$OpenBSD: patch-pango_glyphstring_c,v 1.1 2009/05/11 12:43:21 jasper Exp $

Security fix for CVE-2009-1194, "Pango integer overflow in heap allocation
	size calculations"
Patch from upstream git, commit id: 4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e

--- pango/glyphstring.c.orig	Tue Dec 16 07:14:00 2008
+++ pango/glyphstring.c	Mon May 11 14:31:25 2009
@@ -61,14 +61,28 @@ pango_glyph_string_set_size (PangoGlyphString *string,
   while (new_len > string->space)
     {
       if (string->space == 0)
-	string->space = 1;
+	{
+	  string->space = 4;
+	}
       else
-	string->space *= 2;
-
-      if (string->space < 0)
 	{
-	  g_warning ("glyph string length overflows maximum integer size, truncated");
-	  new_len = string->space = G_MAXINT - 8;
+	  const guint max_space =
+	    MIN (G_MAXINT, G_MAXSIZE / MAX (sizeof(PangoGlyphInfo), sizeof(gint)));
+
+	  guint more_space = (guint)string->space * 2;
+
+	  if (more_space > max_space)
+	    {
+	      more_space = max_space;
+
+	      if ((guint)new_len > max_space)
+		{
+		  g_error ("%s: failed to allocate glyph string of length %i\n",
+			   G_STRLOC, new_len);
+		}
+	    }
+
+	  string->space = more_space;
 	}
     }
 
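Review bot: The `g_error (...)` call in the `(guint)new_len > max_space` branch ends the process instead of reporting a failure, because g_error logs at the fatal level and aborts; a request for an over-long glyph string that was previously truncated with a warning is now a crash the caller cannot handle. That is a sound trade for memory safety, but it should be stated where it happens, for example `/* g_error() aborts: an unrepresentable length is treated like allocation failure */` above the call, and applications that lay out untrusted text should bound its length before it reaches this function. The clamp also only protects the allocation if the resize code after the loop, which is outside this hunk, multiplies `string->space` by no element size larger than the two named in `max_space`; a one-line comment on `max_space` saying so would keep the two in step. The trailing `\n` in the format string is redundant, since GLib's log functions append a newline themselves.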
