From 938ebda8d981a3db994329abd716b67c85570395867b00f91d9ed653bf9e90d1 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 9 Mar 2018 08:05:19 +0000
Subject: [PATCH] Accepting request 584499 from home:kbabioch:branches:M17N - Add bnc1079600.patch: Fix several integer overflow issues in truetype/ttinterp.c (bsc#1079600)
OBS-URL: https://build.opensuse.org/request/show/584499
OBS-URL: https://build.opensuse.org/package/show/M17N/freetype2?expand=0&rev=142
---
 bnc1079600.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++
 freetype2.changes | 6 +++
 freetype2.spec | 2 +
 3 files changed, 102 insertions(+)
 create mode 100644 bnc1079600.patch
diff --git a/bnc1079600.patch b/bnc1079600.patch
new file mode 100644
index 0000000..ed04442
--- /dev/null
+++ b/bnc1079600.patch
@@ -0,0 +1,94 @@
+References: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4a03f17449ae45f0dacf4de4694ccd6e5e1b24d1
+Upstream: merged
+From: Karol Babioch
+Date: Thu Mar 8 17:52:43 CET 2018
+
+Avoid integer overflow issues
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index 551f14a2e..5c8ff4f3d 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -5782,6 +5782,7 @@
+ FT_F26Dot6 distance;
+ #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
+ FT_F26Dot6 control_value_cutin = 0;
++ FT_F26Dot6 delta;
+
+
+ if ( SUBPIXEL_HINTING_INFINALITY )
+@@ -5817,11 +5818,15 @@
+ distance = PROJECT( exc->zp1.cur + point, exc->zp0.cur + exc->GS.rp0 );
+
+ #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
++ delta = SUB_LONG( distance, args[1] );
++ if ( delta < 0 )
++ delta = NEG_LONG( delta );
++
+ /* subpixel hinting - make MSIRP respect CVT cut-in; */
+- if ( SUBPIXEL_HINTING_INFINALITY &&
+- exc->ignore_x_mode &&
+- exc->GS.freeVector.x != 0 &&
+- FT_ABS( SUB_LONG( distance, args[1] ) ) >= control_value_cutin )
++ if ( SUBPIXEL_HINTING_INFINALITY &&
++ exc->ignore_x_mode &&
++ exc->GS.freeVector.x != 0 &&
++ delta >= control_value_cutin )
+ distance = args[1];
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+
+@@ -5978,7 +5983,14 @@
+
+ if ( ( exc->opcode & 1 ) != 0 ) /* rounding and control cut-in flag */
+ {
+- if ( FT_ABS( distance - org_dist ) > control_value_cutin )
++ FT_F26Dot6 delta;
++
++
++ delta = SUB_LONG( distance, org_dist );
++ if ( delta < 0 )
++ delta = NEG_LONG( delta );
++
++ if ( delta > control_value_cutin )
+ distance = org_dist;
+
+ #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
+@@ -6259,6 +6271,9 @@
+
+ if ( exc->GS.gep0 == exc->GS.gep1 )
+ {
++ FT_F26Dot6 delta;
++
++
+ /* XXX: According to Greg Hitchcock, the following wording is */
+ /* the right one: */
+ /* */
+@@ -6271,7 +6286,11 @@
+ /* `ttinst2.doc', version 1.66, is thus incorrect since */
+ /* it implies `>=' instead of `>'.
*/
+
+- if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin )
++ delta = SUB_LONG( cvt_dist, org_dist );
++ if ( delta < 0 )
++ delta = NEG_LONG( delta );
++
++ if ( delta > control_value_cutin )
+ cvt_dist = org_dist;
+ }
+
+@@ -6289,7 +6308,14 @@
+ exc->ignore_x_mode &&
+ exc->GS.gep0 == exc->GS.gep1 )
+ {
+- if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin )
++ FT_F26Dot6 delta;
++
++
++ delta = SUB_LONG( cvt_dist, org_dist );
++ if ( delta < 0 )
++ delta = NEG_LONG( delta );
++
++ if ( delta > control_value_cutin )
+ cvt_dist = org_dist;
+ }
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
diff --git a/freetype2.changes b/freetype2.changes
index cec0cc0..09d95bc 100644
--- a/freetype2.changes
+++ b/freetype2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 8 16:47:21 UTC 2018 - kbabioch@suse.com
+
+- Add bnc1079600.patch: Fix several integer overflow issues in
+ truetype/ttinterp.c (bsc#1079600)
+
 -------------------------------------------------------------------
 Tue Mar 6 10:47:29 UTC 2018 - ilya@ilya.pp.ua
diff --git a/freetype2.spec b/freetype2.spec
index c7b494d..ae590ff 100644
--- a/freetype2.spec
+++ b/freetype2.spec
@@ -36,6 +36,7 @@ Patch2: psaux-flex.patch
 Patch3: 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch
 Patch4: 0001-truetype-Better-protection-against-invalid-VF-data.patch
 Patch5: enable-long-family-names-by-default.patch
+Patch6: bnc1079600.patch
 BuildRequires: gawk
 BuildRequires: libbz2-devel
 BuildRequires: libpng-devel
@@ -104,6 +105,7 @@ It also contains a small tutorial for using that library.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
 export CFLAGS="%{optflags} -std=gnu99 -D_GNU_SOURCE $(getconf LFS_CFLAGS)"
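Review bot: In bnc1079600.patch, the four sites in src/truetype/ttinterp.c that now compute `delta = SUB_LONG( … ); if ( delta < 0 ) delta = NEG_LONG( delta );` carry no comment saying the wrap-around is deliberate, and one edge case looks unhandled. If NEG_LONG negates through the unsigned type (its definition is not on this page), a wrapped difference equal to the most negative value stays negative, so `delta > control_value_cutin` (and `delta >= control_value_cutin` at the MSIRP site) is false and the cut-in clamp is skipped for that operand pair. A one-line comment such as `/* operands may come from the font program; subtract with wrap-around instead of overflowing */` above each computation would record the intent. Because the header states `Upstream: merged`, a behavioural change belongs upstream rather than in this backport, and the inner hunks should be compared against the referenced upstream commit before release. The enclosing functions begin and end outside the inner hunks.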