From b98dfda392542f770a10063af625ef295c7803db Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 3 Sep 2016 08:20:31 +0200 Subject: [PATCH] [base] Avoid negative bitmap stroke dimensions (#48985). * src/base/ftobjs.c (FT_Open_Face): Check whether negation was actually successful. For example, this can fail for value -32768 if the type is `signed short'. If there are problems, disable the stroke. --- ChangeLog | 9 +++++++++ src/base/ftobjs.c | 17 +++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5e7cc0332..7100e7005 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2016-09-03 Werner Lemberg + + [base] Avoid negative bitmap stroke dimensions (#48985). + + * src/base/ftobjs.c (FT_Open_Face): Check whether negation was + actually successful. For example, this can fail for value + -32768 if the type is `signed short'. If there are problems, + disable the stroke. + 2016-09-03 Werner Lemberg [cff] Avoid null pointer passed to FT_MEM_COPY (#48984). diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 7a78357e1..0c9e4090c 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -2314,11 +2314,24 @@ if ( bsize->height < 0 ) - bsize->height = (FT_Short)-bsize->height; + bsize->height = -bsize->height; if ( bsize->x_ppem < 0 ) - bsize->x_ppem = (FT_Short)-bsize->x_ppem; + bsize->x_ppem = -bsize->x_ppem; if ( bsize->y_ppem < 0 ) bsize->y_ppem = -bsize->y_ppem; + + /* check whether negation actually has worked */ + if ( bsize->height < 0 || bsize->x_ppem < 0 || bsize->y_ppem < 0 ) + { + FT_TRACE0(( "FT_Open_Face:" + " Invalid bitmap dimensions for stroke %d," + " now disabled\n", i )); + bsize->width = 0; + bsize->height = 0; + bsize->size = 0; + bsize->x_ppem = 0; + bsize->y_ppem = 0; + } } }