From 8f535a6dba05ae9902eaf3f731cc51f21dc92616 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 7 May 2011 09:44:12 +0200
Subject: [PATCH] Buffer lengths must be a multiple of four.

---
 src/tabytecode.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/tabytecode.c b/src/tabytecode.c
index 8b2aa6c..ef4407d 100644
--- a/src/tabytecode.c
+++ b/src/tabytecode.c
@@ -66,6 +66,7 @@ TA_table_build_cvt(FT_Byte** cvt,
 
   FT_UInt i;
   FT_UInt buf_len;
+  FT_UInt len;
   FT_Byte* buf;
   FT_Byte* buf_p;
 
@@ -82,10 +83,18 @@ TA_table_build_cvt(FT_Byte** cvt,
 
   buf_len = 2 * (haxis->width_count + vaxis->width_count
                  + 2 * vaxis->blue_count);
-  buf = (FT_Byte*)malloc(buf_len);
+
+  /* buffer length must be a multiple of four */
+  len = (buf_len + 3) & ~3;
+  buf = (FT_Byte*)malloc(len);
   if (!buf)
     return FT_Err_Out_Of_Memory;
 
+  /* pad end of buffer with zeros */
+  buf[len - 1] = 0x00;
+  buf[len - 2] = 0x00;
+  buf[len - 3] = 0x00;
+
   buf_p = buf;
 
   /* XXX emit standard_width also? */
@@ -547,6 +556,7 @@ TA_table_build_fpgm(FT_Byte** fpgm,
                     FONT* font)
 {
   FT_UInt buf_len;
+  FT_UInt len;
   FT_Byte* buf;
   FT_Byte* buf_p;
 
@@ -559,10 +569,17 @@ TA_table_build_fpgm(FT_Byte** fpgm,
             + sizeof (fpgm_1)
             + sizeof (fpgm_2)
             + sizeof (fpgm_A);
-  buf = (FT_Byte*)malloc(buf_len);
+  /* buffer length must be a multiple of four */
+  len = (buf_len + 3) & ~3;
+  buf = (FT_Byte*)malloc(len);
   if (!buf)
     return FT_Err_Out_Of_Memory;
 
+  /* pad end of buffer with zeros */
+  buf[len - 1] = 0x00;
+  buf[len - 2] = 0x00;
+  buf[len - 3] = 0x00;
+
   /* copy font program into buffer and fill in the missing variables */
   buf_p = buf;
 
@@ -764,6 +781,7 @@ TA_table_build_prep(FT_Byte** prep,
   FT_UInt i;
 
   FT_UInt buf_len;
+  FT_UInt len;
   FT_Byte* buf;
   FT_Byte* buf_p;
 
@@ -797,10 +815,17 @@ TA_table_build_prep(FT_Byte** prep,
                + sizeof (prep_g);
   }
 
-  buf = (FT_Byte*)malloc(buf_len);
+  /* buffer length must be a multiple of four */
+  len = (buf_len + 3) & ~3;
+  buf = (FT_Byte*)malloc(len);
   if (!buf)
     return FT_Err_Out_Of_Memory;
 
+  /* pad end of buffer with zeros */
+  buf[len - 1] = 0x00;
+  buf[len - 2] = 0x00;
+  buf[len - 3] = 0x00;
+
   /* copy cvt program into buffer and fill in the missing variables */
   buf_p = buf;
 
-- 
2.11.4.GIT