From 9318df0cad2b85ddc3509191e83a9927252dc7c8 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 11 Mar 2009 10:20:51 +0000
Subject: [PATCH] Fix Savannah bug #25597.

* src/cff/cffparse.c (cff_parse_real): Don't allow fraction_length
to become larger than 9.
---
 ChangeLog          | 7 +++++++
 src/cff/cffparse.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 56b2b2f0d..08b4a3c7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-03-11  Bram Tassyns  <bramt@enfocus.be>
+
+	Fix Savannah bug #25597.
+
+	* src/cff/cffparse.c (cff_parse_real): Don't allow fraction_length
+	to become larger than 9.
+
 2009-03-11  Werner Lemberg  <wl@gnu.org>
 
 	Fix Savannah bug #25814.
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 524d80cf8..290595f9e 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    CFF token stream parser (body)                                       */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2007, 2008 by                   */
+/*  Copyright 1996-2001, 2002, 2003, 2004, 2007, 2008, 2009 by             */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -244,7 +244,7 @@
         if ( !nib && !number )
           exponent_add--;
         /* Only add digit if we don't overflow. */
-        else if ( number < 0xCCCCCCCL )
+        else if ( number < 0xCCCCCCCL && fraction_length < 9 )
         {
           fraction_length++;
           number = number * 10 + nib;