kc3-lang/freetype

Browse

Commit 0edf0986f3be570f5bf90ff245a85c1675f5c9a4

Werner Lemberg 2010-10-06T11:52:27

[truetype] Improve error handling of `SHZ' bytecode instruction. Problem reported by Chris Evans <scarybeasts@gmail.com>. * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

diff --git a/ChangeLog b/ChangeLog
index afe662d..69e7304 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-10-06  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Improve error handling of `SHZ' bytecode instruction.
+	Problem reported by Chris Evans <scarybeasts@gmail.com>.
+
+	* src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
+
 2010-10-05  Werner Lemberg  <wl@gnu.org>
 
 	Fix Savannah bug #31253.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index bf9189c..e196dce 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;
kmx.io     mail     discord kmxgit v0.4.0