[truetype] Protect jump instructions against endless loops.

* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
if offset is zero.
This commit is contained in:
Werner Lemberg 2011-01-31 22:26:53 +01:00
parent d6a213f8ea
commit f1a981b5ce
2 changed files with 31 additions and 18 deletions

@ -1,3 +1,10 @@
2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Protect jump instructions against endless loops.
* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
if offset is zero.
2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Improve handling of invalid references.

@ -3184,30 +3184,36 @@
}
#define DO_JROT \
if ( args[1] != 0 ) \
{ \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
#define DO_JROT \
if ( args[1] != 0 ) \
{ \
if ( args[0] == 0 && CUR.args == 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
}
#define DO_JMPR \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
#define DO_JMPR \
if ( args[0] == 0 && CUR.args == 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
#define DO_JROF \
if ( args[1] == 0 ) \
{ \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
#define DO_JROF \
if ( args[1] == 0 ) \
{ \
if ( args[0] == 0 && CUR.args == 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.IP += args[0]; \
if ( CUR.IP < 0 ) \
CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE; \
}