Sam Edwards : gdi32: Prevent possible buffer overflows in get_glyph_outline .

[Alexandre Julliard]

Module: wine
Branch: master
Commit: 147765a505fff264e7efc4666133d6772e737f8e
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=147765a505fff264e7efc4666133d6772e737f8e

Author: Sam Edwards <CFSworks at gmail.com>
Date:   Thu Apr 18 13:57:41 2013 -0600

gdi32: Prevent possible buffer overflows in get_glyph_outline.

---

 dlls/gdi32/freetype.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dlls/gdi32/freetype.c b/dlls/gdi32/freetype.c
index 96c94e4..fec752a 100644
--- a/dlls/gdi32/freetype.c
+++ b/dlls/gdi32/freetype.c
@@ -6148,8 +6148,8 @@ static DWORD get_glyph_outline(GdiFont *incoming_font, UINT glyph, UINT format,
 	case ft_glyph_format_bitmap:
 	  {
 	    BYTE *src = ft_face->glyph->bitmap.buffer, *dst = buf;
-	    INT w = (ft_face->glyph->bitmap.width + 7) >> 3;
-	    INT h = ft_face->glyph->bitmap.rows;
+	    INT w = min( pitch, (ft_face->glyph->bitmap.width + 7) >> 3 );
+	    INT h = min( height, ft_face->glyph->bitmap.rows );
 	    while(h--) {
 	        memcpy(dst, src, w);
 		src += ft_face->glyph->bitmap.pitch;
@@ -6202,7 +6202,7 @@ static DWORD get_glyph_outline(GdiFont *incoming_font, UINT glyph, UINT format,
 	case ft_glyph_format_bitmap:
 	  {
             BYTE *src = ft_face->glyph->bitmap.buffer, *dst = buf;
-            INT h = ft_face->glyph->bitmap.rows;
+            INT h = min( height, ft_face->glyph->bitmap.rows );
             INT x;
             memset( buf, 0, needed );
             while(h--) {