authorsuzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>2009-07-03 18:01:35 +0900
committersuzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>2009-07-03 18:01:35 +0900
commitdc4357df7d38715eb47ab352017a4145888885f5 (patch)
tree6784cb75c088b86e40d1282852562786abb2abf8
parenta72a4bd3b75e231c854c1fdc1ae0e06aaeeb3e76 (diff)
truetype: Check invalid function number in IDEF instruction.
-rw-r--r--ChangeLog7
-rw-r--r--src/truetype/ttinterp.c11
2 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 29d954c7c..18917d21b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2009-07-03 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ truetype: Check invalid function number in IDEF instruction.
+
+ * src/truetype/ttinterp.c (Ins_IDEF): Check
+ if the operand fits to 8-bit opcode limitation.
+
+2009-07-03 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
truetype: Check invalid function number in FDEF instruction.
* src/truetype/ttinterp.c (Ins_FDEF): Check
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 816d1dad4..13aa9a27c 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4561,13 +4561,20 @@
CUR.numIDefs++;
}
- def->opc = args[0];
+ /* opcode must be unsigned 8-bit integer */
+ if ( 0 > args[0] || args[0] > 0x00FF )
+ {
+ CUR.error = TT_Err_Too_Many_Instruction_Defs;
+ return;
+ }
+
+ def->opc = (FT_Byte)args[0];
def->start = CUR.IP+1;
def->range = CUR.curRange;
def->active = TRUE;
if ( (FT_ULong)args[0] > CUR.maxIns )
- CUR.maxIns = args[0];
+ CUR.maxIns = (FT_Byte)args[0];
/* Now skip the whole function definition. */
/* We don't allow nested IDEFs & FDEFs. */
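Review bot: The new range check runs after `CUR.numIDefs++;` at the top of the hunk, so an IDEF with an out-of-range opcode returns with a definition slot apparently already counted while its `opc`, `start`, `range` and `active` fields are left unwritten. Whether anything reads that slot once the error is set is not visible here, but validating before reserving is safer: move `if ( 0 > args[0] || args[0] > 0x00FF )` ahead of the table lookup and slot reservation, both of which begin outside this hunk. Reusing `TT_Err_Too_Many_Instruction_Defs` also makes a malformed opcode indistinguishable from a full definition table in diagnostics; a distinct invalid-opcode error, or a comment explaining the reuse, would help when triaging rejected fonts.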