shithub: freetype+ttf2subf

Download patch

ref: 5dddcc45a03b336860436a180aec5b358517336b
parent: 96cddb8d1d32d6738b06552083db9d6cee5b5cb4
author: Werner Lemberg <[email protected]>
date: Thu Mar 1 02:52:24 EST 2012 

[truetype] Fix Savannah bug #35640.

* src/truetype/ttinterp.c (SkipCode, TT_RunIns): Fix boundary check
for NPUSHB and NPUSHW instructions.

git/fs: mount .git/fs: mount/attach disallowed 
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2012-02-29  Werner Lemberg  <[email protected]>
 
+	[truetype] Fix Savannah bug #35640.
+
+	* src/truetype/ttinterp.c (SkipCode, TT_RunIns): Fix boundary check
+	for NPUSHB and NPUSHW instructions.
+
+2012-02-29  Werner Lemberg  <[email protected]>
+
 	[truetype] Fix Savannah bug #35601.
 
 	* src/truetype/ttinterp.c (Ins_SHZ): Use number of points instead of
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
       CUR.length = opcode_length[CUR.opcode];
       if ( CUR.length < 0 )
       {
-        if ( CUR.IP + 1 > CUR.codeSize )
+        if ( CUR.IP + 1 >= CUR.codeSize )
           goto Fail_Overflow;
         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
       }
@@ -7544,7 +7544,7 @@
 
       if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
       {
-        if ( CUR.IP + 1 > CUR.codeSize )
+        if ( CUR.IP + 1 >= CUR.codeSize )
           goto LErrorCodeOverflow_;
 
         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];