
Re: [ft-devel] details on iPhone exploit caused by FreeType?


From: Werner LEMBERG
Subject: Re: [ft-devel] details on iPhone exploit caused by FreeType?
Date: Thu, 14 Jul 2011 18:00:53 +0200 (CEST)

Here's the answer from Matthias.

> 1) Fix2Int does shift before conversion.  How does it solve the
>    undefined behavior with negative numbers?

After the shift, the upper half is undefined.  The cast to Short cuts
off the upper half, and the following cast to Int does the sign
extension in a defined manner.

> 2) Why not (FT_Int)(FT_UInt)?

This wouldn't work.  What one could do is to do the sign extension
manually:

  Int result;
  result = (UInt)(f) >> 16;     /* shift as unsigned, so no sign bit is shifted */
  if (result & 0x8000)          /* bit 15 is the sign of the 16-bit integer part */
    result |= 0xffff0000;       /* replicate it into the upper half */

> 3) Is Fix2Int conversion shared with other parts of FreeType?

No.  The 16.16 fixed-point format is PostScript-specific.  I only
checked within the psaux directory and didn't find uses besides the
ones covered by the patch.

best regards
Matthias
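The two conversions discussed above, written out as an added example that is not part of the thread or of FreeType's code. The type names are stand-ins for FT_Fixed/FT_Short/FT_Int (assumed, not FreeType's headers), and a floor-division reference is included so both variants can be checked against it at the sign boundaries.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed stand-ins for FreeType's types: a 16.16 fixed-point value
   is a 32-bit signed integer; Short is 16-bit, Int is 32-bit. */
typedef int32_t  Fixed;
typedef uint32_t UFixed;
typedef int16_t  Short;
typedef int32_t  Int;

/* Variant from the thread: shift as unsigned (the shift itself is then
   well defined), cut to 16 bits via Short, widen to Int.  The Short cast
   of a value >= 0x8000 is implementation-defined in ISO C; every
   two's-complement compiler wraps it, which is what the code relies on. */
Int fix2int_cast(Fixed f)
{
    return (Int)(Short)((UFixed)f >> 16);
}

/* Variant from the thread with the sign extension done by hand:
   if bit 15 of the shifted value is set, replicate it into bits 16..31. */
Int fix2int_manual(Fixed f)
{
    UFixed hi = (UFixed)f >> 16;   /* 0 .. 0xFFFF, no sign involved yet */
    if (hi & 0x8000u)
        hi |= 0xFFFF0000u;
    return (Int)hi;                /* same implementation-defined wrap as above */
}

/* Reference: the integer part of a 16.16 number is floor(f / 65536),
   computed with in-range signed arithmetic only (C division truncates). */
Int fix2int_reference(Fixed f)
{
    Int q = f / 65536;
    if (f < 0 && f % 65536 != 0)
        q -= 1;
    return q;
}

/* Returns 1 if both variants agree with the reference on values that
   straddle the sign boundaries, 0 otherwise. */
int fix2int_variants_agree(void)
{
    const Fixed samples[] = { 0, 1, -1, 0x10000, -0x10000, -0x18000,
                              0x7FFF8000, INT32_MIN, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        Int r = fix2int_reference(samples[i]);
        if (fix2int_cast(samples[i]) != r || fix2int_manual(samples[i]) != r)
            return 0;
    }
    return 1;
}
```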


