diff --git a/ChangeLog b/ChangeLog
index c13c48e89..fef7c1e6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-01-03 Werner Lemberg
+
+ * src/cff/cffparse.c (cff_parse_num): Simplify.
+
 2017-01-03 Werner Lemberg
 
 Various fixes for clang's undefined behaviour sanitizer.
@@ -6,8 +10,8 @@
 (cff_blend_doBlend): Don't left-shift negative numbers.
 Handle 5-byte numbers byte by byte to avoid alignment issues.
 
- * src/cff/cffparse.c (cff_parse): Handle 5-byte numbers byte by byte
- to avoid alignment issues.
+ * src/cff/cffparse.c (cff_parse_num): Handle 5-byte numbers byte by
+ byte to avoid alignment issues.
 
 * src/cid/cidload (cid_read_subrs): Do nothing if we don't have any
 subrs.
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 3c701e0b8..e4ba8fd2b 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -448,13 +448,21 @@
 /* 16.16 fixed point is used internally for CFF2 blend results. */
 /* Since these are trusted values, a limit check is not needed. */
 
- /* After the 255, 4 bytes give the number. */
- /* Blend result is rounded to integer. */
+ /* After the 255, 4 bytes give the number. */
+ /* The blend value is converted to integer, with rounding; */
+ /* due to the right-shift we don't need the lowest byte. */
+#if 0
 return (FT_Short)(
- ( ( ( (FT_ULong)*( d[0] + 1 ) << 24 ) |
- ( (FT_ULong)*( d[0] + 2 ) << 16 ) |
- ( (FT_ULong)*( d[0] + 3 ) << 8 ) |
- (FT_ULong)*( d[0] + 4 ) ) + 0x8000U ) >> 16 );
+ ( ( ( (FT_UInt32)*( d[0] + 1 ) << 24 ) |
+ ( (FT_UInt32)*( d[0] + 2 ) << 16 ) |
+ ( (FT_UInt32)*( d[0] + 3 ) << 8 ) |
+ (FT_UInt32)*( d[0] + 4 ) ) + 0x8000U ) >> 16 );
+#else
+ return (FT_Short)(
+ ( ( ( (FT_UInt32)*( d[0] + 1 ) << 16 ) |
+ ( (FT_UInt32)*( d[0] + 2 ) << 8 ) |
+ (FT_UInt32)*( d[0] + 3 ) ) + 0x80U ) >> 8 );
+#endif
 }
 else