From d6a213f8eaf256642cd46196e69898fbe6a95672 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 31 Jan 2011 18:51:07 +0100 Subject: [PATCH] [truetype] Improve handling of invalid references. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/truetype/interp.c: Set even more TT_Err_Invalid_Reference error codes only if pedantic hinting is active. At the same time, try to provide sane values which hopefully allow useful continuation. Exception to this is CALL and LOOPCALL – due to possible stack corruption it is necessary to bail out. --- ChangeLog | 10 +++++ src/truetype/ttinterp.c | 93 ++++++++++++++++++++++------------------- 2 files changed, 60 insertions(+), 43 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8154abb48..be4a47ef7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2011-01-31 Werner Lemberg + + [truetype] Improve handling of invalid references. + + * src/truetype/interp.c: Set even more TT_Err_Invalid_Reference + error codes only if pedantic hinting is active. At the same time, + try to provide sane values which hopefully allow useful + continuation. Exception to this is CALL and LOOPCALL – due to + possible stack corruption it is necessary to bail out. + 2011-01-31 Werner Lemberg [truetype] Improve handling of stack underflow. diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index f124c02d1..269d35a6f 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -985,8 +985,8 @@ /* INS_$83 */ PACK( 0, 0 ), /* INS_$84 */ PACK( 0, 0 ), /* ScanCTRL */ PACK( 1, 0 ), - /* SDVPTL[0] */ PACK( 2, 0 ), - /* SDVPTL[1] */ PACK( 2, 0 ), + /* SDPVTL[0] */ PACK( 2, 0 ), + /* SDPVTL[1] */ PACK( 2, 0 ), /* GetINFO */ PACK( 1, 1 ), /* IDEF */ PACK( 1, 0 ), /* ROLL */ PACK( 3, 3 ), @@ -3166,17 +3166,21 @@ args[0] = CUR.top; -#define DO_CINDEX \ - { \ - FT_Long L; \ - \ - \ - L = args[0]; \ - \ - if ( L <= 0 || L > CUR.args ) \ - CUR.error = TT_Err_Invalid_Reference; \ - else \ - args[0] = CUR.stack[CUR.args - L]; \ +#define DO_CINDEX \ + { \ + FT_Long L; \ + \ + \ + L = args[0]; \ + \ + if ( L <= 0 || L > CUR.args ) \ + { \ + if ( CUR.pedantic_hinting ) \ + CUR.error = TT_Err_Invalid_Reference; \ + args[0] = 0; \ + } \ + else \ + args[0] = CUR.stack[CUR.args - L]; \ } @@ -4385,17 +4389,19 @@ if ( L <= 0 || L > CUR.args ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; } + else + { + K = CUR.stack[CUR.args - L]; - K = CUR.stack[CUR.args - L]; + FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ], + &CUR.stack[CUR.args - L + 1], + ( L - 1 ) ); - FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ], - &CUR.stack[CUR.args - L + 1], - ( L - 1 ) ); - - CUR.stack[CUR.args - 1] = K; + CUR.stack[CUR.args - 1] = K; + } } @@ -5038,12 +5044,8 @@ if ( BOUNDSL( L, CUR.zp2.n_points ) ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Invalid_Reference; - return; - } - else - R = 0; + R = 0; } else { @@ -5123,10 +5125,7 @@ BOUNDS( K, CUR.zp1.n_points ) ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Invalid_Reference; - return; - } D = 0; } else @@ -5465,11 +5464,8 @@ if ( CUR.top < CUR.GS.loop ) { if ( CUR.pedantic_hinting ) - { CUR.error = TT_Err_Too_Few_Arguments; - return; - } - CUR.GS.loop = CUR.top; + goto Fail; } while ( CUR.GS.loop > 0 ) @@ -5492,6 +5488,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -5679,8 +5676,9 @@ if ( CUR.top < CUR.GS.loop ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } if ( COMPUTE_Point_Displacement( &dx, &dy, &zp, &refp ) ) @@ -5706,6 +5704,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -5840,8 +5839,9 @@ if ( CUR.top < CUR.GS.loop + 1 ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } #ifdef TT_CONFIG_OPTION_UNPATENTED_HINTING @@ -5885,6 +5885,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -6071,7 +6072,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } /* XXX: Is there some undocumented feature while in the */ @@ -6156,6 +6157,7 @@ CUR_Func_move( &CUR.zp1, point, distance - org_dist ); + Fail: CUR.GS.rp1 = CUR.GS.rp0; CUR.GS.rp2 = point; @@ -6193,7 +6195,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } if ( !cvtEntry ) @@ -6292,6 +6294,7 @@ CUR_Func_move( &CUR.zp1, point, distance - cur_dist ); + Fail: CUR.GS.rp1 = CUR.GS.rp0; if ( ( CUR.opcode & 16 ) != 0 ) @@ -6322,7 +6325,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } while ( CUR.GS.loop > 0 ) @@ -6350,6 +6353,7 @@ CUR.GS.loop--; } + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; } @@ -6491,8 +6495,9 @@ if ( CUR.top < CUR.GS.loop ) { - CUR.error = TT_Err_Invalid_Reference; - return; + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + goto Fail; } /* @@ -6506,7 +6511,7 @@ { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; - return; + goto Fail; } if ( twilight ) @@ -6571,6 +6576,8 @@ CUR_Func_move( &CUR.zp2, (FT_UShort)point, new_dist - cur_dist ); } + + Fail: CUR.GS.loop = 1; CUR.new_top = CUR.args; }