From 39a61bc423ced0147f16b6197a8944f32377ce2c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 31 Dec 2011 20:20:35 +0100
Subject: [PATCH] Add some overflow checks.

---
 src/taglyf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/taglyf.c b/src/taglyf.c
index 008b099..fc55702 100644
--- a/src/taglyf.c
+++ b/src/taglyf.c
@@ -304,6 +304,9 @@ TA_iterate_composite_glyph(glyf_Data* data,
 
   /* save current state */
 
+  if (*num_pointsums == 0xFFFF)
+    return FT_Err_Invalid_Table;
+
   (*num_pointsums)++;
   pointsums_new = (FT_UShort*)realloc(*pointsums,
                                       *num_pointsums
@@ -344,6 +347,11 @@ TA_iterate_composite_glyph(glyf_Data* data,
     }
     else
     {
+      /* no need for checking overflow of the number of contours */
+      /* since the number of points is always larger or equal */
+      if (*num_composite_points > 0xFFFF - glyph->num_points)
+        return FT_Err_Invalid_Table;
+
       *num_composite_contours += glyph->num_contours;
       *num_composite_points += glyph->num_points;
     }
-- 
2.11.4.GIT