File CVE-2012-1128.patch of Package freetype2
---
src/truetype/ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
Index: freetype-2.4.4/src/truetype/ttinterp.c
===================================================================
--- freetype-2.4.4.orig/src/truetype/ttinterp.c
+++ freetype-2.4.4/src/truetype/ttinterp.c
@@ -5780,7 +5780,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5797,24 +5797,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
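Review bot: The `gep2 == 1` branch now derives `limit` from `CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1` without comparing it to `CUR.zp2.n_points`, so the `MOVE_Zp2_Point( i, dx, dy, FALSE )` loop relies entirely on the contour end points having been validated before the interpreter runs. That validation is not visible in this hunk; if it is not guaranteed for every zone the interpreter can select, a malformed font could make the loop write past the point arrays. Either keep a cheap guard after the branch, `if ( limit > CUR.zp2.n_points ) limit = (FT_UShort)CUR.zp2.n_points;`, or add a comment naming where the invariant is enforced. The enclosing function starts and ends outside the hunk.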