From 551bd3a90e352fa3a66ee7644c07440939c03d81 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 3 Dec 2019 11:52:48 +0100
Subject: [PATCH] More nullptr offset UBSan warnings (#57331, #57347).
* src/autofit/afcjk.c (af_cjk_hints_compute_segments), src/psaux/psft.c (cf2_getSeacComponent), src/truetype/ttinterp.c (Ins_UNKNOWN): Use `FT_OFFSET'.
---
 ChangeLog | 8 ++++++++
 src/autofit/afcjk.c | 2 +-
 src/psaux/psft.c | 2 +-
 src/truetype/ttinterp.c | 2 +-
 4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 454b8aefe..1660afa9b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-12-03 Werner Lemberg
+
+ More nullptr offset UBSan warnings (#57331, #57347).
+
+ * src/autofit/afcjk.c (af_cjk_hints_compute_segments),
+ src/psaux/psft.c (cf2_getSeacComponent), src/truetype/ttinterp.c
+ (Ins_UNKNOWN): Use `FT_OFFSET'.
+
 2019-11-29 Dominik Röttsches
 Avoid more nullptr offset UBSan warnings (#57316).
diff --git a/src/autofit/afcjk.c b/src/autofit/afcjk.c
index a61689bee..3bae4ec97 100644
--- a/src/autofit/afcjk.c
+++ b/src/autofit/afcjk.c
@@ -806,7 +806,7 @@
 {
 AF_AxisHints axis = &hints->axis[dim];
 AF_Segment segments = axis->segments;
- AF_Segment segment_limit = segments + axis->num_segments;
+ AF_Segment segment_limit = FT_OFFSET( segments, axis->num_segments );
 FT_Error error;
 AF_Segment seg;
diff --git a/src/psaux/psft.c b/src/psaux/psft.c
index a823ac800..7c7ef2cbe 100644
--- a/src/psaux/psft.c
+++ b/src/psaux/psft.c
@@ -700,7 +700,7 @@
 FT_ASSERT( charstring + len >= charstring );
 buf->start = charstring;
- buf->end = charstring + len;
+ buf->end = FT_OFFSET( charstring, len );
 buf->ptr = buf->start;
 return FT_Err_Ok;
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 70434e172..1357890f6 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
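Review bot: In src/autofit/afcjk.c the new `segment_limit = FT_OFFSET( segments, axis->num_segments )` silences the report for an empty segment table, but it also stops the sanitizer from flagging the inconsistent state where `segments` is NULL while `axis->num_segments` is non-zero. Assuming FT_OFFSET yields NULL for a NULL base (its definition is not part of this patch), that state would now just make any loop bounded by `segment_limit` run zero times. A debug-only check after the declarations, `FT_ASSERT( segments || !axis->num_segments );`, would keep the invariant visible to fuzzing builds. The same applies to `def` and `exc->numIDefs` in the Ins_UNKNOWN hunk of src/truetype/ttinterp.c. The function's signature and the rest of its body are outside the hunk.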
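Review bot: The context line `FT_ASSERT( charstring + len >= charstring );` just above the change in src/psaux/psft.c still performs the raw `charstring + len` arithmetic that this patch replaces on the `buf->end` line, so builds with assertions enabled presumably keep hitting the same null-offset report. The comparison is also not a dependable wrap-around check, because pointer arithmetic that leaves the object is undefined and a compiler may fold the test to true. An assertion without pointer arithmetic, for example `FT_ASSERT( charstring || !len );`, would state the precondition that the new `FT_OFFSET( charstring, len )` relies on. The enclosing function (cf2_getSeacComponent according to the commit message) starts outside the hunk.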
@@ -7715,7 +7715,7 @@
 Ins_UNKNOWN( TT_ExecContext exc )
 {
 TT_DefRecord* def = exc->IDefs;
- TT_DefRecord* limit = def + exc->numIDefs;
+ TT_DefRecord* limit = FT_OFFSET( def, exc->numIDefs );
 for ( ; def < limit; def++ )