[subset] fix potential integer overflow in gname_t::cmp.

2022-05-13 18:05:05 +00:00 · 2022-05-13 18:05:05 +00:00 · 19a8db8545
parent 2d2f66e1a3
commit 19a8db8545
2 changed files with 3 additions and 2 deletions
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@ -204,8 +204,9 @@ struct CFFIndex
  unsigned int offset_at (unsigned int index) const
  {
    assert (index <= count);
-    const HBUINT8 *p = offsets + offSize * index;
+
    unsigned int size = offSize;
+    const HBUINT8 *p = offsets + size * index;
    unsigned int offset = 0;
    for (; size; size--)
      offset = (offset << 8) + *p++;
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@ -1360,7 +1360,7 @@ struct cff1
      {
 	const gname_t *a = (const gname_t *)a_;
 	const gname_t *b = (const gname_t *)b_;
-	int minlen = hb_min (a->name.length, b->name.length);
+	unsigned minlen = hb_min (a->name.length, b->name.length);
 	int ret = strncmp (a->name.arrayZ, b->name.arrayZ, minlen);
 	if (ret) return ret;
 	return a->name.length - b->name.length;