diff options
| author | Werner Lemberg <wl@gnu.org> | 2011-01-31 18:51:07 +0100 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2011-01-31 18:51:07 +0100 |
| commit | d6a213f8eaf256642cd46196e69898fbe6a95672 (patch) | |
| tree | d4c14f9c4434f27b527f4950ff5850e03065d87e | |
| parent | 96f0456483143353800d5ece36b0edc4b853ad32 (diff) | |
[truetype] Improve handling of invalid references.
* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
error codes only if pedantic hinting is active. At the same time,
try to provide sane values which hopefully allow useful
continuation. Exception to this is CALL and LOOPCALL – due to
possible stack corruption it is necessary to bail out.
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | src/truetype/ttinterp.c | 93 |
2 files changed, 60 insertions, 43 deletions
@@ -1,5 +1,15 @@ 2011-01-31 Werner Lemberg <wl@gnu.org> + [truetype] Improve handling of invalid references. + + * src/truetype/interp.c: Set even more TT_Err_Invalid_Reference + error codes only if pedantic hinting is active. At the same time, + try to provide sane values which hopefully allow useful + continuation. Exception to this is CALL and LOOPCALL – due to + possible stack corruption it is necessary to bail out. + +2011-01-31 Werner Lemberg <wl@gnu.org> + [truetype] Improve handling of stack underflow. * src/truetype/ttinterp.c (TT_RunIns, Ins_FLIPPT, Ins_DELTAP, diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index f124c02d..269d35a6 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -985,8 +985,8 @@ /* INS_$83 */ PACK( 0, 0 ), /* INS_$84 */ PACK( 0, 0 ), /* ScanCTRL */ PACK( 1, 0 ), - /* SDVPTL[0] */ PACK( 2, 0 ), - /* SDVPTL[1] */ PACK( 2, 0 ), + /* SDPVTL[0] */ PACK( 2, 0 ), + /* SDPVTL[1] */ PACK( 2, 0 ), /* GetINFO */ PACK( 1, 1 ), /* IDEF */ PACK( 1, 0 ), /* ROLL */ PACK( 3, 3 ), @@ -3166,17 +3166,21 @@ args[0] = CUR.top; -#define DO_CINDEX \ - { \ - FT_Long L; \ - \ - \ - L = args[0]; \ - \ - if ( L <= 0 || L > CUR.args ) \ - CUR.error = TT_Err_Invalid_Reference; \ - else \ - args[0] = CUR.stack[CUR.args - L]; \ +#define DO_CINDEX \ + { \ + FT_Long L; \ + \ + \ + L = args[0]; \ + \ + if ( L <= 0 || L > CUR.args ) \ + { \ + if ( CUR.pedantic_hinting ) \ + CUR.error = TT_Err_Invalid_Reference; \ + args[0] = 0; \ + } \ + else \ + args[0] = CUR.stack[CUR.args - L]; \ } @@ -4385,17 +4389,19 @@ if ( L <= 0 || L > CUR.args ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; } + else + { + K = CUR.stack[CUR.args - L]; - K = CUR.stack[CUR.args - L]; - - FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ], - &CUR.stack[CUR.args - L + 1], - ( L - 1 ) ); + FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ], + &CUR.stack[CUR.args - L + 1], + ( L - 1 ) ); - CUR.stack[CUR.args - 1] = K; + CUR.stack[CUR.args - 1] = K; + } } @@ -5038,12 +5044,8 @@ if ( BOUNDSL( L, CUR.zp2.n_points ) ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Invalid_Reference; - return; - } - else - R = 0; + R = 0; } else { @@ -5123,10 +5125,7 @@ BOUNDS( K, CUR.zp1.n_points ) ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Invalid_Reference; - return; - } D = 0; } else @@ -5465,11 +5464,8 @@ if ( CUR.top < CUR.GS.loop ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Too_Few_Arguments; - return; - } - CUR.GS.loop = CUR.top; + goto Fail; } while ( CUR.GS.loop > 0 ) @@ -5492,6 +5488,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -5679,8 +5676,9 @@ if ( CUR.top < CUR.GS.loop ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } if ( COMPUTE_Point_Displacement( &dx, &dy, &zp, &refp ) ) @@ -5706,6 +5704,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -5840,8 +5839,9 @@ if ( CUR.top < CUR.GS.loop + 1 ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } #ifdef TT_CONFIG_OPTION_UNPATENTED_HINTING @@ -5885,6 +5885,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -6071,7 +6072,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } /* XXX: Is there some undocumented feature while in the */ @@ -6156,6 +6157,7 @@ CUR_Func_move( &CUR.zp1, point, distance - org_dist ); + Fail: CUR.GS.rp1 = CUR.GS.rp0; CUR.GS.rp2 = point; @@ -6193,7 +6195,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } if ( !cvtEntry ) @@ -6292,6 +6294,7 @@ CUR_Func_move( &CUR.zp1, point, distance - cur_dist ); + Fail: CUR.GS.rp1 = CUR.GS.rp0; if ( ( CUR.opcode & 16 ) != 0 ) @@ -6322,7 +6325,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } while ( CUR.GS.loop > 0 ) @@ -6350,6 +6353,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -6491,8 +6495,9 @@ if ( CUR.top < CUR.GS.loop ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } /* @@ -6506,7 +6511,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } if ( twilight ) @@ -6571,6 +6576,8 @@ CUR_Func_move( &CUR.zp2, (FT_UShort)point, new_dist - cur_dist ); } + + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } |