From 28464c48a1ef77762a60abaa59432d9a64f58133 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 18 Feb 2008 20:34:42 +0000
Subject: [PATCH] * src/truetype/ttinterp.c (Ins_IUP): Check number of points. 
 Fix from Savannah bug #22356.

---
 ChangeLog               | 5 +++++
 src/truetype/ttinterp.c | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 7cc20729f..669feb91c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-02-18  Victor Stinner  <victor.stinner@haypocalc.com>
+
+	* src/truetype/ttinterp.c (Ins_IUP): Check number of points.  Fix
+	from Savannah bug #22356.
+
 2008-02-17  Jonathan Blow  <jon@number-none.com>
 
 	* src/autofit/afloader.c (af_loader_load_g, af_loader_load_glyph):
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 85c8529ac..84b65c703 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    TrueType bytecode interpreter (body).                                */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by             */
+/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by       */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -6434,6 +6434,9 @@
       end_point   = CUR.pts.contours[contour] - CUR.pts.first_point;
       first_point = point;
 
+      if ( CUR.pts.n_points <= end_point )
+        end_point = CUR.pts.n_points;
+
       while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )
         point++;