[truetype] Improve error handling of `SHZ' bytecode instruction. r=stuart a=blocking-fennec
authorWerner Lemberg <wl@gnu.org>
Thu, 18 Nov 2010 16:36:22 -0500
changeset 57866 bef94549e955b80e8a1dd8fa99722af89f867678
parent 57865 4675bda39bf2e7ab297d9bfb86a7171cb51959c4
child 57867 003e0d6ec5a943d71dc8dd670a0654a504dcb5df
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersstuart, blocking-fennec
milestone2.0b8pre
[truetype] Improve error handling of `SHZ' bytecode instruction. r=stuart a=blocking-fennec From 0edf0986f3be570f5bf90ff245a85c1675f5c9a4 Mon Sep 17 00:00:00 2001 Date: Wed, 06 Oct 2010 09:52:27 +0000 Problem reported by Chris Evans <scarybeasts@gmail.com>. * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'. ---
modules/freetype2/ChangeLog
modules/freetype2/src/truetype/ttinterp.c
--- a/modules/freetype2/ChangeLog
+++ b/modules/freetype2/ChangeLog
@@ -1,8 +1,15 @@
+2010-10-06  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Improve error handling of `SHZ' bytecode instruction.
+	Problem reported by Chris Evans <scarybeasts@gmail.com>.
+
+	* src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
+
 2010-10-03  Werner Lemberg  <wl@gnu.org>
 
 	* Version 2.4.3 released.
 	=========================
 
 
 	Tag sources with `VER-2-4-3'.
 
--- a/modules/freetype2/src/truetype/ttinterp.c
+++ b/modules/freetype2/src/truetype/ttinterp.c
@@ -5790,17 +5790,26 @@
 
     /* XXX: UNDOCUMENTED! SHZ doesn't move the phantom points.  */
     /*      Twilight zone has no contours, so use `n_points'.   */
     /*      Normal zone's `n_points' includes phantoms, so must */
     /*      use end of last contour.                            */
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;
 
     /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
     for ( i = 0; i <= last_point; i++ )
     {
       if ( zp.cur != CUR.zp2.cur || refp != i )
         MOVE_Zp2_Point( i, dx, dy, FALSE );
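Review bot: The fallback `last_point = 0;` still lets `for ( i = 0; i <= last_point; i++ )` run once, so `MOVE_Zp2_Point( 0, dx, dy, FALSE )` is reached even when zp2 has no points (gep2 == 0 with n_points == 0) or no contours, and the new `BOUNDS` check does not cover that path. Whether index 0 is always backed by allocated zone storage is not visible in this hunk, so on a malformed font this may still be a write outside the zone. An exclusive limit would make the empty case explicit: set `limit = 0;` in the else branch, `limit = last_point + 1` in the two other branches, and loop with `for ( i = 0; i < limit; i++ )`. Ins_SHZ starts before and ends after this hunk, so the declared types of `i` and `last_point` need checking to confirm that `limit` cannot wrap at the FT_UShort maximum.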