ref: 0edf0986f3be570f5bf90ff245a85c1675f5c9a4
parent: 94d540ef7753749700eda06cff6be954cdd5ab6e
author: Werner Lemberg <[email protected]>
date: Wed Oct 6 07:52:27 EDT 2010
[truetype] Improve error handling of `SHZ' bytecode instruction. Problem reported by Chris Evans <[email protected]>. * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-10-06 Werner Lemberg <[email protected]>
+
+ [truetype] Improve error handling of `SHZ' bytecode instruction.
+ Problem reported by Chris Evans <[email protected]>.
+
+ * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
+
2010-10-05 Werner Lemberg <[email protected]>
Fix Savannah bug #31253.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+ {last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+ if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+ {+ if ( CUR.pedantic_hinting )
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+ }
else
last_point = 0;