[truetype] Prevent bytecode reuse after the interpretation error.

* src/truetype/ttinterp.c (free_buffer_in_size): New function to free the buffer allocated during the interpretation of this glyph. (TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if an error occurs in the bytecode interpretation. The interpretation of invalid bytecode may break the function definitions and referring them in later interpretation is danger. By unsetting these flags, `fpgm' and `prep' tables are executed again in next interpretation. Fix Savannah bug #30798, reported by Robert Swiecki.
2010-08-31 01:23:30 +09:00 · 2010-08-31 01:23:30 +09:00 · 29e044a4af
parent 12cf031644
commit 29e044a4af
2 changed files with 59 additions and 0 deletions
--- a/14
+++ b/14
@ -1,3 +1,17 @@
+2010-08-30  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	[truetype] Prevent bytecode reuse after the interpretation error.
+
+	* src/truetype/ttinterp.c (free_buffer_in_size): New function to
+	free the buffer allocated during the interpretation of this glyph.
+	(TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if
+	an error occurs in the bytecode interpretation.  The interpretation
+	of invalid bytecode may break the function definitions and referring
+	them in later interpretation is danger.  By unsetting these flags,
+	`fpgm' and `prep' tables are executed again in next interpretation.
+
+	Fix Savannah bug #30798, reported by Robert Swiecki.
+
 2010-08-29  Werner Lemberg  <wl@gnu.org>

 	[ftraster] Pacify compiler.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -7362,6 +7362,41 @@
 #endif /* !TT_CONFIG_OPTION_INTERPRETER_SWITCH */


+  static void
+  free_buffer_in_size( TT_ExecContext  exc )
+  {
+    FT_Memory        memory = exc->memory;
+    TT_Size          size = exc->size;
+    TT_GlyphZoneRec  twilight;
+
+
+    if ( !size )
+      return;
+
+    if ( size->function_defs )
+      FT_FREE( size->function_defs );
+    if ( size->instruction_defs )
+      FT_FREE( size->instruction_defs );
+    if ( size->cvt )
+      FT_FREE( size->cvt );
+    if ( size->storage )
+      FT_FREE( size->storage );
+
+    twilight = size->twilight;
+
+    if ( twilight.org )
+      FT_FREE( twilight.org );
+    if ( twilight.cur )
+      FT_FREE( twilight.cur );
+    if ( twilight.orus )
+      FT_FREE( twilight.orus );
+    if ( twilight.tags )
+      FT_FREE( twilight.tags );
+    if ( twilight.contours )
+      FT_FREE( twilight.contours );
+  }
+
+
  /*************************************************************************/
  /*                                                                       */
  /* RUN                                                                   */
@ -8128,6 +8163,16 @@
    *exc = cur;
 #endif

+    /* if any errors, function tables may be broken.  */
+    /* it should not be used for next interpretation. */
+    if ( CUR.error )
+    {
+      FT_TRACE7(( "  The interpreter got an error = %d\n", CUR.error ));
+      free_buffer_in_size( exc );
+      exc->size->cvt_ready = FALSE;  
+      exc->size->bytecode_ready = FALSE;  
+    }
+
    return CUR.error;
  }