kc3-lang/freetype

Browse

Commit 60d13bd432f56421ed63c5bf14a73e006e9bf7ad

Werner Lemberg 2015-12-21T17:27:17

[type1] Avoid shift of negative numbers (#46732). * src/type1/t1load.c (parse_subrs): Do it. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

diff --git a/ChangeLog b/ChangeLog
index fa32735..fee0e5a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-21  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Avoid shift of negative numbers (#46732).
+
+	* src/type1/t1load.c (parse_subrs): Do it.
+
 2015-12-20  Werner Lemberg  <wl@gnu.org>
 
 	[type1, psaux] Handle large values of num_subrs correctly (#46692).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 3fb3cd2..4cb6ef0 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1433,7 +1433,8 @@
     }
 
     /* we certainly need more than 8 bytes per subroutine */
-    if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+    if ( parser->root.limit > parser->root.cursor                      &&
+         num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
     {
       /*
        * There are two possibilities.  Either the font contains an invalid
kmx.io     mail     discord kmxgit v0.4.0