[autofit] Prevent signed integer overflow

Signed-off-by: ZacohZhen <kouzhenrong@h-partners.com>
This commit is contained in:
ZacohZhen
2026-03-09 09:49:05 +08:00
parent 40125df0e4
commit 4c93bf702f
2 changed files with 20 additions and 1 deletions
@@ -0,0 +1,17 @@
diff --git a/src/autofit/afloader.c b/src/autofit/afloader.c
index af1d59a..79a6938 100644
--- a/src/autofit/afloader.c
+++ b/src/autofit/afloader.c
@@ -532,8 +532,10 @@
slot->metrics.horiBearingX = bbox.xMin;
slot->metrics.horiBearingY = bbox.yMax;
- slot->metrics.vertBearingX = FT_PIX_FLOOR( bbox.xMin + vvector.x );
- slot->metrics.vertBearingY = FT_PIX_FLOOR( bbox.yMax + vvector.y );
+ slot->metrics.vertBearingX = FT_PIX_FLOOR( ADD_LONG( bbox.xMin,
+ vvector.x ) );
+ slot->metrics.vertBearingY = FT_PIX_FLOOR( ADD_LONG( bbox.yMax,
+ vvector.y ) );
/* for mono-width fonts (like Andale, Courier, etc.) we need */
/* to keep the original rounded advance width; ditto for */
+3 -1
View File
@@ -41,6 +41,7 @@ def move_file(src_path, dst_path):
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch",
"backport-truetype-signed-integer-overflow.patch",
"backport-autofit-signed-integer-overflow.patch",
"ftconfig.h"
]
for file in files:
@@ -78,7 +79,8 @@ def do_patch(target_dir):
"backport-freetype-2.10.1-debughook.patch",
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch",
"backport-truetype-signed-integer-overflow.patch"
"backport-truetype-signed-integer-overflow.patch",
"backport-autofit-signed-integer-overflow.patch"
]
for patch in patch_file: