Commit 983b00ec8667baf6cd6b23c420d94c681ffd2ec4
2015-10-08T18:44:45
[sfnt] Fix some signed overflows (#46149). * src/sfnt/ttsbit.c (tt_face_load_strike_metrics) <TT_SBIT_TABLE_TYPE_SBIX>: Use `FT_MulDiv'.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
diff --git a/ChangeLog b/ChangeLog
index 8fb955e..066136a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2015-10-08 Werner Lemberg <wl@gnu.org>
+ [sfnt] Fix some signed overflows (#46149).
+
+ * src/sfnt/ttsbit.c (tt_face_load_strike_metrics)
+ <TT_SBIT_TABLE_TYPE_SBIX>: Use `FT_MulDiv'.
+
+2015-10-08 Werner Lemberg <wl@gnu.org>
+
[type1] Protect against invalid number of subroutines (#46150).
* src/type1/t1load.c (parse_subrs): Check number of
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index 3b351ec..8235255 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -269,11 +269,11 @@
case TT_SBIT_TABLE_TYPE_SBIX:
{
FT_Stream stream = face->root.stream;
- FT_UInt offset, upem;
- FT_UShort ppem, resolution;
+ FT_UInt offset;
+ FT_UShort upem, ppem, resolution;
TT_HoriHeader *hori;
FT_ULong table_size;
- FT_Pos ppem_, upem_; /* to reduce casts */
+ FT_Pos ppem_; /* to reduce casts */
FT_Error error;
FT_Byte* p;
@@ -307,14 +307,16 @@
metrics->y_ppem = ppem;
ppem_ = (FT_Pos)ppem;
- upem_ = (FT_Pos)upem;
-
- metrics->ascender = ppem_ * hori->Ascender * 64 / upem_;
- metrics->descender = ppem_ * hori->Descender * 64 / upem_;
- metrics->height = ppem_ * ( hori->Ascender -
- hori->Descender +
- hori->Line_Gap ) * 64 / upem_;
- metrics->max_advance = ppem_ * hori->advance_Width_Max * 64 / upem_;
+
+ metrics->ascender =
+ FT_MulDiv( hori->Ascender, ppem_ * 64, upem );
+ metrics->descender =
+ FT_MulDiv( hori->Descender, ppem_ * 64, upem );
+ metrics->height =
+ FT_MulDiv( hori->Ascender - hori->Descender + hori->Line_Gap,
+ ppem_ * 64, upem );
+ metrics->max_advance =
+ FT_MulDiv( hori->advance_Width_Max, ppem_ * 64, upem );
return error;
}