[truetype] Prevent signed integer overflow.

Reported as https://issues.oss-fuzz.com/issues/473582311 * src/truetype/ttinterp.c (Ins_MDRP): Use `ADD_LONG` and `SUB_LONG`.
2026-01-19 04:52:09 +00:00 · 2026-01-06 22:12:18 +01:00
parent 4553f1c396
commit 5f524d04b4
1 changed files with 5 additions and 5 deletions
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5457,11 +5457,11 @@
    /* single width cut-in test */

    /* |org_dist - single_width_value| < single_width_cutin */
-    if ( exc->GS.single_width_cutin > 0          &&
-         org_dist < exc->GS.single_width_value +
-                      exc->GS.single_width_cutin &&
-         org_dist > exc->GS.single_width_value -
-                      exc->GS.single_width_cutin )
+    if ( exc->GS.single_width_cutin > 0                    &&
+         org_dist < ADD_LONG( exc->GS.single_width_value,
+                              exc->GS.single_width_cutin ) &&
+         org_dist > SUB_LONG( exc->GS.single_width_value,
+                              exc->GS.single_width_cutin ) )
    {
      if ( org_dist >= 0 )
        org_dist = exc->GS.single_width_value;