author | Stephan Bergmann <sbergman@redhat.com> | 2019-05-29 19:02:19 +0200 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2019-05-31 15:07:49 +0200 |
commit | c0a2335d89532119a04aad32316cabe9f1b5d149 (patch) | |
tree | ea3917d393d7943f18cbd31787de74acd9b00b89 /vcl/source/fontsubset | |
parent | 16091ff88aaab9ba9103c4e369bf79b97f431f40 (diff) |
Avoid UB shifting a negative int
`--convert-to pdf cdr/fdo55522-1.cdr` with cdr/fdo55522-1.cdr as obtained by
bin/get-bugzilla-attachments-by-mimetype (i.e., the attachment at
<https://bugs.documentfoundation.org/show_bug.cgi?id=55522#c0>) under
-fsanitize=undefined causes
> vcl/source/fontsubset/sft.cxx:580:34: runtime error: left shift of negative value -16384
> #0 in vcl::GetCompoundTTOutline(vcl::TrueTypeFont*, unsigned int, vcl::ControlPoint**, vcl::TTGlyphMetrics*, std::__debug::vector<unsigned int, std::allocator<unsigned int> >&) at vcl/source/fontsubset/sft.cxx:580:34 (instdir/program/libvcllo.so +0x94a45cd)
> #1 in vcl::GetTTGlyphOutline(vcl::TrueTypeFont*, unsigned int, vcl::ControlPoint**, vcl::TTGlyphMetrics*, std::__debug::vector<unsigned int, std::allocator<unsigned int> >*) at vcl/source/fontsubset/sft.cxx:688:15 (instdir/program/libvcllo.so +0x9479a18)
> #2 in vcl::GetCompoundTTOutline(vcl::TrueTypeFont*, unsigned int, vcl::ControlPoint**, vcl::TTGlyphMetrics*, std::__debug::vector<unsigned int, std::allocator<unsigned int> >&) at vcl/source/fontsubset/sft.cxx:543:19 (instdir/program/libvcllo.so +0x94a3ec9)
> #3 in vcl::GetTTGlyphOutline(vcl::TrueTypeFont*, unsigned int, vcl::ControlPoint**, vcl::TTGlyphMetrics*, std::__debug::vector<unsigned int, std::allocator<unsigned int> >*) at vcl/source/fontsubset/sft.cxx:688:15 (instdir/program/libvcllo.so +0x9479a18)
> #4 in vcl::GetTTGlyphPoints(vcl::TrueTypeFont*, unsigned int, vcl::ControlPoint**) at vcl/source/fontsubset/sft.cxx:1707:12 (instdir/program/libvcllo.so +0x9478c66)
> #5 in vcl::GetTTRawGlyphData(vcl::TrueTypeFont*, unsigned int) at vcl/source/fontsubset/sft.cxx:2480:9 (instdir/program/libvcllo.so +0x9487c85)
> #6 in vcl::CreateTTFromTTGlyphs(vcl::TrueTypeFont*, char const*, unsigned short const*, unsigned char const*, int) at vcl/source/fontsubset/sft.cxx:1955:32 (instdir/program/libvcllo.so +0x94821ce)
> #7 in psp::PrintFontManager::createFontSubset(FontSubsetInfo&, int, rtl::OUString const&, unsigned short const*, unsigned char const*, int*, int) at vcl/unx/generic/fontmanager/fontmanager.cxx:1094:41 (instdir/program/libvcllo.so +0x99dee87)
> #8 in CairoTextRender::CreateFontSubset(rtl::OUString const&, PhysicalFontFace const*, unsigned short const*, unsigned char const*, int*, int, FontSubsetInfo&) at vcl/unx/generic/gdi/cairotextrender.cxx:494:26 (instdir/program/libvcllo.so +0x98af6bc)
> #9 in SvpSalGraphics::CreateFontSubset(rtl::OUString const&, PhysicalFontFace const*, unsigned short const*, unsigned char const*, int*, int, FontSubsetInfo&) at vcl/headless/svptext.cxx:74:30 (instdir/program/libvcllo.so +0x98a10a3)
> #10 in vcl::PDFWriterImpl::emitFonts() at vcl/source/gdi/pdfwriter_impl.cxx:2815:28 (instdir/program/libvcllo.so +0x7fdbd2d)
> #11 in vcl::PDFWriterImpl::emitResources() at vcl/source/gdi/pdfwriter_impl.cxx:3045:5 (instdir/program/libvcllo.so +0x7fe3188)
> #12 in vcl::PDFWriterImpl::emitCatalog() at vcl/source/gdi/pdfwriter_impl.cxx:4528:5 (instdir/program/libvcllo.so +0x8023c46)
> #13 in vcl::PDFWriterImpl::emit() at vcl/source/gdi/pdfwriter_impl.cxx:5748:5 (instdir/program/libvcllo.so +0x8044e2d)
> #14 in vcl::PDFWriter::Emit() at vcl/source/gdi/pdfwriter.cxx:52:29 (instdir/program/libvcllo.so +0x7f017bc)
> #15 in PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdfexport.cxx:957:40 (instdir/program/../program/libpdffilterlo.so +0x2f1789)
> #16 in PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:155:24 (instdir/program/../program/libpdffilterlo.so +0x33ac4f)
> #17 in PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:216:23 (instdir/program/../program/libpdffilterlo.so +0x33babf)
> #18 in SfxObjectShell::ExportTo(SfxMedium&) at sfx2/source/doc/objstor.cxx:2422:25 (instdir/program/libsfxlo.so +0x4a4e283)
> #19 in SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) at sfx2/source/doc/objstor.cxx:1513:19 (instdir/program/libsfxlo.so +0x4a3e302)
> #20 in SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&) at sfx2/source/doc/objstor.cxx:2828:39 (instdir/program/libsfxlo.so +0x4a6d72c)
> #21 in SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objstor.cxx:2685:9 (instdir/program/libsfxlo.so +0x4a671c3)
> #22 in SfxObjectShell::APISaveAs_Impl(rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objserv.cxx:326:19 (instdir/program/libsfxlo.so +0x49de0b8)
> #23 in SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) at sfx2/source/doc/sfxbasemodel.cxx:3026:42 (instdir/program/libsfxlo.so +0x4bc9c26)
> #24 in SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sfx2/source/doc/sfxbasemodel.cxx:1697:13 (instdir/program/libsfxlo.so +0x4bd02fb)
[...]
and then later a similar
> vcl/source/fontsubset/sft.cxx:590:34: runtime error: left shift of negative value -16384
[...]
Change-Id: I12444a704870d7a03ead6be5c039934e826fda7d
Reviewed-on: https://gerrit.libreoffice.org/73184
Reviewed-by: Khaled Hosny <khaledhosny@eglug.org>
Tested-by: Jenkins
Diffstat (limited to 'vcl/source/fontsubset')
-rw-r--r-- | vcl/source/fontsubset/sft.cxx | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 613cf79f9734..2ad41691f1ef 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -487,6 +487,12 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr
 return lastPoint + 1;
 }
+static F16Dot16 fromF2Dot14(sal_Int16 n)
+{
+ // Avoid undefined shift of negative values prior to C++2a:
+ return sal_uInt32(n) << 2;
+}
+
 static int GetCompoundTTOutline(TrueTypeFont *ttf, sal_uInt32 glyphID, ControlPoint **pointArray, TTGlyphMetrics *metrics, std::vector< sal_uInt32 >& glyphlist)
 {
 sal_uInt16 flags, index;
@@ -577,18 +583,18 @@ static int GetCompoundTTOutline(TrueTypeFont *ttf, sal_uInt32 glyphID, ControlPo
 b = c = 0;
 if (flags & WE_HAVE_A_SCALE) {
- a = GetInt16(ptr, 0) << 2;
+ a = fromF2Dot14(GetInt16(ptr, 0));
 d = a;
 ptr += 2;
 } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
- a = GetInt16(ptr, 0) << 2;
- d = GetInt16(ptr, 2) << 2;
+ a = fromF2Dot14(GetInt16(ptr, 0));
+ d = fromF2Dot14(GetInt16(ptr, 2));
 ptr += 4;
 } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
- a = GetInt16(ptr, 0) << 2;
- b = GetInt16(ptr, 2) << 2;
- c = GetInt16(ptr, 4) << 2;
- d = GetInt16(ptr, 6) << 2;
+ a = fromF2Dot14(GetInt16(ptr, 0));
+ b = fromF2Dot14(GetInt16(ptr, 2));
+ c = fromF2Dot14(GetInt16(ptr, 4));
+ d = fromF2Dot14(GetInt16(ptr, 6));
 ptr += 8;
 } |
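Review bot: The comment in `fromF2Dot14` explains the cast to unsigned but not the conversion back to the return type. `sal_uInt32(n) << 2` is returned as `F16Dot16`; if that is a signed 32-bit type (its definition is outside the hunk), a negative `n` yields an out-of-range unsigned value whose conversion to signed is implementation-defined before C++20. That is no longer undefined and gives the expected result on two's-complement targets, but it deserves a line such as `// 2.14 -> 16.16 fixed point; the unsigned result converts back to the signed value (implementation-defined before C++20)`. Alternatively `return sal_Int32(n) * 4;` produces the same value with no shift and no implementation-defined step, since a 16-bit input times 4 cannot overflow 32 bits.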
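Review bot: Nothing in this hunk checks how many bytes remain behind `ptr` before the `GetInt16(ptr, 0)` through `GetInt16(ptr, 6)` reads. The branch taken depends on `flags`, which presumably comes from the glyph record of the font being subset, so the read length is chosen by file content. The enclosing loop of GetCompoundTTOutline starts and ends outside the hunk, so a length check may already exist there; if it does not, a truncated compound glyph in an embedded font would be read past its end. If the invariant holds, record it above the `if` chain with a comment such as `// ptr has at least 8 readable bytes here: checked against the glyph record length above`; if it does not, each branch needs a guard on the remaining length before it reads 2, 4 or 8 bytes.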