From 6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 5 Jul 2018 22:31:10 +0200
Subject: [PATCH] Fix more 32bit issues (#54208)
* src/cff/cffload.c (cff_blend_build_vector): Convert assertion into run-time error.
* src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against numeric overflow.
---
 ChangeLog | 10 ++++++++++
 src/cff/cffload.c | 9 ++++++++-
 src/truetype/ttgxvar.c | 8 ++++----
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9f927fcd7..0bcdb95d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2018-07-05 Werner Lemberg
+
+ Fix more 32bit issues (#54208)
+
+ * src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
+ run-time error.
+
+ * src/truetype/ttgxvar.c (ft_var_to_normalized): Protect against
+ numeric overflow.
+
 2018-07-04 Werner Lemberg
 Fix 32bit build warnings (#54239).
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 9942d57a1..015b2c80f 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1398,7 +1398,14 @@
 FT_UInt master;
- FT_ASSERT( lenNDV == 0 || NDV );
+ /* protect against malformed fonts */
+ if ( !( lenNDV == 0 || NDV ) )
+ {
+ FT_TRACE4(( " cff_blend_build_vector:"
+ " Malformed Normalize Design Vector data\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
 blend->builtBV = FALSE;
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 621572990..0937301b0 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1780,11 +1780,11 @@
 }
 if ( coord < a->def )
- normalized[i] = -FT_DivFix( coord - a->def,
- a->minimum - a->def );
+ normalized[i] = -FT_DivFix( SUB_LONG( coord, a->def ),
+ SUB_LONG( a->minimum, a->def ) );
 else if ( coord > a->def )
- normalized[i] = FT_DivFix( coord - a->def,
- a->maximum - a->def );
+ normalized[i] = FT_DivFix( SUB_LONG( coord, a->def ),
+ SUB_LONG( a->maximum, a->def ) );
 else
 normalized[i] = 0;
 }
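Review bot: In the src/cff/cffload.c hunk the new malformed-font check sits above `blend->builtBV = FALSE;`, so on this early `goto Exit` the blend keeps whatever `builtBV` value an earlier call left behind. If an earlier build succeeded, a caller that does not propagate the error could keep using a stale blend vector; moving the check below the assignment, or clearing the flag inside the error branch, closes that gap. The condition also reads more directly as `if ( lenNDV != 0 && !NDV )`. The start of the function and the `Exit` label are outside the hunk, so how the exit path treats `builtBV` should be confirmed there.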
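Review bot: In the src/truetype/ttgxvar.c hunk `SUB_LONG` removes the undefined signed overflow, but the wrapped difference is still handed to `FT_DivFix`, so a font whose axis record has `minimum`, `def` and `maximum` very far apart or out of order can still produce a `normalized[i]` outside [-1, 1]. This assumes `SUB_LONG` is FreeType's usual wrap-around subtraction done in unsigned arithmetic, which the hunk does not show. A comment above the branch would record that limit, for example `/* SUB_LONG wraps on overflow; the quotient is meaningful only if minimum <= def <= maximum */`. Rejecting or clamping axis records that violate that ordering when they are loaded would be the stronger fix, and no such validation is visible here. The enclosing loop and any clamping of `coord` begin outside the hunk.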