[truetype] Protect against code range underflow. * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow negative IP values.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
diff --git a/ChangeLog b/ChangeLog
index 8ef4f2c..ac58422 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2010-07-01 Werner Lemberg <wl@gnu.org>
+ [truetype] Protect against code range underflow.
+
+ * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+ negative IP values.
+
+2010-07-01 Werner Lemberg <wl@gnu.org>
+
[truetype] Add rudimentary tracing for bytecode instructions.
* src/truetype/ttinterp.c (opcode_name) [FT_DEBUG_LEVEL_TRACE]: New
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index ceb108d..f729eaf 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3175,24 +3175,30 @@
}
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}
-#define DO_JMPR \
- CUR.IP += args[0]; \
+#define DO_JMPR \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \
- CUR.IP += args[0]; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}