[truetype] Limit delta shift range.

The legal range for delta shift is zero through six. Negative values are illegal according to https://developer.apple.com/fonts/TrueType-Reference-Manual/RM04/Chap4.html#delta%20shift * src/truetype/ttobjs.h (delta_shift, delta_base): Make unsigned. * src/truetype/ttinterp.h (DO_SDS): Throw an error if delta_shift out of range. (Ins_DELTAP, Ins_DELTAC): Optimize for legal delta_shift.
author: Alexei Podtelezhnikov <apodtele@gmail.com> 2014-10-14 23:03:56 -0400
committer: Alexei Podtelezhnikov <apodtele@gmail.com> 2014-10-14 23:03:56 -0400
commit: 7e83f06804c3c4d9c740c857b913595939490e80 (patch)
tree: af1266926e902a7fbfb916e70c9e6bd9bb04ed94 /src
parent: 3889cb2faa1f5520d6b26d3eb56b4f83525e4e68 (diff)
download: freetype2-7e83f06804c3c4d9c740c857b913595939490e80.tar.gz
2 files changed, 11 insertions, 8 deletions
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 7d0248bda..324cbc104 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3081,12 +3081,15 @@
     CUR.GS.auto_flip = FALSE;
 
 
-#define DO_SDB                             \
-    CUR.GS.delta_base = (FT_Short)args[0];
+#define DO_SDB                              \
+    CUR.GS.delta_base = (FT_UShort)args[0];
 
 
-#define DO_SDS                              \
-    CUR.GS.delta_shift = (FT_Short)args[0];
+#define DO_SDS                                 \
+    if ( (FT_ULong)args[0] > 6UL )             \
+      CUR.error = FT_THROW( Bad_Argument );    \
+    else                                       \
+      CUR.GS.delta_shift = (FT_UShort)args[0];
 
 
 #define DO_MD  /* nothing */
@@ -7577,7 +7580,7 @@
           B = ( (FT_ULong)B & 0xF ) - 8;
           if ( B >= 0 )
             B++;
-          B = B * 64 / ( 1L << CUR.GS.delta_shift );
+          B *= 1L << ( 6 - CUR.GS.delta_shift );
 
 #ifdef TT_CONFIG_OPTION_SUBPIXEL_HINTING
 
@@ -7747,7 +7750,7 @@
           B = ( (FT_ULong)B & 0xF ) - 8;
           if ( B >= 0 )
             B++;
-          B = B * 64 / ( 1L << CUR.GS.delta_shift );
+          B *= 1L << ( 6 - CUR.GS.delta_shift );
 
           CUR_Func_move_cvt( A, B );
         }
diff --git a/src/truetype/ttobjs.h b/src/truetype/ttobjs.h
index 47d50d9e4..859164f86 100644
--- a/src/truetype/ttobjs.h
+++ b/src/truetype/ttobjs.h
@@ -95,8 +95,8 @@ FT_BEGIN_HEADER
     FT_F26Dot6     control_value_cutin;
     FT_F26Dot6     single_width_cutin;
     FT_F26Dot6     single_width_value;
-    FT_Short       delta_base;
-    FT_Short       delta_shift;
+    FT_UShort      delta_base;
+    FT_UShort      delta_shift;
 
     FT_Byte        instruct_control;
     /* According to Greg Hitchcock from Microsoft, the `scan_control'     */
author	Alexei Podtelezhnikov <apodtele@gmail.com>	2014-10-14 23:03:56 -0400
committer	Alexei Podtelezhnikov <apodtele@gmail.com>	2014-10-14 23:03:56 -0400
commit	7e83f06804c3c4d9c740c857b913595939490e80 (patch)
tree	af1266926e902a7fbfb916e70c9e6bd9bb04ed94 /src
parent	3889cb2faa1f5520d6b26d3eb56b4f83525e4e68 (diff)
download	freetype2-7e83f06804c3c4d9c740c857b913595939490e80.tar.gz