fdo-mirrors/freetype
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/freetype/freetype.git synced 2026-05-08 02:18:05 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

[truetype]: Limit `SLOOP' bytecode argument to 16 bits.

Browse source 
This fixes

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707

* src/truetype/ttinterp.c (Ins_SLOOP): Do it.
This commit is contained in:
Werner Lemberg 2018-04-15 21:55:04 +02:00
parent 827ca3bcf2
commit 235b1e2fe6
2 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
ChangeLog
View file

@ -1,3 +1,13 @@
2018-04-15 Werner Lemberg <wl@gnu.org>
[truetype]: Limit `SLOOP' bytecode argument to 16 bits.
This fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707
* src/truetype/ttinterp.c (Ins_SLOOP): Do it.
2018-04-14 Werner Lemberg <wl@gnu.org>
[truetype] Integer overflow issues.

5
src/truetype/ttinterp.c
View file

@ -3289,7 +3289,10 @@
if ( args[0] < 0 )
exc->error = FT_THROW( Bad_Argument );
else
exc->GS.loop = args[0];
{
/* we heuristically limit the number of loops to 16 bits */
exc->GS.loop = args[0] > 0xFFFFL ? 0xFFFFL : args[0];
}
}