author | Werner Lemberg <wl@gnu.org> | 2017-06-01 07:09:44 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2017-06-01 07:09:44 +0200 |
commit | 8d435c463d22f6de35015b244d6f9bb433beb7e6 (patch) | |
tree | 747ffbae712d7d39701fefc6a367cb970efbb935 | |
parent | e66d7300fec2f9fc60e43a924af1972b07ee316b (diff) | |
download | freetype2-8d435c463d22f6de35015b244d6f9bb433beb7e6.tar.gz |
* src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
Problem reported by Marek Kašík <mkasik@redhat.com>.
The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
-rw-r--r-- | ChangeLog | 10 |
-rw-r--r-- | src/truetype/ttinterp.c | 3 |
2 files changed, 11 insertions, 2 deletions
@@ -1,3 +1,13 @@ +2017-06-01 Werner Lemberg <wl@gnu.org> + + * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again. + + Problem reported by Marek Kašík <mkasik@redhat.com>. + + The problematic font that exceeds the old limit is Padauk-Bold, + version 3.002, containing bytecode generated by a buggy version of + ttfautohint. + 2017-05-31 Werner Lemberg <wl@gnu.org> [cff] 32bit integer overflow run-time errors 2/2 (#46149). diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index 0c48c2562..775d11047 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -7649,8 +7649,7 @@ FT_MAX( 50, exc->cvtSize / 10 ); else - exc->loopcall_counter_max = FT_MAX( 100, - 10 * exc->cvtSize ); + exc->loopcall_counter_max = 300 + 8 * exc->cvtSize; /* as a protection against an unreasonable number of CVT entries */ /* we assume at most 100 control values per glyph for the counter */ |
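Review bot: In the `src/truetype/ttinterp.c` hunk, the new bound `300 + 8 * exc->cvtSize` is lower than the old `FT_MAX( 100, 10 * exc->cvtSize )` once `cvtSize` exceeds 150, so this tightens the loop-call limit for fonts with large CVT tables even though the log describes it as a fix for a font that exceeded the old limit. Please confirm that fonts which passed under the 10x multiplier still fit under 8x, or keep the old value as a floor. The constants 300 and 8 also appear without explanation; a short comment beside the assignment saying how they were chosen (for example, the call count observed with the Padauk-Bold bytecode) would keep the next adjustment from being guesswork, since the log already calls this adjusting the counter "again".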