[truetype]: Limit `SLOOP' bytecode argument to 16 bits.
This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707

* src/truetype/ttinterp.c (Ins_SLOOP): Do it.
parent 827ca3bcf2
commit 235b1e2fe6
10
ChangeLog
|
@ -1,3 +1,13 @@
|
|||
2018-04-15 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[truetype]: Limit `SLOOP' bytecode argument to 16 bits.
|
||||
|
||||
This fixes
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707
|
||||
|
||||
* src/truetype/ttinterp.c (Ins_SLOOP): Do it.
|
||||
|
||||
2018-04-14 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[truetype] Integer overflow issues.
|
||||
|
|
|
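Review bot: The new entry's title line, "[truetype]: Limit `SLOOP' bytecode argument to 16 bits.", puts a colon after the component tag, while the entry directly below it in the context, "[truetype] Integer overflow issues.", has none; drop the colon for consistency. The "(Ins_SLOOP): Do it." line could also say that values above 0xFFFF are clamped rather than rejected, so a reader of the ChangeLog learns the behaviour without opening the source.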
@ -3289,7 +3289,10 @@
|
|||
if ( args[0] < 0 )
|
||||
exc->error = FT_THROW( Bad_Argument );
|
||||
else
|
||||
exc->GS.loop = args[0];
|
||||
{
|
||||
/* we heuristically limit the number of loops to 16 bits */
|
||||
exc->GS.loop = args[0] > 0xFFFFL ? 0xFFFFL : args[0];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
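Review bot: In the new else branch an argument above 0xFFFF is silently clamped, whereas the negative case just above it sets "exc->error = FT_THROW( Bad_Argument );", so the two out-of-range cases now behave differently and the comment does not say why. Suggest extending the comment to give the reason for choosing 16 bits and to state that larger values are truncated on purpose rather than treated as an error. The literal 0xFFFFL also appears twice in "exc->GS.loop = args[0] > 0xFFFFL ? 0xFFFFL : args[0];"; a named constant would keep the bound in one place.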