+++ This bug was initially created as a clone of Bug #190593 +++

Several integer overflow bugs in freetype have been fixed in CVS. The details are below. The descriptions are the CVS commit messages. The patch for each particular comment is keyed off its # identifier.

* Integer overflow

#2
* src/bdf/bdflib.c (ERRMSG4): New macro.
  (_bdf_parse_glyphs): Handle invalid BBX values.
* include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error macro.

#3
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset correctly.

#4
* src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
* src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
* src/cff/cffgload.c (cff_slot_load): Change type of third parameter to `FT_UInt'. Check range of `glyph_index'.
* src/cff/cffgload.h: Updated.

#6
* src/bdf/bdflib.c: fixed a problem with large encodings.

Again, this patch comes from Debian libfreetype6 for 2.1.10 ! See the parent bug for more information.

This issue also affects FC4
All these bugs are fixed in the FreeType 2.2.1 release.
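The commit messages above describe two kinds of hardening: rejecting out-of-range BBX values in the BDF parser (#2) and range-checking an unsigned `glyph_index` against the charset in the CFF loader (#4). The following is an added, illustrative C example written for this record; it is not FreeType's code, and the `charset_t` struct, `glyph_index_in_range`, `cid_in_range` and `bbx_bitmap_size` functions and the `max_dim` limit are assumptions chosen to show the pattern, not the actual fix.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical charset record, standing in for the idea of CFF_CharsetRec
   with a `max_cid' member. Not FreeType's definition. */
typedef struct {
    const uint16_t *sids;       /* glyph index -> SID table (constructed) */
    unsigned int    num_glyphs; /* number of entries in `sids' */
    unsigned int    max_cid;    /* largest CID the charset maps */
} charset_t;

/* Constructed sample table: three glyphs. */
static const uint16_t sample_sids[3] = { 0, 1, 2 };

charset_t make_sample_charset(void)
{
    charset_t cs = { sample_sids, 3, 2 };
    return cs;
}

/* Taking the index as an unsigned value removes the negative case entirely
   (the point of changing the parameter type to FT_UInt); the remaining check
   is a single upper bound against the table size. */
int glyph_index_in_range(const charset_t *cs, unsigned int glyph_index)
{
    if (cs == NULL || cs->sids == NULL)
        return 0;
    return glyph_index < cs->num_glyphs;
}

/* Same idea for a CID lookup: reject anything above the recorded maximum. */
int cid_in_range(const charset_t *cs, unsigned int cid)
{
    if (cs == NULL)
        return 0;
    return cid <= cs->max_cid;
}

/* Validate BDF BBX width/height and compute the bitmap byte size without
   overflow. Returns 0 and stores the size on success; returns -1 when a value
   is negative, exceeds max_dim (an assumed sanity limit), or the
   pitch * height product would not fit in size_t. */
int bbx_bitmap_size(long width, long height, unsigned long max_dim, size_t *out)
{
    if (out == NULL || width < 0 || height < 0)
        return -1;
    if ((unsigned long)width > max_dim || (unsigned long)height > max_dim)
        return -1;

    /* One bit per pixel, rows padded to a byte boundary. */
    unsigned long pitch = ((unsigned long)width + 7UL) / 8UL;

    /* Multiplication guard: check before multiplying, never after. */
    if (height != 0 && pitch > SIZE_MAX / (unsigned long)height)
        return -1;

    *out = (size_t)pitch * (size_t)height;
    return 0;
}

int main(void)
{
    charset_t cs = make_sample_charset();
    size_t n = 0;

    printf("glyph 2 ok: %d, glyph 3 ok: %d\n",
           glyph_index_in_range(&cs, 2), glyph_index_in_range(&cs, 3));
    printf("bbx 16x4: rc=%d size=%zu\n", bbx_bitmap_size(16, 4, 4096, &n), n);
    printf("bbx LONG_MAX x 2: rc=%d\n", bbx_bitmap_size(LONG_MAX, 2, 4096, &n));
    return 0;
}
```

The two checks are deliberately placed before any allocation or table access: the BBX guard rejects the values before the size is computed, and the glyph-index guard is a plain `<` against the table length on an unsigned value, so there is no signed/unsigned conversion to reason about.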