From 5f524d04b4f81a0e6d0d86add447f564047d6d09 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 6 Jan 2026 22:12:18 +0100
Subject: [PATCH] [truetype] Prevent signed integer overflow.
Reported as https://issues.oss-fuzz.com/issues/473582311
* src/truetype/ttinterp.c (Ins_MDRP): Use `ADD_LONG` and `SUB_LONG`.
---
 src/truetype/ttinterp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 7b26c9a9d..7e8f748ee 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5457,11 +5457,11 @@
 /* single width cut-in test */
 /* |org_dist - single_width_value| < single_width_cutin */
- if ( exc->GS.single_width_cutin > 0 &&
- org_dist < exc->GS.single_width_value +
- exc->GS.single_width_cutin &&
- org_dist > exc->GS.single_width_value -
- exc->GS.single_width_cutin )
+ if ( exc->GS.single_width_cutin > 0 &&
+ org_dist < ADD_LONG( exc->GS.single_width_value,
+ exc->GS.single_width_cutin ) &&
+ org_dist > SUB_LONG( exc->GS.single_width_value,
+ exc->GS.single_width_cutin ) )
 {
 if ( org_dist >= 0 )
 org_dist = exc->GS.single_width_value;
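Review bot: The rewritten bounds in the `if` now depend on wrap-around arithmetic, and nothing next to the test says so. Assuming `ADD_LONG` and `SUB_LONG` are the usual cast-to-unsigned helpers, an out-of-range `single_width_value` plus or minus `single_width_cutin` wraps instead of overflowing. As far as I can see, with `single_width_cutin > 0` the two comparisons then cannot both hold, so the snap to `single_width_value` is silently skipped; that is well defined, but it is not what the `|org_dist - single_width_value| < single_width_cutin` comment above describes. Both graphics-state values are presumably set by the font's own bytecode, so I would record the intent before the `if`, for example `/* ADD_LONG/SUB_LONG wrap on overflow; the test then fails and org_dist is left unchanged */`. The enclosing function (`Ins_MDRP` per the commit message) starts and ends outside the hunk.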