diff options
| author | Werner Lemberg <wl@gnu.org> | 2018-07-05 22:31:10 +0200 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2018-07-05 22:31:10 +0200 |
| commit | 6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7 (patch) | |
| tree | acb88bf34ff8fdeb3bec7b7038626cdb81a58dee | |
| parent | 29f05fd02d2ba51965f994456d41ed1e9c9f769a (diff) | |
| download | freetype2-6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7.tar.gz | |
Fix more 32bit issues (#54208)
* src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
run-time error.
* src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against
numeric overflow.
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | src/cff/cffload.c | 9 | ||||
| -rw-r--r-- | src/truetype/ttgxvar.c | 8 |
3 files changed, 22 insertions, 5 deletions
@@ -1,3 +1,13 @@ +2018-07-05 Werner Lemberg <wl@gnu.org> + + Fix more 32bit issues (#54208) + + * src/cff/cffload.c (cff_blend_build_vector): Convert assertion into + run-time error. + + * src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against + numeric overflow. + 2018-07-04 Werner Lemberg <wl@gnu.org> Fix 32bit build warnings (#54239). diff --git a/src/cff/cffload.c b/src/cff/cffload.c index 9942d57a1..015b2c80f 100644 --- a/src/cff/cffload.c +++ b/src/cff/cffload.c @@ -1398,7 +1398,14 @@ FT_UInt master; - FT_ASSERT( lenNDV == 0 || NDV ); + /* protect against malformed fonts */ + if ( !( lenNDV == 0 || NDV ) ) + { + FT_TRACE4(( " cff_blend_build_vector:" + " Malformed Normalize Design Vector data\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Exit; + } blend->builtBV = FALSE; diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 621572990..0937301b0 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -1780,11 +1780,11 @@ } if ( coord < a->def ) - normalized[i] = -FT_DivFix( coord - a->def, - a->minimum - a->def ); + normalized[i] = -FT_DivFix( SUB_LONG( coord, a->def ), + SUB_LONG( a->minimum, a->def ) ); else if ( coord > a->def ) - normalized[i] = FT_DivFix( coord - a->def, - a->maximum - a->def ); + normalized[i] = FT_DivFix( SUB_LONG( coord, a->def ), + SUB_LONG( a->maximum, a->def ) ); else normalized[i] = 0; } |