Commit b98dfda392542f770a10063af625ef295c7803db
2016-09-03T08:20:31
[base] Avoid negative bitmap stroke dimensions (#48985). * src/base/ftobjs.c (FT_Open_Face): Check whether negation was actually successful. For example, this can fail for value -32768 if the type is `signed short'. If there are problems, disable the stroke.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
diff --git a/ChangeLog b/ChangeLog
index 5e7cc03..7100e70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
2016-09-03 Werner Lemberg <wl@gnu.org>
+ [base] Avoid negative bitmap stroke dimensions (#48985).
+
+ * src/base/ftobjs.c (FT_Open_Face): Check whether negation was
+ actually successful. For example, this can fail for value
+ -32768 if the type is `signed short'. If there are problems,
+ disable the stroke.
+
+2016-09-03 Werner Lemberg <wl@gnu.org>
+
[cff] Avoid null pointer passed to FT_MEM_COPY (#48984).
* src/cff/cffload.c (cff_index_get_name): Check `byte_len'.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 7a78357..0c9e409 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -2314,11 +2314,24 @@
if ( bsize->height < 0 )
- bsize->height = (FT_Short)-bsize->height;
+ bsize->height = -bsize->height;
if ( bsize->x_ppem < 0 )
- bsize->x_ppem = (FT_Short)-bsize->x_ppem;
+ bsize->x_ppem = -bsize->x_ppem;
if ( bsize->y_ppem < 0 )
bsize->y_ppem = -bsize->y_ppem;
+
+ /* check whether negation actually has worked */
+ if ( bsize->height < 0 || bsize->x_ppem < 0 || bsize->y_ppem < 0 )
+ {
+ FT_TRACE0(( "FT_Open_Face:"
+ " Invalid bitmap dimensions for stroke %d,"
+ " now disabled\n", i ));
+ bsize->width = 0;
+ bsize->height = 0;
+ bsize->size = 0;
+ bsize->x_ppem = 0;
+ bsize->y_ppem = 0;
+ }
}
}