diff options
| author | Werner Lemberg <wl@gnu.org> | 2011-01-31 22:26:53 +0100 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2011-01-31 22:26:53 +0100 |
| commit | f1a981b5ce4f06c772bb2f62f3ce4c54a0c2c6d0 (patch) | |
| tree | fd69be671dc22d9d8784a5383bb519eba2fd0764 /src | |
| parent | d6a213f8eaf256642cd46196e69898fbe6a95672 (diff) | |
[truetype] Protect jump instructions against endless loops.
* src/truetype/interp.c (DO_JROT, DO_JMPR, DO_JROF): Exit with error
if offset is zero.
Diffstat (limited to 'src')
| -rw-r--r-- | src/truetype/ttinterp.c | 48 |
1 files changed, 27 insertions, 21 deletions
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index 269d35a6..d568926b 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -3184,30 +3184,36 @@ } -#define DO_JROT \ - if ( args[1] != 0 ) \ - { \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ - CUR.step_ins = FALSE; \ - } - - -#define DO_JMPR \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ +#define DO_JROT \ + if ( args[1] != 0 ) \ + { \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.step_ins = FALSE; \ + } + + +#define DO_JMPR \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ CUR.step_ins = FALSE; -#define DO_JROF \ - if ( args[1] == 0 ) \ - { \ - CUR.IP += args[0]; \ - if ( CUR.IP < 0 ) \ - CUR.error = TT_Err_Bad_Argument; \ - CUR.step_ins = FALSE; \ +#define DO_JROF \ + if ( args[1] == 0 ) \ + { \ + if ( args[0] == 0 && CUR.args == 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.IP += args[0]; \ + if ( CUR.IP < 0 ) \ + CUR.error = TT_Err_Bad_Argument; \ + CUR.step_ins = FALSE; \ } |