authorWerner Lemberg <wl@gnu.org>2015-10-22 10:11:23 +0200
committerWerner Lemberg <wl@gnu.org>2015-10-22 10:11:23 +0200
commitf1c93439b992fa66f17e92ee13314440f13008a2 (patch)
treefddb746ce09d05d5fa3f500115cc613a002572b8
parent59ae73fe1658f5cf001f76b983abbdb1f1ff6dc2 (diff)
[cff] Avoid overflow/module arithmetic.
This modifies the addition of subroutine number to subroutine bias from unsigned to signed, but does not change any results. * src/cff/cf2ft.c (cf2_initGlobalRegionBuffer, cf2_initLocalRegionBuffer): Change variable names from (unsigned) `idx' to (signed) `subrNum', since it is not an index until after the bias is added. * src/cff/cf2ft.h: Updated. * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdCALLSUBR>: Updated similarly.
-rw-r--r--ChangeLog17
-rw-r--r--src/cff/cf2ft.c14
-rw-r--r--src/cff/cf2ft.h4
-rw-r--r--src/cff/cf2intrp.c12
4 files changed, 35 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index f01f1499b..c4a61a105 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2015-10-22 Dave Arnold <darnold@adobe.com>
+ Werner Lemberg <wl@gnu.org>
+
+ [cff] Avoid overflow/module arithmetic.
+
+ This modifies the addition of subroutine number to subroutine bias
+ from unsigned to signed, but does not change any results.
+
+ * src/cff/cf2ft.c (cf2_initGlobalRegionBuffer,
+ cf2_initLocalRegionBuffer): Change variable names from (unsigned)
+ `idx' to (signed) `subrNum', since it is not an index until after
+ the bias is added.
+ * src/cff/cf2ft.h: Updated.
+
+ * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdCALLSUBR>:
+ Updated similarly.
+
2015-10-22 Werner Lemberg <wl@gnu.org>
[cid] Better check of `SubrCount' dictionary entry (#46272).
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index d2544a234..55f3206ac 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -544,14 +544,17 @@
/* return 0 on success */
FT_LOCAL_DEF( CF2_Int )
cf2_initGlobalRegionBuffer( CFF_Decoder* decoder,
- CF2_UInt idx,
+ CF2_Int subrNum,
CF2_Buffer buf )
{
+ CF2_UInt idx;
+
+
FT_ASSERT( decoder );
FT_ZERO( buf );
- idx += (CF2_UInt)decoder->globals_bias;
+ idx = (CF2_UInt)( subrNum + decoder->globals_bias );
if ( idx >= decoder->num_globals )
return TRUE; /* error */
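Review bot: The new `idx = (CF2_UInt)( subrNum + decoder->globals_bias );` does the addition in signed arithmetic, so it is only well-defined if the sum cannot overflow; the bound on `subrNum` is not visible in this hunk and should be stated where the value is produced. A negative sum is handled only implicitly, because the conversion to `CF2_UInt` turns it into a large value that `idx >= decoder->num_globals` then rejects. I would document that next to the cast, e.g. `/* a negative sum converts to a large CF2_UInt and is rejected by the range check below */`. The same applies to `cf2_initLocalRegionBuffer` in the next hunk with `locals_bias` and `num_locals`. The function body continues outside the hunk, so how `idx` is used after the check cannot be confirmed from here.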
@@ -628,14 +631,17 @@
FT_LOCAL_DEF( CF2_Int )
cf2_initLocalRegionBuffer( CFF_Decoder* decoder,
- CF2_UInt idx,
+ CF2_Int subrNum,
CF2_Buffer buf )
{
+ CF2_UInt idx;
+
+
FT_ASSERT( decoder );
FT_ZERO( buf );
- idx += (CF2_UInt)decoder->locals_bias;
+ idx = (CF2_UInt)( subrNum + decoder->locals_bias );
if ( idx >= decoder->num_locals )
return TRUE; /* error */
diff --git a/src/cff/cf2ft.h b/src/cff/cf2ft.h
index 3073df382..98105111b 100644
--- a/src/cff/cf2ft.h
+++ b/src/cff/cf2ft.h
@@ -99,7 +99,7 @@ FT_BEGIN_HEADER
FT_LOCAL( CF2_Int )
cf2_initGlobalRegionBuffer( CFF_Decoder* decoder,
- CF2_UInt idx,
+ CF2_Int subrNum,
CF2_Buffer buf );
FT_LOCAL( FT_Error )
cf2_getSeacComponent( CFF_Decoder* decoder,
@@ -110,7 +110,7 @@ FT_BEGIN_HEADER
CF2_Buffer buf );
FT_LOCAL( CF2_Int )
cf2_initLocalRegionBuffer( CFF_Decoder* decoder,
- CF2_UInt idx,
+ CF2_Int subrNum,
CF2_Buffer buf );
FT_LOCAL( CF2_Fixed )
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index b49b96f00..1910f1b87 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -746,7 +746,7 @@
case cf2_cmdCALLGSUBR:
case cf2_cmdCALLSUBR:
{
- CF2_UInt subrIndex;
+ CF2_Int subrNum;
FT_TRACE4(( op1 == cf2_cmdCALLGSUBR ? " callgsubr"
@@ -766,17 +766,17 @@
(size_t)charstringIndex + 1 );
/* set up the new CFF region and pointer */
- subrIndex = (CF2_UInt)cf2_stack_popInt( opStack );
+ subrNum = cf2_stack_popInt( opStack );
switch ( op1 )
{
case cf2_cmdCALLGSUBR:
FT_TRACE4(( " (idx %d, entering level %d)\n",
- subrIndex + (CF2_UInt)decoder->globals_bias,
+ subrNum + decoder->globals_bias,
charstringIndex + 1 ));
if ( cf2_initGlobalRegionBuffer( decoder,
- subrIndex,
+ subrNum,
charstring ) )
{
lastError = FT_THROW( Invalid_Glyph_Format );
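Review bot: `subrNum` is popped from the operand stack and used in the trace expression `subrNum + decoder->globals_bias` before any range check, so the value printed as `idx` may be negative and is not the unsigned index that `cf2_initGlobalRegionBuffer` validates. A short comment at the pop would make the contract explicit, e.g. `/* unbiased subroutine number from the charstring; may be negative, range-checked in cf2_init*RegionBuffer */`. Relabelling the trace from `idx` to something like `subr` would also avoid implying a validated index. The same applies to the `cf2_cmdCALLSUBR` branch in the following hunk. The enclosing `case` block starts and ends outside this hunk.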
@@ -787,11 +787,11 @@
default:
/* cf2_cmdCALLSUBR */
FT_TRACE4(( " (idx %d, entering level %d)\n",
- subrIndex + (CF2_UInt)decoder->locals_bias,
+ subrNum + decoder->locals_bias,
charstringIndex + 1 ));
if ( cf2_initLocalRegionBuffer( decoder,
- subrIndex,
+ subrNum,
charstring ) )
{
lastError = FT_THROW( Invalid_Glyph_Format );