authorWerner Lemberg <wl@gnu.org>2022-03-17 19:24:16 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-08-03 10:08:13 +0000
commitcae6077cad770c5d1297a518a19d0b7157d927d9 (patch)
tree8288e47e6f308c3278fd2cab4a90cf47e3d6dd57
parentdfede62a6e14e64c839acaee5f6790fd311e052f (diff)
[Backport] CVE-2022-27404
Cherry-pick of patch originally submitted on https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db: Avoid invalid face index. Fixes #1138. * src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font): Check `face_index` before decrementing. Change-Id: I1744d27542fc2dd17dada37fa0ade09a0b818b65 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/freetype/src/src/sfnt/sfobjs.c2
-rw-r--r--chromium/third_party/freetype/src/src/sfnt/sfwoff2.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/freetype/src/src/sfnt/sfobjs.c b/chromium/third_party/freetype/src/src/sfnt/sfobjs.c
index cf730717eb0..553d5e85232 100644
--- a/chromium/third_party/freetype/src/src/sfnt/sfobjs.c
+++ b/chromium/third_party/freetype/src/src/sfnt/sfobjs.c
@@ -553,7 +553,7 @@
face_index = FT_ABS( face_instance_index ) & 0xFFFF;
/* value -(N+1) requests information on index N */
- if ( face_instance_index < 0 )
+ if ( face_instance_index < 0 && face_index > 0 )
face_index--;
if ( face_index >= face->ttc_header.count )
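Review bot: With the added `face_index > 0` guard, a negative `face_instance_index` whose low 16 bits are zero is no longer decremented below zero, but it now falls through as a request for face 0 instead of being rejected, and the unchanged comment `/* value -(N+1) requests information on index N */` does not mention that case. I would document it next to the condition, for example `/* low 16 bits zero: keep index 0, do not step below the first face */`, so the next reader sees why the guard exists. The bounds check that follows, `if ( face_index >= face->ttc_header.count )`, remains upper-bound only; if `face_index` is a signed type (its declaration is outside the hunk), the guard is the only thing keeping a negative index away from the table lookup, which is worth stating in the same comment. The same applies to the sfwoff2.c hunk ahead of `if ( face_index >= woff2.num_fonts )`. Both enclosing functions start and end outside their hunks.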
diff --git a/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c b/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c
index df04072382e..75c0ffb0d77 100644
--- a/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c
+++ b/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c
@@ -2102,7 +2102,7 @@
/* Validate requested face index. */
*num_faces = woff2.num_fonts;
/* value -(N+1) requests information on index N */
- if ( *face_instance_index < 0 )
+ if ( *face_instance_index < 0 && face_index > 0 )
face_index--;
if ( face_index >= woff2.num_fonts )