From fa30071a5e9874f5a936c3f625b67537f22b90e8 Mon Sep 17 00:00:00 2001
From: ZacohZhen
Date: Sat, 7 Mar 2026 15:43:09 +0800
Subject: [PATCH] [truetype] Prevent signed integer overflow

Signed-off-by: ZacohZhen
---
 ...ort-truetype-signed-integer-overflow.patch | 21 +++++++++++++++++++
 install.py | 4 +++-
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 backport-truetype-signed-integer-overflow.patch

diff --git a/backport-truetype-signed-integer-overflow.patch b/backport-truetype-signed-integer-overflow.patch
new file mode 100644
index 0000000..7078e5e
--- /dev/null
+++ b/backport-truetype-signed-integer-overflow.patch
@@ -0,0 +1,21 @@
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index 951891d..86894c2 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -5664,11 +5664,11 @@
+ /* single width cut-in test */
+
+ /* |org_dist - single_width_value| < single_width_cutin */
+- if ( exc->GS.single_width_cutin > 0 &&
+- org_dist < exc->GS.single_width_value +
+- exc->GS.single_width_cutin &&
+- org_dist > exc->GS.single_width_value -
+- exc->GS.single_width_cutin )
++ if ( exc->GS.single_width_cutin > 0 &&
++ org_dist < ADD_LONG( exc->GS.single_width_value,
++ exc->GS.single_width_cutin ) &&
++ org_dist > SUB_LONG( exc->GS.single_width_value,
++ exc->GS.single_width_cutin ) )
+ {
+ if ( org_dist >= 0 )
+ org_dist = exc->GS.single_width_value;
diff --git a/install.py b/install.py
index 33656ec..6982373 100755
--- a/install.py
+++ b/install.py
@@ -40,6 +40,7 @@ def move_file(src_path, dst_path):
 "backport-freetype-2.10.1-debughook.patch",
 "backport-freetype-2.12.1-enable-funcs.patch",
 "CVE-2026-23865.patch",
+ "backport-truetype-signed-integer-overflow.patch",
 "ftconfig.h"
 ]
 for file in files:
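Review bot: The added backport file starts directly at `diff --git` and carries no header naming the upstream FreeType commit it was taken from, and the commit message gives none either, so the change cannot be traced or re-checked against upstream; the neighbouring entry is at least named by its CVE id. Add a short header above the `diff --git` line, for example `Backported from upstream FreeType commit <upstream-commit-id>`, plus the original subject line. It would also help to state there that `ADD_LONG`/`SUB_LONG` make the sum and difference wrap instead of overflowing a signed type, so the cut-in comparison is well defined but can still be evaluated against a wrapped bound when `single_width_value` is extreme; that reading is based on how FreeType defines these macros and should be confirmed against the bundled version. The enclosing function in ttinterp.c starts and ends outside the hunk.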
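Review bot: The new patch name has to be added by hand to two separate lists, `files` here in move_file and `patch_file` in do_patch (the `@@ -76,7 +77,8 @@` hunk), and nothing visible keeps them in step. A security backport listed in only one of them would either not be copied or not be applied, and whether do_patch stops the build when a patch fails to apply is not visible in these hunks. Consider keeping the patch names in one module-level tuple, e.g. `PATCHES = (..., "backport-truetype-signed-integer-overflow.patch")`, and building both lists from it. Both function bodies start and end outside the hunks.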
@@ -76,7 +77,8 @@ def do_patch(target_dir):
 "backport-freetype-2.10.0-internal-outline.patch",
 "backport-freetype-2.10.1-debughook.patch",
 "backport-freetype-2.12.1-enable-funcs.patch",
- "CVE-2026-23865.patch"
+ "CVE-2026-23865.patch",
+ "backport-truetype-signed-integer-overflow.patch"
 ]
 for patch in patch_file: