From 8d435c463d22f6de35015b244d6f9bb433beb7e6 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 1 Jun 2017 07:09:44 +0200
Subject: [PATCH] * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem reported by Marek Kašík . The problematic font that exceeds the old limit is Padauk-Bold, version 3.002, containing bytecode generated by a buggy version of ttfautohint.
---
 ChangeLog | 10 ++++++++++
 src/truetype/ttinterp.c | 3 +--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c38b5af66..a0447129b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-01 Werner Lemberg
+
+ * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
+
+ Problem reported by Marek Kašík .
+
+ The problematic font that exceeds the old limit is Padauk-Bold,
+ version 3.002, containing bytecode generated by a buggy version of
+ ttfautohint.
+
 2017-05-31 Werner Lemberg [cff] 32bit integer overflow run-time errors 2/2 (#46149).
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 0c48c2562..775d11047 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -7649,8 +7649,7 @@
 FT_MAX( 50, exc->cvtSize / 10 );
 else
- exc->loopcall_counter_max = FT_MAX( 100,
- 10 * exc->cvtSize );
+ exc->loopcall_counter_max = 300 + 8 * exc->cvtSize;
 /* as a protection against an unreasonable number of CVT entries */
 /* we assume at most 100 control values per glyph for the counter */
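Review bot: In the `else` branch of the ttinterp.c hunk, `300 + 8 * exc->cvtSize` is not a uniform increase over the removed `FT_MAX( 100, 10 * exc->cvtSize )`: it is larger only while `cvtSize` is below 150 and becomes smaller once `cvtSize` exceeds 150. Fonts with a large CVT table therefore get a tighter budget on this path than before, which may or may not be intended. Since this limit appears to be the guard against bytecode that loops excessively, the constants deserve a comment next to the assignment, for example `/* 300 + 8 * cvtSize: floor raised for Padauk-Bold 3.002 (buggy ttfautohint bytecode) */`. The body of TT_RunIns starts and ends outside the hunk, so the cap described by the trailing comment is not visible here.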