freetype-commit

[freetype2] master f1c9343 1/2: [cff] Avoid overflow/module arithmetic.


From: Werner LEMBERG
Subject: [freetype2] master f1c9343 1/2: [cff] Avoid overflow/module arithmetic.
Date: Thu, 22 Oct 2015 09:07:30 +0000

branch: master
commit f1c93439b992fa66f17e92ee13314440f13008a2
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff] Avoid overflow/module arithmetic.
    
    This modifies the addition of subroutine number to subroutine bias
    from unsigned to signed, but does not change any results.
    
    * src/cff/cf2ft.c (cf2_initGlobalRegionBuffer,
    cf2_initLocalRegionBuffer): Change variable names from (unsigned)
    `idx' to (signed) `subrNum', since it is not an index until after
    the bias is added.
    * src/cff/cf2ft.h: Updated.
    
    * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdCALLSUBR>:
    Updated similarly.
---
 ChangeLog          |   17 +++++++++++++++++
 src/cff/cf2ft.c    |   14 ++++++++++----
 src/cff/cf2ft.h    |    4 ++--
 src/cff/cf2intrp.c |   12 ++++++------
 4 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f01f149..c4a61a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2015-10-22  Dave Arnold  <address@hidden>
+           Werner Lemberg  <address@hidden>
+
+       [cff] Avoid overflow/module arithmetic.
+
+       This modifies the addition of subroutine number to subroutine bias
+       from unsigned to signed, but does not change any results.
+
+       * src/cff/cf2ft.c (cf2_initGlobalRegionBuffer,
+       cf2_initLocalRegionBuffer): Change variable names from (unsigned)
+       `idx' to (signed) `subrNum', since it is not an index until after
+       the bias is added.
+       * src/cff/cf2ft.h: Updated.
+
+       * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdCALLSUBR>:
+       Updated similarly.
+
 2015-10-22  Werner Lemberg  <address@hidden>
 
        [cid] Better check of `SubrCount' dictionary entry (#46272).
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index d2544a2..55f3206 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -544,14 +544,17 @@
   /* return 0 on success                                   */
   FT_LOCAL_DEF( CF2_Int )
   cf2_initGlobalRegionBuffer( CFF_Decoder*  decoder,
-                              CF2_UInt      idx,
+                              CF2_Int       subrNum,
                               CF2_Buffer    buf )
   {
+    CF2_UInt  idx;
+
+
     FT_ASSERT( decoder );
 
     FT_ZERO( buf );
 
-    idx += (CF2_UInt)decoder->globals_bias;
+    idx = (CF2_UInt)( subrNum + decoder->globals_bias );
     if ( idx >= decoder->num_globals )
       return TRUE;     /* error */
 
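Review bot: The new signed addition `subrNum + decoder->globals_bias` can itself overflow if `subrNum` is near the top of the CF2_Int range, which is undefined behaviour in C. The removed unsigned `idx += ...` wrapped in a defined way and the result was then rejected by `idx >= decoder->num_globals`. Whether this is reachable depends on the range `cf2_stack_popInt` can return for a font-supplied operand, which is not visible in this diff; if that range is bounded, I would state it next to the addition, e.g. `/* subrNum comes from the charstring; a negative sum casts to a large idx and is rejected by the bounds check below */`. The same expression appears in the cf2_initLocalRegionBuffer hunk and in the two FT_TRACE4 argument lists in src/cff/cf2intrp.c. The function body continues past the end of this hunk, so how `idx` is used after the bounds check cannot be confirmed from here.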
@@ -628,14 +631,17 @@
 
   FT_LOCAL_DEF( CF2_Int )
   cf2_initLocalRegionBuffer( CFF_Decoder*  decoder,
-                             CF2_UInt      idx,
+                             CF2_Int       subrNum,
                              CF2_Buffer    buf )
   {
+    CF2_UInt  idx;
+
+
     FT_ASSERT( decoder );
 
     FT_ZERO( buf );
 
-    idx += (CF2_UInt)decoder->locals_bias;
+    idx = (CF2_UInt)( subrNum + decoder->locals_bias );
     if ( idx >= decoder->num_locals )
       return TRUE;     /* error */
 
diff --git a/src/cff/cf2ft.h b/src/cff/cf2ft.h
index 3073df3..9810511 100644
--- a/src/cff/cf2ft.h
+++ b/src/cff/cf2ft.h
@@ -99,7 +99,7 @@ FT_BEGIN_HEADER
 
   FT_LOCAL( CF2_Int )
   cf2_initGlobalRegionBuffer( CFF_Decoder*  decoder,
-                              CF2_UInt      idx,
+                              CF2_Int       subrNum,
                               CF2_Buffer    buf );
   FT_LOCAL( FT_Error )
   cf2_getSeacComponent( CFF_Decoder*  decoder,
@@ -110,7 +110,7 @@ FT_BEGIN_HEADER
                          CF2_Buffer    buf );
   FT_LOCAL( CF2_Int )
   cf2_initLocalRegionBuffer( CFF_Decoder*  decoder,
-                             CF2_UInt      idx,
+                             CF2_Int       subrNum,
                              CF2_Buffer    buf );
 
   FT_LOCAL( CF2_Fixed )
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index b49b96f..1910f1b 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -746,7 +746,7 @@
       case cf2_cmdCALLGSUBR:
       case cf2_cmdCALLSUBR:
         {
-          CF2_UInt  subrIndex;
+          CF2_Int  subrNum;
 
 
           FT_TRACE4(( op1 == cf2_cmdCALLGSUBR ? " callgsubr"
@@ -766,17 +766,17 @@
                            (size_t)charstringIndex + 1 );
 
           /* set up the new CFF region and pointer */
-          subrIndex = (CF2_UInt)cf2_stack_popInt( opStack );
+          subrNum = cf2_stack_popInt( opStack );
 
           switch ( op1 )
           {
           case cf2_cmdCALLGSUBR:
             FT_TRACE4(( " (idx %d, entering level %d)\n",
-                        subrIndex + (CF2_UInt)decoder->globals_bias,
+                        subrNum + decoder->globals_bias,
                         charstringIndex + 1 ));
 
             if ( cf2_initGlobalRegionBuffer( decoder,
-                                             subrIndex,
+                                             subrNum,
                                              charstring ) )
             {
               lastError = FT_THROW( Invalid_Glyph_Format );
@@ -787,11 +787,11 @@
           default:
             /* cf2_cmdCALLSUBR */
             FT_TRACE4(( " (idx %d, entering level %d)\n",
-                        subrIndex + (CF2_UInt)decoder->locals_bias,
+                        subrNum + decoder->locals_bias,
                         charstringIndex + 1 ));
 
             if ( cf2_initLocalRegionBuffer( decoder,
-                                            subrIndex,
+                                            subrNum,
                                             charstring ) )
             {
               lastError = FT_THROW( Invalid_Glyph_Format );


