From dcfc4d9c2184bd36dacf73c1a9f331e98aa8ed1d Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 18 Oct 2015 16:47:06 +0200
Subject: [PATCH] [truetype] Better protection against malformed `fpgm' (#46223).

* src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a malformed `fpgm' table more than once.
---
 ChangeLog | 7 +++++++
 src/truetype/ttobjs.c | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 09ba4b2b8..369bef47a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-18 Werner Lemberg
+
+ [truetype] Better protection against malformed `fpgm' (#46223).
+
+ * src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a
+ malformed `fpgm' table more than once.
+
 2015-10-17 Werner Lemberg
 
 * src/cid/cidgload.c (cid_load_glyph): Fix memory leak.
diff --git a/src/truetype/ttobjs.c b/src/truetype/ttobjs.c
index 6060d6f5d..b0d9f2843 100644
--- a/src/truetype/ttobjs.c
+++ b/src/truetype/ttobjs.c
@@ -1078,7 +1078,15 @@
 }
 
 /* Fine, now run the font program! */
+
+ /* In case of an error while executing `fpgm', we intentionally don't */
+ /* clean up immediately – bugs in the `fpgm' are so fundamental that */
+ /* all following hinting calls should fail. Additionally, `fpgm' is */
+ /* to be executed just once; calling it again is completely useless */
+ /* and might even lead to extremely slow behaviour if it is malformed */
+ /* (containing an infinite loop, for example). */
 error = tt_size_run_fpgm( size, pedantic );
+ return error;
 
 Exit:
 if ( error )
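Review bot: The added `return error;` after `tt_size_run_fpgm` only prevents re-execution of a malformed `fpgm` if the failure is remembered on the size object and the callers consult that state instead of re-entering `tt_size_init_bytecode`; neither the caching nor the caller check is visible in this hunk, so the line should state the dependency, e.g. `return error;  /* failure is kept on the size object; callers must not retry initialization */`. The new early return also means the `Exit:` label and its cleanup are now reached only from the earlier `goto Exit` paths, which is the intended effect but reads like a missed cleanup; adding one sentence to the big comment saying that the `Exit:` cleanup is deliberately skipped here would stop a future reader from "fixing" it. Since the motivation is a denial-of-service via a non-terminating font program, it is worth noting in the comment that skipping re-execution limits the cost to a single run and does not by itself bound that first run. The enclosing function `tt_size_init_bytecode` begins before the hunk, and the `Exit:` block continues past its end.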