Commit d1c23082b65824824457fc02435e5c8cfd23817f
2009-08-01T00:32:17
truetype: Check invalid function number in FDEF instruction.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
diff --git a/ChangeLog b/ChangeLog
index b91d029..9696b52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2009-07-31 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ truetype: Check invalid function number in FDEF instruction.
+
+ * src/truetype/ttinterp.c (Ins_FDEF): Check
+ if the operand fits 16-bit function number.
+
+2009-07-31 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
truetype: Truncate the deltas of composite glyph at 16-bit values.
* src/truetype/ttgload.c (load_truetype_glyph):
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e6a0700..816d1da 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4290,13 +4290,21 @@
CUR.numFDefs++;
}
+ /* Although FDEF takes unsigned 32-bit integer, */
+ /* func # must be within unsigned 16-bit integer */
+ if ( n > 0xFFFFU )
+ {
+ CUR.error = TT_Err_Too_Many_Function_Defs;
+ return;
+ }
+
rec->range = CUR.curRange;
- rec->opc = n;
+ rec->opc = (FT_UInt16)n;
rec->start = CUR.IP + 1;
rec->active = TRUE;
if ( n > CUR.maxFunc )
- CUR.maxFunc = n;
+ CUR.maxFunc = (FT_UInt16)n;
/* Now skip the whole function definition. */
/* We don't allow nested IDEFS & FDEFs. */