ref: c67b9a1c5b27afbb466a35222c84b1bccb81d238
parent: 3cb7b3f7cb35fe403195e5e5dd76c1a8fce2e59a
author: Armin Hasitzka <[email protected]>
date: Sat Nov 23 06:01:18 EST 2019
[truetype] Fix integer overflow (#57287). * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-11-23 Armin Hasitzka <[email protected]>
+
+ [truetype] Fix integer overflow (#57287).
+
+ * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
+
2019-11-23 Ben Wagner <[email protected]>
[sfnt] Avoid sanitizer warning (#57286).
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2302,13 +2302,14 @@
if ( face->vertical_info &&
face->vertical.number_Of_VMetrics > 0 )
{- top = (FT_Short)FT_DivFix( loader->pp3.y - bbox.yMax,
+ top = (FT_Short)FT_DivFix( SUB_LONG( loader->pp3.y, bbox.yMax ),
y_scale );
if ( loader->pp3.y <= loader->pp4.y )
advance = 0;
else
- advance = (FT_UShort)FT_DivFix( loader->pp3.y - loader->pp4.y,
+ advance = (FT_UShort)FT_DivFix( SUB_LONG( loader->pp3.y,
+ loader->pp4.y ),
y_scale );
}
else