From a2d225e32248ad68e675ed5374518b3dbbab83d0 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 1 Jul 2010 11:37:09 +0200
Subject: [PATCH] [truetype] Protect against code range underflow.

* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow negative IP values.
---
 ChangeLog | 7 +++++++
 src/truetype/ttinterp.c | 30 ++++++++++++++++++------------
 2 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8ef4f2ca7..ac5842291 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-07-01 Werner Lemberg
+
+ [truetype] Protect against code range underflow.
+
+ * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+ negative IP values.
+
 2010-07-01 Werner Lemberg
 [truetype] Add rudimentary tracing for bytecode instructions.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index ceb108d45..f729eaf5e 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3175,24 +3175,30 @@
 }
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
 }
-#define DO_JMPR \
- CUR.IP += args[0]; \
+#define DO_JMPR \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
 CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
 }
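Review bot: The new `CUR.IP < 0` test in DO_JROT, DO_JMPR and DO_JROF runs only after `CUR.IP += args[0]`, so an out-of-range offset taken from font bytecode is already stored in the instruction pointer when the error is set, and if IP is a signed integer (as the `< 0` test implies) the addition itself can overflow for extreme offsets. Validating before the update keeps IP in range on the error path: `if ( args[0] < -CUR.IP ) CUR.error = TT_Err_Bad_Argument; else { CUR.IP += args[0]; CUR.step_ins = FALSE; }`. Only the lower bound is covered here; a forward jump past the end of the current code range is presumably rejected by the interpreter loop, which lies outside this hunk and should be confirmed. DO_JMPR also expands to bare statements, so the unbraced `if` added there depends on how the macro is placed at its use sites, and enclosing the macro body in braces would remove that dependency.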