[truetype] Prevent signed integer overflow

Signed-off-by: ZacohZhen <kouzhenrong@h-partners.com>
ZacohZhen
2026-03-07 15:43:09 +08:00
parent 9d71b97fce
commit fa30071a5e
2 changed files with 24 additions and 1 deletions
@@ -0,0 +1,21 @@
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 951891d..86894c2 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5664,11 +5664,11 @@
/* single width cut-in test */
/* |org_dist - single_width_value| < single_width_cutin */
- if ( exc->GS.single_width_cutin > 0 &&
- org_dist < exc->GS.single_width_value +
- exc->GS.single_width_cutin &&
- org_dist > exc->GS.single_width_value -
- exc->GS.single_width_cutin )
+ if ( exc->GS.single_width_cutin > 0 &&
+ org_dist < ADD_LONG( exc->GS.single_width_value,
+ exc->GS.single_width_cutin ) &&
+ org_dist > SUB_LONG( exc->GS.single_width_value,
+ exc->GS.single_width_cutin ) )
{
if ( org_dist >= 0 )
org_dist = exc->GS.single_width_value;
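Review bot: The backport patch as shown starts directly at `diff --git` with no header naming the upstream FreeType commit it was taken from, so a reviewer cannot check that it matches upstream. A provenance line such as `Upstream-commit: <upstream commit id placeholder>` plus the source repository would record that. On the change itself, FreeType's ADD_LONG and SUB_LONG wrap through unsigned arithmetic rather than saturate, so the cut-in test no longer has undefined behaviour but can still compare org_dist against a wrapped bound when single_width_value and single_width_cutin are extreme. That looks harmless here, since a match only snaps org_dist to single_width_value, but it is worth confirming that both macros are defined in the vendored FreeType version this patch is applied to. The enclosing function begins and ends outside the hunk.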
+3 -1
@@ -40,6 +40,7 @@ def move_file(src_path, dst_path):
"backport-freetype-2.10.1-debughook.patch",
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch",
"backport-truetype-signed-integer-overflow.patch",
"ftconfig.h"
]
for file in files:
@@ -76,7 +77,8 @@ def do_patch(target_dir):
"backport-freetype-2.10.0-internal-outline.patch",
"backport-freetype-2.10.1-debughook.patch",
"backport-freetype-2.12.1-enable-funcs.patch",
"CVE-2026-23865.patch"
"CVE-2026-23865.patch",
"backport-truetype-signed-integer-overflow.patch"
]
for patch in patch_file: