[truetype] Better protection against malformed `fpgm' (#46223).

* src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a malformed `fpgm' table more than once.
2015-10-18 16:47:06 +02:00 · 2015-10-18 16:47:06 +02:00 · dcfc4d9c21
commit dcfc4d9c21
parent 7643b5839b
2 changed files with 15 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2015-10-18  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Better protection against malformed `fpgm' (#46223).
+
+	* src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a
+	malformed `fpgm' table more than once.
+
 2015-10-17  Werner Lemberg  <wl@gnu.org>

 	* src/cid/cidgload.c (cid_load_glyph): Fix memory leak.
--- a/src/truetype/ttobjs.c
+++ b/src/truetype/ttobjs.c
@ -1078,7 +1078,15 @@
    }

    /* Fine, now run the font program! */
+
+    /* In case of an error while executing `fpgm', we intentionally don't */
+    /* clean up immediately – bugs in the `fpgm' are so fundamental that  */
+    /* all following hinting calls should fail.  Additionally, `fpgm' is  */
+    /* to be executed just once; calling it again is completely useless   */
+    /* and might even lead to extremely slow behaviour if it is malformed */
+    /* (containing an infinite loop, for example).                        */
    error = tt_size_run_fpgm( size, pedantic );
+    return error;

  Exit:
    if ( error )