff -u -r0 -r1.2 pkgsrc/graphics/freetype2/patches/patch-ad @ text @a0 20 $NetBSD: patch-ac,v 1.4 2009/05/02 19:44:51 tnn Exp $ http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596 
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c index fc78315..c0483de 100644 --- src/lzw/ftzopen.c +++ src/lzw/ftzopen.c @@@@ -332,6 +332,9 @@@@ while ( code >= 256U ) { + if ( !state->prefix ) + goto Eof; + FTLZW_STACK_PUSH( state->suffix[code - 256] ); code = state->prefix[code - 256]; } -- cgit v0.8.2.1 @ 1.3 log @update to 2.3.4 changes: -includes security fixes for bdf font handling (was patched in pkgsrc) -fixes for truetype butecode interpreter @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.2 2007/04/05 16:29:38 drochner Exp $ d3 12 a14 34 --- src/bdf/bdflib.c.orig 2007-02-12 22:29:20.000000000 +0100 +++ src/bdf/bdflib.c @@@@ -385,8 +385,10 @@@@ } _bdf_parse_t; -#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) -#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) +#define setsbit( m, cc ) \ + ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) +#define sbitset( m, cc ) \ + ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) static void @@@@ -1130,7 +1132,7 @@@@ bdf_options_t* opts ) { unsigned long len; - char name[128]; + char name[256]; _bdf_list_t list; FT_Memory memory; FT_Error error = BDF_Err_Ok; @@@@ -1149,6 +1151,13 @@@@ font->spacing = opts->font_spacing; len = (unsigned long)( ft_strlen( font->name ) + 1 ); + /* Limit ourselves to 256 characters in the font name. */ + if ( len >= 256 ) + { + error = BDF_Err_Invalid_Argument; + goto Exit; + } d16 5 a20 18 FT_MEM_COPY( name, font->name, len ); error = _bdf_list_split( &list, (char *)"-", name, len ); @@@@ -1467,6 +1476,14 @@@@ if ( p->cnt == 0 ) font->glyphs_size = 64; + /* Limit ourselves to 1,114,112 glyphs in the font (this is the */ + /* number of code points available in Unicode). */ + if ( p->cnt >= 1114112UL ) + { + error = BDF_Err_Invalid_Argument; + goto Exit; + } + if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) ) goto Exit; @ 1.2 log @pull in a patch from freetype CVS: * src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128 gracefully. 
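Review bot: In the `@@ -1149,6 +1151,13 @@` bdflib.c hunk the length limit is the literal 256, repeated from the `char name[256]` declaration changed in the previous hunk, so the check and the buffer can drift apart if only one is edited later. Tying the test to the buffer, `if ( len >= sizeof ( name ) )`, keeps the `FT_MEM_COPY( name, font->name, len )` that follows bounded by construction. `len` already includes the terminating NUL, so the current test also rejects a name that would exactly fill the buffer; that errs on the safe side and only deserves a word in the comment. The function body starts and ends outside the hunk.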
(_bdf_set_default_spacing): Increase `name' buffer size to 256 and issue an error for longer names. (_bdf_parse_glyphs): Limit allowed number of glyphs in font to the number of code points in Unicode. This fixes CVE-2007-1351. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @file patch-ac was initially added on branch pkgsrc-2006Q1. @ text @d1 55 @ 1.1.2.1 log @Pullup ticket 1686 - requested by salo security fix for freetype2 Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747, CVE-2006-1861, and CVE-2006-2661. @ text @a0 28 $NetBSD$ --- src/base/ftmac.c.orig 2004-08-28 10:02:46.000000000 +0200 +++ src/base/ftmac.c 2006-06-05 23:17:29.000000000 +0200 @@@@ -430,6 +430,7 @@@@ short res_id; unsigned char *buffer, *p, *size_p = NULL; FT_ULong total_size = 0; + FT_ULong old_total_size = 0; FT_ULong post_size, pfb_chunk_size; Handle post_data; char code, last_code; @@@@ -462,6 +463,15 @@@@ last_code = code; } + /* detect integer overflows */ + if ( total_size < old_total_size ) + { + error = FT_Err_Array_Too_Large; + goto Error; + } + + old_total_size = total_size; + if ( FT_ALLOC( buffer, (FT_Long)total_size ) ) goto Error; @
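Review bot: The wrap test `total_size < old_total_size` in the `@@ -462,6 +463,15 @@` ftmac.c hunk looks unreachable as placed. `old_total_size` is initialised to 0 in the first hunk and assigned only after the test, and the added lines follow a closing brace. If that brace ends the loop that accumulates the chunk sizes (the loop itself is outside the hunk), an FT_ULong total can never be below 0; moving the test and the `old_total_size = total_size;` update inside the loop, after each addition, would make it effective. Separately, `(FT_Long)total_size` turns a total above the signed range into a negative size that the wrap test does not cover; `if ( total_size < old_total_size || (FT_Long)total_size < 0 )` would reject that case too.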