shithub: freetype+ttf2subf

Download patch

ref: c67b9a1c5b27afbb466a35222c84b1bccb81d238
parent: 3cb7b3f7cb35fe403195e5e5dd76c1a8fce2e59a
author: Armin Hasitzka <prince.cherusker@gmail.com>
date: Sat Nov 23 06:01:18 EST 2019

[truetype] Fix integer overflow (#57287).

* src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.

git/fs: mount .git/fs: mount/attach disallowed
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-11-23  Armin Hasitzka  <prince.cherusker@gmail.com>
+
+	[truetype] Fix integer overflow (#57287).
+
+	* src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'.
+
 2019-11-23  Ben Wagner  <bungeman@google.com>
 
 	[sfnt] Avoid sanitizer warning (#57286).
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2302,13 +2302,14 @@
       if ( face->vertical_info                   &&
            face->vertical.number_Of_VMetrics > 0 )
       {
-        top = (FT_Short)FT_DivFix( loader->pp3.y - bbox.yMax,
+        top = (FT_Short)FT_DivFix( SUB_LONG( loader->pp3.y, bbox.yMax ),
                                    y_scale );
 
         if ( loader->pp3.y <= loader->pp4.y )
           advance = 0;
         else
-          advance = (FT_UShort)FT_DivFix( loader->pp3.y - loader->pp4.y,
+          advance = (FT_UShort)FT_DivFix( SUB_LONG( loader->pp3.y,
+                                                    loader->pp4.y ),
                                           y_scale );
       }
       else