I think I found a few pop-push miscounts in the bytecode interpreter. Please review the path below. Also, not included in the patch, GETVARIATION should have negative opcode length, as it pushes variable amount. GETDATA seems to pop without pushing anything back. RAW pushes without popping. ADJUST pops three without pushing. PUSHB and PUSHW seems to pop one too, which I do not quite get.
index 68a87cf..96ca598 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -682,23 +682,23 @@
/* IUP[0] */ PACK( 0, 0 ),
/* IUP[1] */ PACK( 0, 0 ),
- /* SHP[0] */ PACK( 0, 0 ),
- /* SHP[1] */ PACK( 0, 0 ),
+ /* SHP[0] */ PACK( 1, 0 ),
+ /* SHP[1] */ PACK( 1, 0 ),
/* SHC[0] */ PACK( 1, 0 ),
/* SHC[1] */ PACK( 1, 0 ),
/* SHZ[0] */ PACK( 1, 0 ),
/* SHZ[1] */ PACK( 1, 0 ),
- /* SHPIX */ PACK( 1, 0 ),
- /* IP */ PACK( 0, 0 ),
+ /* SHPIX */ PACK( 2, 0 ),
+ /* IP */ PACK( 1, 0 ),
/* MSIRP[0] */ PACK( 2, 0 ),
/* MSIRP[1] */ PACK( 2, 0 ),
- /* AlignRP */ PACK( 0, 0 ),
+ /* AlignRP */ PACK( 1, 0 ),
/* RTDG */ PACK( 0, 0 ),
/* MIAP[0] */ PACK( 2, 0 ),
/* MIAP[1] */ PACK( 2, 0 ),
- /* NPushB */ PACK( 0, 0 ),
- /* NPushW */ PACK( 0, 0 ),
+ /* NPushB */ PACK( 1, 0 ),
+ /* NPushW */ PACK( 1, 0 ),
/* WS */ PACK( 2, 0 ),
/* RS */ PACK( 1, 1 ),
/* WCvtP */ PACK( 2, 0 ),
@@ -765,7 +765,7 @@
/* SANGW */ PACK( 1, 0 ),
/* AA */ PACK( 1, 0 ),
- /* FlipPT */ PACK( 0, 0 ),
+ /* FlipPT */ PACK( 1, 0 ),
/* FlipRgON */ PACK( 2, 0 ),
/* FlipRgOFF */ PACK( 2, 0 ),
/* INS_$83 */ PACK( 0, 0 ),
--
Alexei A. Podtelezhnikov, PhD