[truetype] Protect jump instructions against endless loops.

* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
if offset is zero.
Werner Lemberg 2011-01-31 22:26:53 +01:00
parent d6a213f8ea
commit f1a981b5ce
2 changed files with 31 additions and 18 deletions


@ -1,3 +1,10 @@
2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Protect jump instructions against endless loops.
* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
if offset is zero.
2011-01-31 Werner Lemberg <wl@gnu.org> 2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Improve handling of invalid references. [truetype] Improve handling of invalid references.


@ -3184,30 +3184,36 @@
} }
#define DO_JROT \ #define DO_JROT \
if ( args[1] != 0 ) \ if ( args[1] != 0 ) \
{ \ { \
CUR.IP += args[0]; \ if ( args[0] == 0 && CUR.args == 0 ) \
if ( CUR.IP < 0 ) \ CUR.error = TT_Err_Bad_Argument; \
CUR.error = TT_Err_Bad_Argument; \ CUR.IP += args[0]; \
CUR.step_ins = FALSE; \ if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
} }
#define DO_JMPR \ #define DO_JMPR \
CUR.IP += args[0]; \ if ( args[0] == 0 && CUR.args == 0 ) \
if ( CUR.IP < 0 ) \ CUR.error = TT_Err_Bad_Argument; \
CUR.error = TT_Err_Bad_Argument; \ CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; CUR.step_ins = FALSE;
#define DO_JROF \ #define DO_JROF \
if ( args[1] == 0 ) \ if ( args[1] == 0 ) \
{ \ { \
CUR.IP += args[0]; \ if ( args[0] == 0 && CUR.args == 0 ) \
if ( CUR.IP < 0 ) \ CUR.error = TT_Err_Bad_Argument; \
CUR.error = TT_Err_Bad_Argument; \ CUR.IP += args[0]; \
CUR.step_ins = FALSE; \ if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
} }
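Review bot: The guard added to DO_JROT, DO_JMPR and DO_JROF rejects only a jump whose offset is exactly zero, and only when `CUR.args == 0`. A backward jump with a non-zero offset can still form a cycle, and nothing in this hunk bounds it. Unless the run loop (outside the hunk) enforces a limit, bytecode from an untrusted font could still keep the interpreter busy indefinitely. A per-run cap on negative-offset jumps, checked next to `if ( CUR.IP < 0 )`, would cover the general case. The `CUR.args == 0` half of the condition also needs a comment, for example `/* a zero offset re-executes this jump; CUR.args == 0 presumably means no operands remain -- confirm */`, because the macros do not say why a zero offset is tolerated otherwise.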