ref: 29e044a4af2f63bbebadf0d23d14be6ec4af86ec
parent: 12cf031644ddd2531fa315e948aad24499adb251
author: suzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp>
date: Mon Aug 30 21:23:30 EDT 2010
[truetype] Prevent bytecode reuse after the interpretation error.
* src/truetype/ttinterp.c (free_buffer_in_size): New function to
free the buffer allocated during the interpretation of this glyph.
(TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if
an error occurs in the bytecode interpretation. The interpretation
of invalid bytecode may break the function definitions, and referencing
them in a later interpretation is dangerous. By unsetting these flags,
the `fpgm' and `prep' tables are executed again in the next interpretation.
Fix Savannah bug #30798, reported by Robert Swiecki.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2010-08-30 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ [truetype] Prevent bytecode reuse after the interpretation error.
+
+ * src/truetype/ttinterp.c (free_buffer_in_size): New function to
+ free the buffer allocated during the interpretation of this glyph.
+ (TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if
+ an error occurs in the bytecode interpretation. The interpretation
+ of invalid bytecode may break the function definitions and referring
+ them in later interpretation is danger. By unsetting these flags,
+ `fpgm' and `prep' tables are executed again in next interpretation.
+
+ Fix Savannah bug #30798, reported by Robert Swiecki.
+
2010-08-29 Werner Lemberg <wl@gnu.org>
[ftraster] Pacify compiler.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -7362,6 +7362,41 @@
#endif /* !TT_CONFIG_OPTION_INTERPRETER_SWITCH */
+ static void
+ free_buffer_in_size( TT_ExecContext exc )
+ {
+ FT_Memory memory = exc->memory;
+ TT_Size size = exc->size;
+ TT_GlyphZoneRec twilight;
+
+
+ if ( !size )
+ return;
+
+ if ( size->function_defs )
+ FT_FREE( size->function_defs );
+ if ( size->instruction_defs )
+ FT_FREE( size->instruction_defs );
+ if ( size->cvt )
+ FT_FREE( size->cvt );
+ if ( size->storage )
+ FT_FREE( size->storage );
+
+ twilight = size->twilight;
+
+ if ( twilight.org )
+ FT_FREE( twilight.org );
+ if ( twilight.cur )
+ FT_FREE( twilight.cur );
+ if ( twilight.orus )
+ FT_FREE( twilight.orus );
+ if ( twilight.tags )
+ FT_FREE( twilight.tags );
+ if ( twilight.contours )
+ FT_FREE( twilight.contours );
+ }
+
+
/*************************************************************************/
/* */
/* RUN */
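Review bot: `twilight = size->twilight;` copies the zone struct by value, so the five FT_FREE calls that follow release the buffers but reset only the local copy's pointers; `size->twilight.org` through `size->twilight.contours` are left dangling in the size object, which a later teardown of the size (or any code that reuses the zone before it is reallocated) would free or dereference again. Free through the size object directly so FT_FREE's pointer reset lands where it matters, and drop the now-unused `twilight` local; if `tt_glyphzone_done( &size->twilight )` is reachable from this file it does the same and also resets the zone's point/contour counts. The `if ( size->x )` guards around the earlier FT_FREE calls are redundant for the same reason FT_FREE nulls its argument and, like free(), accepts NULL. The point and contour counts kept alongside the freed buffers are not reset here; presumably the re-run of `fpgm`/`prep` reallocates from them before any use, but that is worth confirming against tt_size_init_bytecode.
```c
    /* … unchanged: function_defs / instruction_defs / cvt / storage frees … */

    FT_FREE( size->twilight.org );
    FT_FREE( size->twilight.cur );
    FT_FREE( size->twilight.orus );
    FT_FREE( size->twilight.tags );
    FT_FREE( size->twilight.contours );
```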
@@ -8127,6 +8162,16 @@
#ifdef TT_CONFIG_OPTION_STATIC_RASTER
*exc = cur;
#endif
+
+ /* if any errors, function tables may be broken. */
+ /* it should not be used for next interpretation. */
+ if ( CUR.error )
+ {
+ FT_TRACE7(( " The interpreter got an error = %d\n", CUR.error ));
+ free_buffer_in_size( exc );
+ exc->size->cvt_ready = FALSE;
+ exc->size->bytecode_ready = FALSE;
+ }
return CUR.error;
}
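Review bot: `exc->size->cvt_ready = FALSE;` and the line after it dereference `exc->size` unconditionally, while `free_buffer_in_size( exc )` just above returns early on `!size`, so the helper treats a NULL size as a legal state that these two writes would then crash on. Either the guard in the helper is unnecessary or the flag resets need the same protection; wrap them as `if ( exc->size ) { exc->size->cvt_ready = FALSE; exc->size->bytecode_ready = FALSE; }`, or move the two resets into free_buffer_in_size after its NULL check so the error path has a single owner. TT_RunIns begins outside this hunk.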
--