

ref: a2d225e32248ad68e675ed5374518b3dbbab83d0
parent: 462ddb4072ef25bd428acb678db3da26d2dd4002
author: Werner Lemberg <[email protected]>
date: Thu Jul 1 07:37:09 EDT 2010

[truetype] Protect against code range underflow.

* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
negative IP values.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2010-07-01  Werner Lemberg  <[email protected]>
 
+	[truetype] Protect against code range underflow.
+
+	* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+	negative IP values.
+
+2010-07-01  Werner Lemberg  <[email protected]>
+
 	[truetype] Add rudimentary tracing for bytecode instructions.
 
 	* src/truetype/ttinterp.c (opcode_name) [FT_DEBUG_LEVEL_TRACE]: New
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3175,24 +3175,30 @@
   }
 
 
-#define DO_JROT               \
-    if ( args[1] != 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROT                          \
+    if ( args[1] != 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
     }
 
 
-#define DO_JMPR             \
-    CUR.IP      += args[0]; \
+#define DO_JMPR                        \
+    CUR.IP      += args[0];            \
+    if ( CUR.IP < 0 )                  \
+      CUR.error = TT_Err_Bad_Argument; \
     CUR.step_ins = FALSE;
 
 
-#define DO_JROF               \
-    if ( args[1] == 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROF                          \
+    if ( args[1] == 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
     }
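Review bot: In DO_JROT, DO_JMPR and DO_JROF the new `CUR.IP < 0` test runs after `CUR.IP += args[0]` has already been stored, so on the error path the execution context still holds a negative IP. Safety then depends on the interpreter loop checking `CUR.error` before the next opcode fetch, and that code is outside this hunk. Validating the target before committing it removes that dependency, e.g. `if ( CUR.IP + args[0] < 0 ) CUR.error = TT_Err_Bad_Argument; else CUR.IP += args[0];` in each macro. Only the lower bound is covered here: a large positive `args[0]` from font bytecode can still move IP past the end of the code range unless a check elsewhere catches it, and the addition itself may overflow if both operands are signed. A one-line comment above the macros, such as `/* jump offsets come from untrusted font bytecode; IP must stay inside the current code range */`, would record why the check exists.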