$NetBSD: patch-ac,v 1.6.2.2 2010/12/19 03:47:00 sbd Exp $

CVE-2010-3814

--- src/truetype/ttinterp.c.orig	2010-10-01 06:08:19.000000000 +0000
+++ src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;
 
