ref: a2d225e32248ad68e675ed5374518b3dbbab83d0
parent: 462ddb4072ef25bd428acb678db3da26d2dd4002
author: Werner Lemberg <[email protected]>
date: Thu Jul 1 07:37:09 EDT 2010
[truetype] Protect against code range underflow. * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow negative IP values.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2010-07-01 Werner Lemberg <[email protected]>
+ [truetype] Protect against code range underflow.
+
+ * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+ negative IP values.
+
+2010-07-01 Werner Lemberg <[email protected]>
+
[truetype] Add rudimentary tracing for bytecode instructions.
* src/truetype/ttinterp.c (opcode_name) [FT_DEBUG_LEVEL_TRACE]: New
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3175,24 +3175,30 @@
}
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}
-#define DO_JMPR \
- CUR.IP += args[0]; \
+#define DO_JMPR \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}