truetype: Check invalid function number in FDEF instruction.

16 years ago · a72a4bd3b7
parent 34bc30a5f0
commit a72a4bd3b7
2 changed files with 17 additions and 2 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2009-07-03  suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+	truetype: Check invalid function number in FDEF instruction.
+
+	* src/truetype/ttinterp.c (Ins_FDEF): Check
+	if the operand fits 16-bit function number.
+
 2009-07-03  suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>

 	truetype: Truncate the deltas of composite glyph at 16-bit values.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -4290,13 +4290,21 @@
      CUR.numFDefs++;
    }

+    /* Although FDEF takes unsigned 32-bit integer,  */
+    /* func # must be within unsigned 16-bit integer */
+    if ( n > 0xFFFFU )
+    {
+      CUR.error = TT_Err_Too_Many_Function_Defs;
+      return;
+    }
+
    rec->range  = CUR.curRange;
-    rec->opc    = n;
+    rec->opc    = (FT_UInt16)n;
    rec->start  = CUR.IP + 1;
    rec->active = TRUE;

    if ( n > CUR.maxFunc )
-      CUR.maxFunc = n;
+      CUR.maxFunc = (FT_UInt16)n;

    /* Now skip the whole function definition. */
    /* We don't allow nested IDEFS & FDEFs.    */