freetype-commit

[freetype2] master 6ceeb87: Fix more 32bit issues (#54208)


From: Werner LEMBERG
Subject: [freetype2] master 6ceeb87: Fix more 32bit issues (#54208)
Date: Thu, 5 Jul 2018 16:31:25 -0400 (EDT)

branch: master
commit 6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    Fix more 32bit issues (#54208)
    
    * src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
    run-time error.
    
    * src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against
    numeric overflow.
---
 ChangeLog              | 10 ++++++++++
 src/cff/cffload.c      |  9 ++++++++-
 src/truetype/ttgxvar.c |  8 ++++----
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9f927fc..0bcdb95 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2018-07-05  Werner Lemberg  <address@hidden>
+
+       Fix more 32bit issues (#54208)
+
+       * src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
+       run-time error.
+
+       * src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against
+       numeric overflow.
+
 2018-07-04  Werner Lemberg  <address@hidden>
 
        Fix 32bit build warnings (#54239).
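Review bot: the new entry's summary line, "Fix more 32bit issues (#54208)", has no trailing period, while the entry directly below it ends with one ("Fix 32bit build warnings (#54239)."). Pick one form so the ChangeLog stays consistent. It would also help to say in the `cff_blend_build_vector` item what input triggers the new run-time error, since "Convert assertion into run-time error" does not tell a reader that malformed font data can reach this path.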
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 9942d57..015b2c8 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1398,7 +1398,14 @@
     FT_UInt       master;
 
 
-    FT_ASSERT( lenNDV == 0 || NDV );
+    /* protect against malformed fonts */
+    if ( !( lenNDV == 0 || NDV ) )
+    {
+      FT_TRACE4(( " cff_blend_build_vector:"
+                  " Malformed Normalize Design Vector data\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
 
     blend->builtBV = FALSE;
 
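Review bot: the new `goto Exit` in `cff_blend_build_vector` is taken before `blend->builtBV = FALSE;` runs, so on this error path the flag keeps whatever value an earlier call left in it. If a stale TRUE could let a later caller treat an old blend vector as current, move the reset above the check; if that cannot happen, a one-line comment saying so would save the next reader the question. Two smaller points: the condition reads more directly as `lenNDV != 0 && !NDV`, and the trace text "Normalize Design Vector" probably wants to be "Normalized".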
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 6215729..0937301 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1780,11 +1780,11 @@
       }
 
       if ( coord < a->def )
-        normalized[i] = -FT_DivFix( coord - a->def,
-                                    a->minimum - a->def );
+        normalized[i] = -FT_DivFix( SUB_LONG( coord, a->def ),
+                                    SUB_LONG( a->minimum, a->def ) );
       else if ( coord > a->def )
-        normalized[i] = FT_DivFix( coord - a->def,
-                                   a->maximum - a->def );
+        normalized[i] = FT_DivFix( SUB_LONG( coord, a->def ),
+                                   SUB_LONG( a->maximum, a->def ) );
       else
         normalized[i] = 0;
     }
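Review bot: in `ft_var_to_normalized` the two subtractions are now routed through `SUB_LONG`, but the unary minus in `-FT_DivFix( SUB_LONG( coord, a->def ),` is still a plain signed negation, so the overflow protection stops one operation short on the `coord < a->def` branch. Either negate through the matching helper or swap the operands of one subtraction so no negation is needed. Also, assuming `SUB_LONG` wraps rather than saturates, an out-of-range difference from a malformed axis record is now well-defined but still wrong when it reaches `FT_DivFix`; a short comment stating that a garbage `normalized[i]` is acceptable here, or a range check on `a->minimum`, `a->def` and `a->maximum`, would make the intent clear.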


