[truetype] Fix integer overflow (#57287). * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
diff --git a/ChangeLog b/ChangeLog
index 6a2743c..4b0ba72 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-11-23 Armin Hasitzka <prince.cherusker@gmail.com>
+
+ [truetype] Fix integer overflow (#57287).
+
+ * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
+
2019-11-23 Ben Wagner <bungeman@google.com>
[sfnt] Avoid sanitizer warning (#57286).
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 093eed8..4dddb0d 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2302,13 +2302,14 @@
if ( face->vertical_info &&
face->vertical.number_Of_VMetrics > 0 )
{
- top = (FT_Short)FT_DivFix( loader->pp3.y - bbox.yMax,
+ top = (FT_Short)FT_DivFix( SUB_LONG( loader->pp3.y, bbox.yMax ),
y_scale );
if ( loader->pp3.y <= loader->pp4.y )
advance = 0;
else
- advance = (FT_UShort)FT_DivFix( loader->pp3.y - loader->pp4.y,
+ advance = (FT_UShort)FT_DivFix( SUB_LONG( loader->pp3.y,
+ loader->pp4.y ),
y_scale );
}
else