From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 14 Nov 2022 19:18:19 +0100
Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
 overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462

Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
CVE: CVE-2023-2004
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 src/truetype/ttgxvar.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 7f2db0c..8968111 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -42,6 +42,7 @@
 #include <ft2build.h>
 #include <freetype/internal/ftdebug.h>
 #include FT_CONFIG_CONFIG_H
+#include <freetype/internal/ftcalc.h>
 #include <freetype/internal/ftstream.h>
 #include <freetype/internal/sfnt.h>
 #include <freetype/tttags.h>
@@ -1147,7 +1148,7 @@
                 delta == 1 ? "" : "s",
                 vertical ? "VVAR" : "HVAR" ));
 
-    *avalue += delta;
+    *avalue = ADD_INT( *avalue, delta );
 
   Exit:
     return error;
-- 
2.25.1