kc3-lang/freetype

Browse

Commit 839cb404cf73f4410d58ebb3a99d16e08f4bdee7

Werner Lemberg 2018-07-16T05:45:45

* src/truetype/ttgxvar.c (tt_set_mm_blend): Fix off-by-one error. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9412 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

diff --git a/ChangeLog b/ChangeLog
index 87f3d17..9ce6368 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-07-16  Werner Lemberg  <wl@gnu.org>
+
+	* src/truetype/ttgxvar.c (tt_set_mm_blend): Fix off-by-one error.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9412
+
 2018-07-12  Werner Lemberg  <wl@gnu.org>
 
 	* src/base/ftoutln.c (FT_Outline_Get_Orientation): Init `cbox'.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 0937301..d143fce 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2533,11 +2533,14 @@
 
       if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) )
       {
-        FT_UInt  idx = (FT_UInt)face->root.face_index >> 16;
+        FT_UInt  instance_index = (FT_UInt)face->root.face_index >> 16;
 
 
         c = blend->normalizedcoords + i;
-        n = blend->normalized_stylecoords + idx * mmvar->num_axis + i;
+        n = blend->normalized_stylecoords            +
+            ( instance_index - 1 ) * mmvar->num_axis +
+            i;
+
         for ( j = i; j < mmvar->num_axis; j++, n++, c++ )
           if ( *c != *n )
             have_diff = 1;
kmx.io     mail     discord kmxgit v0.4.0