[truetype] Protect against code range underflow.

* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
negative IP values.
This commit is contained in:
Werner Lemberg 2010-07-01 11:37:09 +02:00
parent 462ddb4072
commit a2d225e322
2 changed files with 25 additions and 12 deletions

View File

@ -1,3 +1,10 @@
2010-07-01 Werner Lemberg <wl@gnu.org>
[truetype] Protect against code range underflow.
* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
negative IP values.
2010-07-01 Werner Lemberg <wl@gnu.org>
[truetype] Add rudimentary tracing for bytecode instructions.

View File

@ -3175,24 +3175,30 @@
}
#define DO_JROT \
if ( args[1] != 0 ) \
{ \
CUR.IP += args[0]; \
CUR.step_ins = FALSE; \
#define DO_JROT \
if ( args[1] != 0 ) \
{ \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
}
#define DO_JMPR \
CUR.IP += args[0]; \
#define DO_JMPR \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
#define DO_JROF \
if ( args[1] == 0 ) \
{ \
CUR.IP += args[0]; \
CUR.step_ins = FALSE; \
#define DO_JROF \
if ( args[1] == 0 ) \
{ \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
}