kc3-lang/freetype

Browse

Commit c67b9a1c5b27afbb466a35222c84b1bccb81d238

Armin Hasitzka 2019-11-23T11:01:18

[truetype] Fix integer overflow (#57287). * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

diff --git a/ChangeLog b/ChangeLog
index 6a2743c..4b0ba72 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-11-23  Armin Hasitzka  <prince.cherusker@gmail.com>
+
+	[truetype] Fix integer overflow (#57287).
+
+	* src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
+
 2019-11-23  Ben Wagner  <bungeman@google.com>
 
 	[sfnt] Avoid sanitizer warning (#57286).
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 093eed8..4dddb0d 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2302,13 +2302,14 @@
       if ( face->vertical_info                   &&
            face->vertical.number_Of_VMetrics > 0 )
       {
-        top = (FT_Short)FT_DivFix( loader->pp3.y - bbox.yMax,
+        top = (FT_Short)FT_DivFix( SUB_LONG( loader->pp3.y, bbox.yMax ),
                                    y_scale );
 
         if ( loader->pp3.y <= loader->pp4.y )
           advance = 0;
         else
-          advance = (FT_UShort)FT_DivFix( loader->pp3.y - loader->pp4.y,
+          advance = (FT_UShort)FT_DivFix( SUB_LONG( loader->pp3.y,
+                                                    loader->pp4.y ),
                                           y_scale );
       }
       else
kmx.io     mail     discord kmxgit v0.4.0