kc3-lang/freetype

Browse

Commit f1a981b5ce4f06c772bb2f62f3ce4c54a0c2c6d0

Werner Lemberg 2011-01-31T22:26:53

[truetype] Protect jump instructions against endless loops. * src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error if offset is zero. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

diff --git a/ChangeLog b/ChangeLog
index be4a47e..44e4af5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2011-01-31  Werner Lemberg  <wl@gnu.org>
 
+	[truetype] Protect jump instructions against endless loops.
+
+	* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
+	if offset is zero.
+
+2011-01-31  Werner Lemberg  <wl@gnu.org>
+
 	[truetype] Improve handling of invalid references.
 
 	* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 269d35a..d568926 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3184,30 +3184,36 @@
   }
 
 
-#define DO_JROT                          \
-    if ( args[1] != 0 )                  \
-    {                                    \
-      CUR.IP      += args[0];            \
-      if ( CUR.IP < 0 )                  \
-        CUR.error = TT_Err_Bad_Argument; \
-      CUR.step_ins = FALSE;              \
-    }
-
-
-#define DO_JMPR                        \
-    CUR.IP      += args[0];            \
-    if ( CUR.IP < 0 )                  \
-      CUR.error = TT_Err_Bad_Argument; \
+#define DO_JROT                            \
+    if ( args[1] != 0 )                    \
+    {                                      \
+      if ( args[0] == 0 && CUR.args == 0 ) \
+        CUR.error = TT_Err_Bad_Argument;   \
+      CUR.IP += args[0];                   \
+      if ( CUR.IP < 0 )                    \
+        CUR.error = TT_Err_Bad_Argument;   \
+      CUR.step_ins = FALSE;                \
+    }
+
+
+#define DO_JMPR                          \
+    if ( args[0] == 0 && CUR.args == 0 ) \
+      CUR.error = TT_Err_Bad_Argument;   \
+    CUR.IP += args[0];                   \
+    if ( CUR.IP < 0 )                    \
+      CUR.error = TT_Err_Bad_Argument;   \
     CUR.step_ins = FALSE;
 
 
-#define DO_JROF                          \
-    if ( args[1] == 0 )                  \
-    {                                    \
-      CUR.IP      += args[0];            \
-      if ( CUR.IP < 0 )                  \
-        CUR.error = TT_Err_Bad_Argument; \
-      CUR.step_ins = FALSE;              \
+#define DO_JROF                            \
+    if ( args[1] == 0 )                    \
+    {                                      \
+      if ( args[0] == 0 && CUR.args == 0 ) \
+        CUR.error = TT_Err_Bad_Argument;   \
+      CUR.IP += args[0];                   \
+      if ( CUR.IP < 0 )                    \
+        CUR.error = TT_Err_Bad_Argument;   \
+      CUR.step_ins = FALSE;                \
     }
kmx.io     mail     discord kmxgit v0.4.0