[truetype] Fix Savannah bug #35466. Jump instructions are now bound to the current function. The MS Windows rasterizer behaves the same, as confirmed by Greg Hitchcock. * src/truetype/ttinterp.h (TT_CallRec): Add `Cur_End' element. * src/truetype/ttobjs.h (TT_DefRecord): Add `end' element. * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Check upper bound of jump address. (Ins_FDEF, Ins_CALL, Ins_LOOPCALL, Ins_UNKNOWN, TT_RunIns): Updated.
diff --git a/ChangeLog b/ChangeLog
index 02efbf2..34515fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@
2012-02-11 Werner Lemberg <wl@gnu.org>
+ [truetype] Fix Savannah bug #35466.
+
+ Jump instructions are now bound to the current function. The MS
+ Windows rasterizer behaves the same, as confirmed by Greg Hitchcock.
+
+ * src/truetype/ttinterp.h (TT_CallRec): Add `Cur_End' element.
+ * src/truetype/ttobjs.h (TT_DefRecord): Add `end' element.
+
+ * src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Check upper
+ bound of jump address.
+ (Ins_FDEF, Ins_CALL, Ins_LOOPCALL, Ins_UNKNOWN, TT_RunIns): Updated.
+
+2012-02-11 Werner Lemberg <wl@gnu.org>
+
We don't use `extensions'.
* include/freetype/internal/ftobjs.h (FT_DriverRec): Remove
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 6ac4be5..752732a 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -715,7 +715,7 @@
FT_Error error;
- if ( ( error = TT_Goto_CodeRange( exec, tt_coderange_glyph, 0 ) )
+ if ( ( error = TT_Goto_CodeRange( exec, tt_coderange_glyph, 0 ) )
!= TT_Err_Ok )
return error;
@@ -1800,7 +1800,7 @@
/* NOTE: Because the last instruction of a program may be a CALL */
/* which will return to the first byte *after* the code */
- /* range, we test for AIP <= Size, instead of AIP < Size. */
+ /* range, we test for aIP <= Size, instead of aIP < Size. */
if ( aIP > range->size )
{
@@ -2757,7 +2757,7 @@
W = Vx * Vx + Vy * Vy;
/* Now, we want that Sqrt( W ) = 0x4000 */
- /* Or 0x10000000 <= W < 0x10004000 */
+ /* Or 0x10000000 <= W < 0x10004000 */
if ( Vx < 0 )
{
@@ -3199,36 +3199,42 @@
}
-#define DO_JROT \
- if ( args[1] != 0 ) \
- { \
- if ( args[0] == 0 && CUR.args == 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROT \
+ if ( args[1] != 0 ) \
+ { \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 || \
+ ( CUR.callTop > 0 && \
+ CUR.IP > CUR.callStack[CUR.callTop - 1].Cur_End ) ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}
-#define DO_JMPR \
- if ( args[0] == 0 && CUR.args == 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
+#define DO_JMPR \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 || \
+ ( CUR.callTop > 0 && \
+ CUR.IP > CUR.callStack[CUR.callTop - 1].Cur_End ) ) \
+ CUR.error = TT_Err_Bad_Argument; \
CUR.step_ins = FALSE;
-#define DO_JROF \
- if ( args[1] == 0 ) \
- { \
- if ( args[0] == 0 && CUR.args == 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.IP += args[0]; \
- if ( CUR.IP < 0 ) \
- CUR.error = TT_Err_Bad_Argument; \
- CUR.step_ins = FALSE; \
+#define DO_JROF \
+ if ( args[1] == 0 ) \
+ { \
+ if ( args[0] == 0 && CUR.args == 0 ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.IP += args[0]; \
+ if ( CUR.IP < 0 || \
+ ( CUR.callTop > 0 && \
+ CUR.IP > CUR.callStack[CUR.callTop - 1].Cur_End ) ) \
+ CUR.error = TT_Err_Bad_Argument; \
+ CUR.step_ins = FALSE; \
}
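Review bot: The new upper-bound test in DO_JROT, DO_JMPR and DO_JROF is guarded by `CUR.callTop > 0`, so at the top level of a glyph, prep or fpgm program the target is still bounded below by zero alone and whatever rejects an IP past the code range there is not in this hunk; a comment on the first macro stating that top-level jumps rely on the fetch-time range check would make that division explicit. Inside a function the lower bound is likewise only `CUR.IP < 0`, so a backward jump past `Cur_Restart` (set to `def->start` in Ins_CALL) leaves the function body without error — if that is deliberate because the Windows rasterizer does the same, say so, e.g. `/* only the upper bound is checked; MS rasterizer behaves the same */`. The three macros now repeat the same seven-line condition; a shared helper of the form `#define JUMP_TARGET_OK( ip ) ( (ip) >= 0 && ( CUR.callTop == 0 || (ip) <= CUR.callStack[CUR.callTop - 1].Cur_End ) )` would keep them from drifting apart.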
@@ -4640,6 +4646,7 @@
return;
case 0x2D: /* ENDF */
+ rec->end = CUR.IP;
return;
}
}
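Review bot: `rec->end` is assigned only when the scan reaches ENDF, so a definition that runs off the code range without one keeps whatever `end` held before — stale from an earlier definition or never set — and that value later becomes `Cur_End` in Ins_CALL, Ins_LOOPCALL, TT_RunIns and Ins_UNKNOWN, where it bounds every jump in the callee. Initializing `end` alongside `start` when the record is filled in (outside this hunk) would make the bound well-defined on that path. Ins_UNKNOWN also copies `def->end` for IDEF records, but no hunk in this diff touches Ins_IDEF; unless its ENDF scan already assigns `end`, instruction definitions get an arbitrary bound. Ins_FDEF begins outside the hunk.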
@@ -4757,6 +4764,7 @@
pCrec->Caller_IP = CUR.IP + 1;
pCrec->Cur_Count = 1;
pCrec->Cur_Restart = def->start;
+ pCrec->Cur_End = def->end;
CUR.callTop++;
@@ -4835,6 +4843,7 @@
pCrec->Caller_IP = CUR.IP + 1;
pCrec->Cur_Count = (FT_Int)args[0];
pCrec->Cur_Restart = def->start;
+ pCrec->Cur_End = def->end;
CUR.callTop++;
@@ -7173,6 +7182,7 @@
call->Caller_IP = CUR.IP + 1;
call->Cur_Count = 1;
call->Cur_Restart = def->start;
+ call->Cur_End = def->end;
INS_Goto_CodeRange( def->range, def->start );
@@ -8181,6 +8191,7 @@
callrec->Caller_IP = CUR.IP + 1;
callrec->Cur_Count = 1;
callrec->Cur_Restart = def->start;
+ callrec->Cur_End = def->end;
if ( INS_Goto_CodeRange( def->range, def->start ) == FAILURE )
goto LErrorLabel_;
diff --git a/src/truetype/ttinterp.h b/src/truetype/ttinterp.h
index c480dfa..6d0fc03 100644
--- a/src/truetype/ttinterp.h
+++ b/src/truetype/ttinterp.h
@@ -102,6 +102,7 @@ FT_BEGIN_HEADER
FT_Long Caller_IP;
FT_Long Cur_Count;
FT_Long Cur_Restart;
+ FT_Long Cur_End;
} TT_CallRec, *TT_CallStack;
diff --git a/src/truetype/ttobjs.h b/src/truetype/ttobjs.h
index 087b3c2..47e4129 100644
--- a/src/truetype/ttobjs.h
+++ b/src/truetype/ttobjs.h
@@ -4,7 +4,7 @@
/* */
/* Objects manager (specification). */
/* */
-/* Copyright 1996-2009, 2011 by */
+/* Copyright 1996-2009, 2011-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -175,6 +175,7 @@ FT_BEGIN_HEADER
{
FT_Int range; /* in which code range is it located? */
FT_Long start; /* where does it start? */
+ FT_Long end; /* where does it end? */
FT_UInt opc; /* function #, or instruction code */
FT_Bool active; /* is it active? */