File 0001-integer-overflows.patch of Package freetype2.37941
Index: freetype-2.6.3/src/truetype/ttinterp.c
===================================================================
--- freetype-2.6.3.orig/src/truetype/ttinterp.c
+++ freetype-2.6.3/src/truetype/ttinterp.c
@@ -5602,6 +5602,7 @@
#ifdef TT_CONFIG_OPTION_SUBPIXEL_HINTING
FT_F26Dot6 control_value_cutin = 0; /* pacify compiler */
+ FT_F26Dot6 delta;
if ( SUBPIXEL_HINTING )
@@ -5638,11 +5639,15 @@
distance = PROJECT( exc->zp1.cur + point, exc->zp0.cur + exc->GS.rp0 );
#ifdef TT_CONFIG_OPTION_SUBPIXEL_HINTING
+ delta = SUB_LONG( distance, args[1] );
+ if ( delta < 0 )
+ delta = NEG_LONG( delta );
+
/* subpixel hinting - make MSIRP respect CVT cut-in; */
if ( SUBPIXEL_HINTING &&
exc->ignore_x_mode &&
exc->GS.freeVector.x != 0 &&
- FT_ABS( distance - args[1] ) >= control_value_cutin )
+ delta >= control_value_cutin )
distance = args[1];
#endif /* TT_CONFIG_OPTION_SUBPIXEL_HINTING */
@@ -5796,7 +5801,14 @@
if ( ( exc->opcode & 1 ) != 0 ) /* rounding and control cut-in flag */
{
- if ( FT_ABS( distance - org_dist ) > control_value_cutin )
+ FT_F26Dot6 delta;
+
+
+ delta = SUB_LONG( distance, org_dist );
+ if ( delta < 0 )
+ delta = NEG_LONG( delta );
+
+ if ( delta > control_value_cutin )
distance = org_dist;
#ifdef TT_CONFIG_OPTION_SUBPIXEL_HINTING
@@ -6071,6 +6083,9 @@
if ( exc->GS.gep0 == exc->GS.gep1 )
{
+ FT_F26Dot6 delta;
+
+
/* XXX: According to Greg Hitchcock, the following wording is */
/* the right one: */
/* */
@@ -6083,8 +6098,12 @@
/* `ttinst2.doc', version 1.66, is thus incorrect since */
/* it implies `>=' instead of `>'. */
- if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin )
- cvt_dist = org_dist;
+ delta = SUB_LONG( cvt_dist, org_dist );
+ if ( delta < 0 )
+ delta = NEG_LONG( delta );
+
+ if ( delta > control_value_cutin )
+ cvt_dist = org_dist;
}
distance = exc->func_round(
@@ -6101,7 +6120,14 @@
exc->ignore_x_mode &&
exc->GS.gep0 == exc->GS.gep1 )
{
- if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin )
+ FT_F26Dot6 delta;
+
+
+ delta = SUB_LONG( cvt_dist, org_dist );
+ if ( delta < 0 )
+ delta = NEG_LONG( delta );
+
+ if ( delta > control_value_cutin )
cvt_dist = org_dist;
}
#endif /* TT_CONFIG_OPTION_SUBPIXEL_HINTING */
Index: freetype-2.6.3/include/freetype/internal/ftcalc.h
===================================================================
--- freetype-2.6.3.orig/include/freetype/internal/ftcalc.h
+++ freetype-2.6.3/include/freetype/internal/ftcalc.h
@@ -409,6 +409,33 @@ FT_BEGIN_HEADER
#define ROUND_F26DOT6( x ) ( x >= 0 ? ( ( (x) + 32 ) & -64 ) \
: ( -( ( 32 - (x) ) & -64 ) ) )
+ /*
+ * The following macros have two purposes.
+ *
+ * . Tag places where overflow is expected and harmless.
+ *
+ * . Avoid run-time sanitizer errors.
+ *
+ * Use with care!
+ */
+#define ADD_LONG( a, b ) \
+ (FT_Long)( (FT_ULong)(a) + (FT_ULong)(b) )
+#define SUB_LONG( a, b ) \
+ (FT_Long)( (FT_ULong)(a) - (FT_ULong)(b) )
+#define MUL_LONG( a, b ) \
+ (FT_Long)( (FT_ULong)(a) * (FT_ULong)(b) )
+#define NEG_LONG( a ) \
+ (FT_Long)( (FT_ULong)0 - (FT_ULong)(a) )
+
+#define ADD_INT32( a, b ) \
+ (FT_Int32)( (FT_UInt32)(a) + (FT_UInt32)(b) )
+#define SUB_INT32( a, b ) \
+ (FT_Int32)( (FT_UInt32)(a) - (FT_UInt32)(b) )
+#define MUL_INT32( a, b ) \
+ (FT_Int32)( (FT_UInt32)(a) * (FT_UInt32)(b) )
+#define NEG_INT32( a ) \
+ (FT_Int32)( (FT_UInt32)0 - (FT_UInt32)(a) )
+
FT_END_HEADER
