From 8b4dcd935e90e5a66b6406145eaa0dce4106b02a Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Tue, 20 May 2025 17:27:43 -0400
Subject: [PATCH] [truetype] Update bytecode error handling.
* src/truetype/ttinterp.c (Ins_SHP,SHPIX,ALIGNRP): Return appropriate error in case of stack underflow. (Ins_IP): Ditto and remove redundant check.
---
 src/truetype/ttinterp.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 7e62f16b0..c5a3b040d 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5190,7 +5190,7 @@
 if ( exc->new_top < loop )
 {
 if ( exc->pedantic_hinting )
- exc->error = FT_THROW( Invalid_Reference );
+ exc->error = FT_THROW( Too_Few_Arguments );
 goto Fail;
 }
@@ -5345,7 +5345,7 @@
 if ( exc->new_top < loop )
 {
 if ( exc->pedantic_hinting )
- exc->error = FT_THROW( Invalid_Reference );
+ exc->error = FT_THROW( Too_Few_Arguments );
 goto Fail;
 }
@@ -5849,16 +5849,22 @@
 FT_F26Dot6 distance;
- if ( exc->new_top < loop ||
- BOUNDS( exc->GS.rp0, exc->zp0.n_points ) )
+ if ( exc->new_top < loop )
+ {
+ if ( exc->pedantic_hinting )
+ exc->error = FT_THROW( Too_Few_Arguments );
+ goto Fail;
+ }
+
+ exc->new_top -= loop;
+
+ if ( BOUNDS( exc->GS.rp0, exc->zp0.n_points ) )
 {
 if ( exc->pedantic_hinting )
 exc->error = FT_THROW( Invalid_Reference );
 goto Fail;
 }
- exc->new_top -= loop;
-
 while ( loop-- )
 {
 point = (FT_UShort)*(--args);
@@ -6036,12 +6042,19 @@
 if ( exc->new_top < loop )
 {
 if ( exc->pedantic_hinting )
- exc->error = FT_THROW( Invalid_Reference );
+ exc->error = FT_THROW( Too_Few_Arguments );
 goto Fail;
 }
 exc->new_top -= loop;
+ if ( BOUNDS( exc->GS.rp1, exc->zp0.n_points ) )
+ {
+ if ( exc->pedantic_hinting )
+ exc->error = FT_THROW( Invalid_Reference );
+ goto Fail;
+ }
+
 /*
 * We need to deal in a special way with the twilight zone.
 * Otherwise, by definition, the value of exc->twilight.orus[n] is (0,0),
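Review bot: In the `@@ -5849,16 +5849,22 @@` hunk (presumably Ins_ALIGNRP, going by the commit message), `exc->new_top -= loop;` now runs before the `rp0` bounds check, so an out-of-range `rp0` pops the `loop` arguments before `goto Fail`, whereas the old combined test jumped to `Fail` with `new_top` untouched. That looks like the safer behaviour for keeping the interpreter stack in step with the bytecode of a malformed font, but the commit message mentions only the error code and nothing in the code marks the ordering as deliberate. I would add a comment above the decrement, for example `/* pop the arguments first so the stack stays consistent even if rp0 is invalid */`. The `Fail` label and the rest of the function lie outside the hunk, so what happens to `new_top` after the jump should be confirmed there.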
@@ -6051,13 +6064,6 @@
 exc->GS.gep1 == 0 ||
 exc->GS.gep2 == 0 );
- if ( BOUNDS( exc->GS.rp1, exc->zp0.n_points ) )
- {
- if ( exc->pedantic_hinting )
- exc->error = FT_THROW( Invalid_Reference );
- goto Fail;
- }
-
 if ( twilight )
 orus_base = &exc->zp0.org[exc->GS.rp1];
 else
@@ -6069,8 +6075,7 @@
 /* fonts out there (e.g. [aeu]grave in monotype.ttf) */
 /* calling IP[] with bad values of rp[12]. */
 /* Do something sane when this odd thing happens. */
- if ( BOUNDS( exc->GS.rp1, exc->zp0.n_points ) ||
- BOUNDS( exc->GS.rp2, exc->zp1.n_points ) )
+ if ( BOUNDS( exc->GS.rp2, exc->zp1.n_points ) )
 {
 old_range = 0;
 cur_range = 0;
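Review bot: The comment kept as context in the `@@ -6069,8 +6075,7 @@` hunk still says IP[] is called "with bad values of rp[12]", but the fallback below it (`old_range = 0; cur_range = 0;`) is now reached only for an out-of-range `rp2`. An out-of-range `rp1` has already taken `goto Fail` at the check moved up in the `@@ -6036,12 +6042,19 @@` hunk, which matters because `exc->GS.rp1` indexes `exc->zp0.org[]` shortly after. I would reword that comment line to something like `/* calling IP[] with a bad value of rp2 (a bad rp1 fails earlier). */` so a reader does not assume an invalid `rp1` is tolerated at this point. The enclosing function starts and ends outside the hunk.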