[truetype] Protect against code range underflow.

* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow negative IP values.
15 years ago · a2d225e322
parent 462ddb4072
commit a2d225e322
2 changed files with 25 additions and 12 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2010-07-01  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Protect against code range underflow.
+
+	* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+	negative IP values.
+
 2010-07-01  Werner Lemberg  <wl@gnu.org>

 	[truetype] Add rudimentary tracing for bytecode instructions.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -3175,24 +3175,30 @@
  }


-#define DO_JROT               \
-    if ( args[1] != 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROT                          \
+    if ( args[1] != 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
    }


-#define DO_JMPR             \
-    CUR.IP      += args[0]; \
+#define DO_JMPR                        \
+    CUR.IP      += args[0];            \
+    if ( CUR.IP < 0 )                  \
+      CUR.error = TT_Err_Bad_Argument; \
    CUR.step_ins = FALSE;


-#define DO_JROF               \
-    if ( args[1] == 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROF                          \
+    if ( args[1] == 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
    }