From f1a981b5ce4f06c772bb2f62f3ce4c54a0c2c6d0 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 31 Jan 2011 22:26:53 +0100 Subject: [PATCH] [truetype] Protect jump instructions against endless loops. * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error if offset is zero. --- ChangeLog | 7 +++++++ src/truetype/ttinterp.c | 42 +++++++++++++++++++++++------------------ 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index be4a47ef7..44e4af5ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2011-01-31 Werner Lemberg + + [truetype] Protect jump instructions against endless loops. + + * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error + if offset is zero. + 2011-01-31 Werner Lemberg [truetype] Improve handling of invalid references. diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index 269d35a6f..d568926bf 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -3184,30 +3184,36 @@ } -#define DO_JROT \ - if ( args[1] != 0 ) \ - { \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ - CUR.step_ins = FALSE; \ +#define DO_JROT \ + if ( args[1] != 0 ) \ + { \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.step_ins = FALSE; \ } -#define DO_JMPR \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ +#define DO_JMPR \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ CUR.step_ins = FALSE; -#define DO_JROF \ - if ( args[1] == 0 ) \ - { \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ - CUR.step_ins = FALSE; \ +#define DO_JROF \ + if ( args[1] == 0 ) \ + { \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.step_ins = FALSE; \ }