ref: f1a981b5ce4f06c772bb2f62f3ce4c54a0c2c6d0
parent: d6a213f8eaf256642cd46196e69898fbe6a95672
author: Werner Lemberg <[email protected]>
date: Mon Jan 31 17:26:53 EST 2011
[truetype] Protect jump instructions against endless loops. * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error if offset is zero.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2011-01-31 Werner Lemberg <[email protected]>
+ [truetype] Protect jump instructions against endless loops.
+
+ * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
+ if offset is zero.
+
+2011-01-31 Werner Lemberg <[email protected]>
+
[truetype] Improve handling of invalid references.
* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3184,30 +3184,36 @@
}
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}
-#define DO_JMPR \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
+#define DO_JMPR \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}