diff --git a/backport-autofit-signed-integer-overflow.patch b/backport-autofit-signed-integer-overflow.patch
new file mode 100644
index 0000000..b6ccd38
--- /dev/null
+++ b/backport-autofit-signed-integer-overflow.patch
@@ -0,0 +1,17 @@
+diff --git a/src/autofit/afloader.c b/src/autofit/afloader.c
+index af1d59a..79a6938 100644
+--- a/src/autofit/afloader.c
++++ b/src/autofit/afloader.c
+@@ -532,8 +532,10 @@
+ slot->metrics.horiBearingX = bbox.xMin;
+ slot->metrics.horiBearingY = bbox.yMax;
+
+- slot->metrics.vertBearingX = FT_PIX_FLOOR( bbox.xMin + vvector.x );
+- slot->metrics.vertBearingY = FT_PIX_FLOOR( bbox.yMax + vvector.y );
++ slot->metrics.vertBearingX = FT_PIX_FLOOR( ADD_LONG( bbox.xMin,
++ vvector.x ) );
++ slot->metrics.vertBearingY = FT_PIX_FLOOR( ADD_LONG( bbox.yMax,
++ vvector.y ) );
+
+ /* for mono-width fonts (like Andale, Courier, etc.) we need */
+ /* to keep the original rounded advance width; ditto for */
diff --git a/install.py b/install.py
index 6982373..928546f 100755
--- a/install.py
+++ b/install.py
@@ -41,6 +41,7 @@ def move_file(src_path, dst_path):
 "backport-freetype-2.12.1-enable-funcs.patch",
 "CVE-2026-23865.patch",
 "backport-truetype-signed-integer-overflow.patch",
+ "backport-autofit-signed-integer-overflow.patch",
 "ftconfig.h"
 ]
 for file in files:
@@ -78,7 +79,8 @@ def do_patch(target_dir):
 "backport-freetype-2.10.1-debughook.patch",
 "backport-freetype-2.12.1-enable-funcs.patch",
 "CVE-2026-23865.patch",
- "backport-truetype-signed-integer-overflow.patch"
+ "backport-truetype-signed-integer-overflow.patch",
+ "backport-autofit-signed-integer-overflow.patch"
 ]
 for patch in patch_file:
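Review bot: The new backport-autofit-signed-integer-overflow.patch begins directly at its `diff --git` line, so the file itself records neither the upstream change it backports nor the reason for it. The embedded hunk replaces the plain `bbox.xMin + vvector.x` and `bbox.yMax + vvector.y` sums with `ADD_LONG( ... )`, presumably because those operands can be driven to overflow by glyph data; a short header above the diff, such as `Upstream-commit: <upstream commit id>` and one line naming the two vertBearing assignments, would let an auditor check the backport against upstream. The embedded hunk header `@@ -532,8 +532,10 @@` names no function and the function body lies outside the hunk, so it cannot be judged from here whether other signed additions nearby need the same macro.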
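Review bot: The new patch name is added by hand to two separate lists, `files` in move_file and `patch_file` in do_patch (the hunk at `-78,7`), and nothing visible keeps them in step; assuming their patch entries are meant to match, an entry missing from one of them would leave a security backport copied but not applied, or listed for applying without having been copied. One module-level tuple, e.g. `PATCH_FILES = (...)`, used as `files = [*PATCH_FILES, "ftconfig.h"]` and `patch_file = list(PATCH_FILES)`, would remove that drift. In do_patch the last entry should keep a trailing comma, `"backport-autofit-signed-integer-overflow.patch",`, so that the next backport is a one-line change. Both function bodies continue outside the hunks, so it is not visible whether do_patch checks the result of applying each patch; if it does not, a backport that fails to apply would go unnoticed.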