diff --git a/ChangeLog b/ChangeLog index 3d8fc5ced..f3ea117f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2018-05-30 Armin Hasitzka + + Fix pointer underflow. + + The declaration of `edge2' can be reached with `edge1 == NULL' and + `axis->edges == 0' which results in undefined behaviour. + + * src/autofit/afloader.c (af_loader_load_glyph): Initialise `edge2' + after checking `axis->num_edges > 1'. `edge1 != NULL' can be assumed. + 2018-05-30 Werner Lemberg Various minor color fixes. diff --git a/src/autofit/afloader.c b/src/autofit/afloader.c index 0a0ec5b2a..5cef7c1f9 100644 --- a/src/autofit/afloader.c +++ b/src/autofit/afloader.c @@ -434,13 +434,14 @@ FT_Pos pp1x_uh, pp2x_uh; AF_AxisHints axis = &hints->axis[AF_DIMENSION_HORZ]; - AF_Edge edge1 = axis->edges; /* leftmost edge */ - AF_Edge edge2 = edge1 + - axis->num_edges - 1; /* rightmost edge */ + AF_Edge edge1 = axis->edges; /* leftmost edge */ + AF_Edge edge2; /* rightmost edge */ if ( axis->num_edges > 1 && AF_HINTS_DO_ADVANCE( hints ) ) { + edge2 = edge1 + axis->num_edges - 1; + old_rsb = loader->pp2.x - edge2->opos; /* loader->pp1.x is always zero at this point of time */ old_lsb = edge1->opos /* - loader->pp1.x */;