author | Werner Lemberg <wl@gnu.org> | 2022-03-19 06:40:17 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-03 10:08:21 +0000 |
commit | 72fbb0bc7915dedd7742873ab9289767f1301291 (patch) | |
tree | a8001a03189b234fb8138d4da416987bb738cb8f | |
parent | cae6077cad770c5d1297a518a19d0b7157d927d9 (diff) | |
download | qtwebengine-chromium-72fbb0bc7915dedd7742873ab9289767f1301291.tar.gz |
[Backport] CVE-2022-27405 (1/2)
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5:
* src/base/ftobjs.c (ft_open_face_internal): Properly guard `face_index`.
We must ensure that the cast to `FT_Int` doesn't change the sign.
Fixes #1139.
Change-Id: Ic63e379d5c65bd56d5ca07b80a7015d9f5bc0051
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/freetype/src/src/base/ftobjs.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/chromium/third_party/freetype/src/src/base/ftobjs.c b/chromium/third_party/freetype/src/src/base/ftobjs.c index 5c1a4d034a4..e701e23a308 100644 --- a/chromium/third_party/freetype/src/src/base/ftobjs.c +++ b/chromium/third_party/freetype/src/src/base/ftobjs.c @@ -2451,6 +2451,15 @@ #endif + /* only use lower 31 bits together with sign bit */ + if ( face_index > 0 ) + face_index &= 0x7FFFFFFFL; + else + { + face_index &= 0x7FFFFFFFL; + face_index = -face_index; + } + #ifdef FT_DEBUG_LEVEL_TRACE FT_TRACE3(( "FT_Open_Face: " )); if ( face_index < 0 ) |
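Review bot: in the `else` branch the mask is applied before the negation, so a negative `face_index` does not keep its magnitude. In two's complement, `-1 & 0x7FFFFFFFL` is `0x7FFFFFFF`, and `face_index = -face_index;` then yields -2147483647 instead of -1, so every small negative index is turned into a large negative one. To keep the lower 31 bits of the magnitude together with the sign, as the comment says, negate first, then mask, then negate back: `face_index = -face_index; face_index &= 0x7FFFFFFFL; face_index = -face_index;`. Note also that `face_index > 0` sends zero into the `else` branch. That is harmless here, but `>= 0` would state the intent more directly.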