stride3d
/
freetype
зеркало из https://github.com/stride3d/freetype.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[truetype] Improve handling of invalid references. 

* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
error codes only if pedantic hinting is active.  At the same time,
try to provide sane values which hopefully allow useful
continuation.  Exception to this is CALL and LOOPCALL – due to
possible stack corruption it is necessary to bail out.
This commit is contained in:
Werner Lemberg 2011-01-31 18:51:07 +01:00
Родитель 96f0456483
Коммит d6a213f8ea
2 изменённых файлов: 60 добавлений и 43 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

10
ChangeLog
Просмотреть файл

@ -1,3 +1,13 @@
2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Improve handling of invalid references.
* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
error codes only if pedantic hinting is active. At the same time,
try to provide sane values which hopefully allow useful
continuation. Exception to this is CALL and LOOPCALL – due to
possible stack corruption it is necessary to bail out.
2011-01-31 Werner Lemberg <wl@gnu.org>
[truetype] Improve handling of stack underflow.

93
src/truetype/ttinterp.c
Просмотреть файл

@ -985,8 +985,8 @@
/* INS_$83 */ PACK( 0, 0 ),
/* INS_$84 */ PACK( 0, 0 ),
/* ScanCTRL */ PACK( 1, 0 ),
/* SDVPTL[0] */ PACK( 2, 0 ),
/* SDVPTL[1] */ PACK( 2, 0 ),
/* SDPVTL[0] */ PACK( 2, 0 ),
/* SDPVTL[1] */ PACK( 2, 0 ),
/* GetINFO */ PACK( 1, 1 ),
/* IDEF */ PACK( 1, 0 ),
/* ROLL */ PACK( 3, 3 ),
@ -3166,17 +3166,21 @@
args[0] = CUR.top;
#define DO_CINDEX \
{ \
FT_Long L; \
\
\
L = args[0]; \
\
if ( L <= 0 || L > CUR.args ) \
CUR.error = TT_Err_Invalid_Reference; \
else \
args[0] = CUR.stack[CUR.args - L]; \
#define DO_CINDEX \
{ \
FT_Long L; \
\
\
L = args[0]; \
\
if ( L <= 0 || L > CUR.args ) \
{ \
if ( CUR.pedantic_hinting ) \
CUR.error = TT_Err_Invalid_Reference; \
args[0] = 0; \
} \
else \
args[0] = CUR.stack[CUR.args - L]; \
}
@ -4385,17 +4389,19 @@
if ( L <= 0 || L > CUR.args )
{
CUR.error = TT_Err_Invalid_Reference;
return;
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
}
else
{
K = CUR.stack[CUR.args - L];
K = CUR.stack[CUR.args - L];
FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ],
&CUR.stack[CUR.args - L + 1],
( L - 1 ) );
FT_ARRAY_MOVE( &CUR.stack[CUR.args - L ],
&CUR.stack[CUR.args - L + 1],
( L - 1 ) );
CUR.stack[CUR.args - 1] = K;
CUR.stack[CUR.args - 1] = K;
}
}
@ -5038,12 +5044,8 @@
if ( BOUNDSL( L, CUR.zp2.n_points ) )
{
if ( CUR.pedantic_hinting )
{
CUR.error = TT_Err_Invalid_Reference;
return;
}
else
R = 0;
R = 0;
}
else
{
@ -5123,10 +5125,7 @@
BOUNDS( K, CUR.zp1.n_points ) )
{
if ( CUR.pedantic_hinting )
{
CUR.error = TT_Err_Invalid_Reference;
return;
}
D = 0;
}
else
@ -5465,11 +5464,8 @@
if ( CUR.top < CUR.GS.loop )
{
if ( CUR.pedantic_hinting )
{
CUR.error = TT_Err_Too_Few_Arguments;
return;
}
CUR.GS.loop = CUR.top;
goto Fail;
}
while ( CUR.GS.loop > 0 )
@ -5492,6 +5488,7 @@
CUR.GS.loop--;
}
Fail:
CUR.GS.loop = 1;
CUR.new_top = CUR.args;
}
@ -5679,8 +5676,9 @@
if ( CUR.top < CUR.GS.loop )
{
CUR.error = TT_Err_Invalid_Reference;
return;
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
goto Fail;
}
if ( COMPUTE_Point_Displacement( &dx, &dy, &zp, &refp ) )
@ -5706,6 +5704,7 @@
CUR.GS.loop--;
}
Fail:
CUR.GS.loop = 1;
CUR.new_top = CUR.args;
}
@ -5840,8 +5839,9 @@
if ( CUR.top < CUR.GS.loop + 1 )
{
CUR.error = TT_Err_Invalid_Reference;
return;
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
goto Fail;
}
#ifdef TT_CONFIG_OPTION_UNPATENTED_HINTING
@ -5885,6 +5885,7 @@
CUR.GS.loop--;
}
Fail:
CUR.GS.loop = 1;
CUR.new_top = CUR.args;
}
@ -6071,7 +6072,7 @@
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
return;
goto Fail;
}
/* XXX: Is there some undocumented feature while in the */
@ -6156,6 +6157,7 @@
CUR_Func_move( &CUR.zp1, point, distance - org_dist );
Fail:
CUR.GS.rp1 = CUR.GS.rp0;
CUR.GS.rp2 = point;
@ -6193,7 +6195,7 @@
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
return;
goto Fail;
}
if ( !cvtEntry )
@ -6292,6 +6294,7 @@
CUR_Func_move( &CUR.zp1, point, distance - cur_dist );
Fail:
CUR.GS.rp1 = CUR.GS.rp0;
if ( ( CUR.opcode & 16 ) != 0 )
@ -6322,7 +6325,7 @@
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
return;
goto Fail;
}
while ( CUR.GS.loop > 0 )
@ -6350,6 +6353,7 @@
CUR.GS.loop--;
}
Fail:
CUR.GS.loop = 1;
CUR.new_top = CUR.args;
}
@ -6491,8 +6495,9 @@
if ( CUR.top < CUR.GS.loop )
{
CUR.error = TT_Err_Invalid_Reference;
return;
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
goto Fail;
}
/*
@ -6506,7 +6511,7 @@
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
return;
goto Fail;
}
if ( twilight )
@ -6571,6 +6576,8 @@
CUR_Func_move( &CUR.zp2, (FT_UShort)point, new_dist - cur_dist );
}
Fail:
CUR.GS.loop = 1;
CUR.new_top = CUR.args;
}