diff --git a/ChangeLog b/ChangeLog
index be4a47ef7..44e4af5ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-01-31 Werner Lemberg
+
+ [truetype] Protect jump instructions against endless loops.
+
+ * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
+ if offset is zero.
+
 2011-01-31 Werner Lemberg
 [truetype] Improve handling of invalid references.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 269d35a6f..d568926bf 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3184,30 +3184,36 @@
 }
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
 }
-#define DO_JMPR \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
+#define DO_JMPR \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
 CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
 }
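Review bot: The new guard `if ( args[0] == 0 && CUR.args == 0 )` in DO_JROT, DO_JMPR and DO_JROF is opaque as written — nothing in the hunk says why a zero offset is only fatal when `CUR.args` is also zero, so a one-line comment such as `/* zero offset with the argument stack emptied: the jump would re-execute itself forever */` above each check would spare the next reader a trip through the dispatch loop (presumably the non-pedantic path tolerates an underflowed stack and feeds back zeros — confirm against the interpreter loop, which is outside this hunk). Note that the check fires only for an offset of exactly 0: a negative offset that jumps back to the instruction pushing that offset loops without ever draining the stack and is untouched here, so the ChangeLog's "endless loops" is broader than what the code covers; a bounded backward-jump or instruction-count budget with its own error code would be needed for that case. Setting `CUR.error` without leaving the macro still lets `CUR.IP` and `CUR.step_ins` be updated afterwards, which is safe only because the pre-existing `CUR.IP < 0` check already relies on the caller abandoning execution once `CUR.error` is non-zero. Minor: the ChangeLog entry names `src/truetype/interp.c`, but the patched file is `src/truetype/ttinterp.c`.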