Commit a2d225e32248ad68e675ed5374518b3dbbab83d0

Werner Lemberg 2010-07-01T11:37:09

[truetype] Protect against code range underflow. * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow negative IP values.

diff --git a/ChangeLog b/ChangeLog
index 8ef4f2c..ac58422 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2010-07-01  Werner Lemberg  <wl@gnu.org>
 
+	[truetype] Protect against code range underflow.
+
+	* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Don't allow
+	negative IP values.
+
+2010-07-01  Werner Lemberg  <wl@gnu.org>
+
 	[truetype] Add rudimentary tracing for bytecode instructions.
 
 	* src/truetype/ttinterp.c (opcode_name) [FT_DEBUG_LEVEL_TRACE]: New
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index ceb108d..f729eaf 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3175,24 +3175,30 @@
   }
 
 
-#define DO_JROT               \
-    if ( args[1] != 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROT                          \
+    if ( args[1] != 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
     }
 
 
-#define DO_JMPR             \
-    CUR.IP      += args[0]; \
+#define DO_JMPR                        \
+    CUR.IP      += args[0];            \
+    if ( CUR.IP < 0 )                  \
+      CUR.error = TT_Err_Bad_Argument; \
     CUR.step_ins = FALSE;
 
 
-#define DO_JROF               \
-    if ( args[1] == 0 )       \
-    {                         \
-      CUR.IP      += args[0]; \
-      CUR.step_ins = FALSE;   \
+#define DO_JROF                          \
+    if ( args[1] == 0 )                  \
+    {                                    \
+      CUR.IP      += args[0];            \
+      if ( CUR.IP < 0 )                  \
+        CUR.error = TT_Err_Bad_Argument; \
+      CUR.step_ins = FALSE;              \
     }
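Review bot: In all three macros (DO_JROT, DO_JMPR, DO_JROF) the new `CUR.IP < 0` test runs only after `CUR.IP += args[0]` has been stored, so the out-of-range value is already committed and only the lower bound is covered. If `CUR.IP` and `args[0]` are signed, as the `< 0` test suggests (their declarations are outside the hunk), an extreme offset taken from the font's bytecode can overflow the addition before the test is reached, which is undefined behaviour. I would validate before committing and leave IP untouched on failure, e.g. `if ( args[0] < -CUR.IP ) CUR.error = TT_Err_Bad_Argument; else CUR.IP += args[0];`, with a matching pre-addition check against the end of the current code range unless the dispatch loop already enforces one. The code that consumes `CUR.error` is not visible here, so it is worth confirming that the error is tested before the next opcode is fetched through the stored IP.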