ref: 079a22da037835daf5be2bd9eccf7bc1eaa2e783
parent: 978eefee5401abee6bf702c6bcde9afb47893145
author: Werner Lemberg <[email protected]>
date: Tue Apr 19 05:28:21 EDT 2022

* src/truetype/ttgload.c (TT_Process_Simple_Glyph): Integer overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46792

--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1104,8 +1104,8 @@
 
           for ( ; vec < limit; vec++, u++ )
           {
-            vec->x = ( FT_MulFix( u->x, x_scale ) + 32 ) >> 6;
-            vec->y = ( FT_MulFix( u->y, y_scale ) + 32 ) >> 6;
+            vec->x = ADD_LONG( FT_MulFix( u->x, x_scale ), 32 ) >> 6;
+            vec->y = ADD_LONG( FT_MulFix( u->y, y_scale ), 32 ) >> 6;
           }
         }
         else
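Review bot: The two `ADD_LONG` lines in the scaling loop remove the signed-overflow undefined behaviour, but if `ADD_LONG` wraps (its definition is not in the hunk), a scaled value close to the maximum of the type becomes a large negative coordinate after `>> 6` instead of being rejected or clamped. Because the values come from font data (the report is from OSS-Fuzz), it is worth stating that the wrap is accepted, for example `/* ADD_LONG wraps on overflow; malformed fonts may yield out-of-range points here, which later stages must tolerate */` above the loop. The right shift of a negative result also relies on arithmetic shift, which is implementation-defined in C. The enclosing function starts and ends outside the hunk, so whether the `else` branch performs the same addition cannot be checked from here.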