From c67b9a1c5b27afbb466a35222c84b1bccb81d238 Mon Sep 17 00:00:00 2001 From: Armin Hasitzka Date: Sat, 23 Nov 2019 11:01:18 +0100 Subject: [PATCH] [truetype] Fix integer overflow (#57287). * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'. --- ChangeLog | 6 ++++++ src/truetype/ttgload.c | 5 +++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6a2743c7b..4b0ba721b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2019-11-23 Armin Hasitzka + + [truetype] Fix integer overflow (#57287). + + * src/truetype/ttgload.c (compute_glyph_metrics): Use `SUB_LONG'. + 2019-11-23 Ben Wagner [sfnt] Avoid sanitizer warning (#57286). diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c index 093eed839..4dddb0d6c 100644 --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -2302,13 +2302,14 @@ if ( face->vertical_info && face->vertical.number_Of_VMetrics > 0 ) { - top = (FT_Short)FT_DivFix( loader->pp3.y - bbox.yMax, + top = (FT_Short)FT_DivFix( SUB_LONG( loader->pp3.y, bbox.yMax ), y_scale ); if ( loader->pp3.y <= loader->pp4.y ) advance = 0; else - advance = (FT_UShort)FT_DivFix( loader->pp3.y - loader->pp4.y, + advance = (FT_UShort)FT_DivFix( SUB_LONG( loader->pp3.y, + loader->pp4.y ), y_scale ); } else
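Review bot: The two `SUB_LONG` calls make the subtraction well-defined, but the wrapped difference is still passed to `FT_DivFix` and then narrowed by the `(FT_Short)` and `(FT_UShort)` casts, so a malformed font can still produce an arbitrary `top` or `advance` rather than a bounded one. In the `advance` branch the `loader->pp3.y <= loader->pp4.y` guard does not exclude a wrapped result when `pp3.y` and `pp4.y` have opposite signs and large magnitudes. If wrapping is the intended behaviour for broken fonts, a comment above the `top` assignment would record that, e.g. `/* inputs come from font data; SUB_LONG wraps on purpose and the result is truncated by the cast */`; otherwise the difference should be clamped to the target range before the cast. `compute_glyph_metrics` starts and ends outside this hunk, so whether later code range-checks these vertical metrics is not visible here.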