+++ This bug was initially created as a clone of Bug #190593 +++
Several integer overflow bugs in freetype have been fixed in CVS. The details
The descriptions are the CVS commit messages. That patch for each particular
comment is keyed off its # identifier.
* Integer overflow
* src/bdf/bdflib.c (ERRMSG4): New macro.
(_bdf_parse_glyphs): Handle invalid BBX values.
* include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
* src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
* src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
* src/cff/cffgload.c (cff_slot_load): Change type of third parameter
Check range of `glyph_index'.
* src/cff/cffgload.h: Updated.
* src/bdf/bdflib.c: fixed a problem with large encodings.
Again, this patch comes from Debian libfreetype6 for 2.1.10!
See the parent bug for more information.
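The ChangeLog entries above name three kinds of check (reject BBX values that do not fit, validate a cmap subtable offset before using it, and bound a CFF glyph/CID lookup by the charset's largest CID) without showing them. The block below is an added illustration of that pattern in generic C; it is not FreeType's code, and the field names, the `BBX_MAX_DIM` limit, the `charset_t` layout and the `sample_sids` table are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed limit on BDF BBX width/height and offsets: this toy model keeps
 * them in 16-bit fields, so anything larger is the "BBX too big" case. */
#define BBX_MAX_DIM 0x7FFF

/* Parse one "BBX w h xoff yoff" line and reject values that do not fit.
 * Returns 1 (and, if requested, the row-padded bitmap byte count) when the
 * line is acceptable, 0 when it is malformed or a value is out of range. */
int bbx_line_is_valid(const char *line, uint32_t *bitmap_bytes)
{
    long w, h, xoff, yoff;
    uint64_t bytes;

    if (sscanf(line, "BBX %ld %ld %ld %ld", &w, &h, &xoff, &yoff) != 4)
        return 0;
    if (w < 0 || h < 0 || w > BBX_MAX_DIM || h > BBX_MAX_DIM)
        return 0;
    if (xoff < -BBX_MAX_DIM - 1 || xoff > BBX_MAX_DIM ||
        yoff < -BBX_MAX_DIM - 1 || yoff > BBX_MAX_DIM)
        return 0;
    /* Multiply only after capping, and in 64 bits: with the caps above the
     * product always fits in 32 bits, so the later allocation cannot wrap. */
    bytes = (((uint64_t)w + 7) / 8) * (uint64_t)h;
    if (bitmap_bytes)
        *bitmap_bytes = (uint32_t)bytes;
    return 1;
}

/* Is a cmap subtable at `offset` needing at least `min_len` bytes inside a
 * table of `table_len` bytes?  Written as a subtraction so that an offset
 * close to 2^32 cannot wrap the comparison. */
int cmap_subtable_in_range(uint32_t table_len, uint32_t offset, uint32_t min_len)
{
    if (min_len > table_len)
        return 0;
    return offset <= table_len - min_len;
}

/* The naive form of the same test, kept only to show the wrap: the uint32
 * addition overflows for large offsets and the check passes. */
int cmap_subtable_in_range_naive(uint32_t table_len, uint32_t offset, uint32_t min_len)
{
    return offset + min_len <= table_len;
}

/* Toy CFF charset: sids[] maps glyph index -> CID, max_cid is the largest
 * CID present, cids[] is the reverse table with max_cid + 1 entries
 * (unmapped CIDs resolve to glyph 0). */
typedef struct {
    const uint16_t *sids;
    uint32_t        num_glyphs;
    uint16_t        max_cid;
    uint16_t       *cids;
} charset_t;

int charset_init(charset_t *cs, const uint16_t *sids, uint32_t num_glyphs)
{
    uint32_t i;

    cs->sids = sids;
    cs->num_glyphs = num_glyphs;
    cs->max_cid = 0;
    for (i = 0; i < num_glyphs; i++)
        if (sids[i] > cs->max_cid)
            cs->max_cid = sids[i];
    cs->cids = calloc((size_t)cs->max_cid + 1, sizeof *cs->cids);
    if (!cs->cids)
        return 0;
    for (i = 0; i < num_glyphs; i++)
        cs->cids[sids[i]] = (uint16_t)i;   /* in range by construction */
    return 1;
}

void charset_free(charset_t *cs)
{
    free(cs->cids);
    cs->cids = NULL;
}

/* Reverse lookup guarded by max_cid: an attacker-chosen CID past the end
 * of cids[] is refused instead of being used as an index. */
int charset_cid_to_gid(const charset_t *cs, uint32_t cid, uint32_t *gid)
{
    if (cid > cs->max_cid)
        return 0;
    *gid = cs->cids[cid];
    return 1;
}

/* Forward check: a glyph index must be below the glyph count before sids[]
 * (or any per-glyph table) is indexed with it. */
int glyph_index_in_range(const charset_t *cs, uint32_t glyph_index)
{
    return glyph_index < cs->num_glyphs;
}

/* Constructed sample charset for the example: glyph 3 is CID 300. */
static const uint16_t sample_sids[] = { 0, 34, 35, 300, 7 };

int main(void)
{
    charset_t cs;
    uint32_t gid = 0;

    printf("BBX 40000 1 0 0 accepted: %d\n", bbx_line_is_valid("BBX 40000 1 0 0", NULL));
    printf("offset 0xFFFFFFF8 safe=%d naive=%d\n",
           cmap_subtable_in_range(1000, 0xFFFFFFF8u, 16),
           cmap_subtable_in_range_naive(1000, 0xFFFFFFF8u, 16));
    if (charset_init(&cs, sample_sids, 5)) {
        printf("cid 301 accepted: %d\n", charset_cid_to_gid(&cs, 301, &gid));
        charset_free(&cs);
    }
    return 0;
}
```

The two cmap variants differ only in where the arithmetic happens: `offset + min_len` can wrap, `table_len - min_len` cannot once `min_len <= table_len` has been established, which is why bounds checks on untrusted file offsets are written against the limit rather than against the sum.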
This issue also affects FC4.
All these bugs are fixed in the FreeType 2.2.1 release.