From 4797b2ff22906ce4ff4e6dcee300a70f94dcc43a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?=
Date: Fri, 26 Aug 2022 12:08:34 +0300
Subject: [PATCH] [sfnt] Avoid undefined shifts in `COLR` v1 color line retrieval * src/sfnt/ttcolr.c (tt_face_get_colorline_stops): Disambiguate shift behavior by using multiplication using macros from ftcalc.h.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50573
---
 src/sfnt/ttcolr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 25051a49c..1277bbd53 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -1575,7 +1575,7 @@
 /* Iterator points at first `ColorStop` of `ColorLine`. */
 p = iterator->p;
- color_stop->stop_offset = (FT_Fixed)FT_NEXT_SHORT( p ) << 2;
+ color_stop->stop_offset = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
 color_stop->color.palette_index = FT_NEXT_USHORT( p );
@@ -1600,7 +1600,7 @@
 item_deltas ) ) return 0;
- color_stop->stop_offset += (FT_Fixed)item_deltas[0] << 2;
+ color_stop->stop_offset += F2DOT14_TO_FIXED( item_deltas[0] );
 color_stop->color.alpha += item_deltas[1];
 }
 #else
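Review bot: The new assignment `color_stop->stop_offset = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );` carries no in-code explanation of why the plain `<< 2` was dropped, so the reason (the commit message cites undefined shift behaviour reported by OSS-Fuzz) is easy to lose and the line could later be simplified back to a shift. I would add a comment above it, e.g. `/* convert via multiplication; left-shifting a negative F2Dot14 value is undefined */`. Note also that FT_NEXT_SHORT advances `p`, so the line relies on the conversion macro evaluating its argument exactly once; that definition lives in ftcalc.h and is not visible here. The enclosing function (tt_face_get_colorline_stops, per the commit message) begins and ends outside the hunk.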
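Review bot: The `+=` in `color_stop->stop_offset += F2DOT14_TO_FIXED( item_deltas[0] );` can still overflow a signed value if `item_deltas[0]` is wider than 16 bits, because multiplying instead of shifting removes only the undefined shift of a negative operand, not signed overflow of the product or of the sum. The element type of `item_deltas` and any range check on it lie outside the hunk, and the deltas presumably originate from font data, so this is a point to confirm rather than a proven defect. If wrap-around is acceptable here, the wrapping helper from ftcalc.h would make that explicit: `color_stop->stop_offset = ADD_LONG( color_stop->stop_offset, F2DOT14_TO_FIXED( item_deltas[0] ) );`. The unchanged `color_stop->color.alpha += item_deltas[1];` line deserves the same look, and the surrounding block begins outside the hunk.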