@@ -742,21 +742,19 @@ GlyphInfo *LoadFontData(const unsigned char *fileData, int dataSize, int fontSiz
742742 {
743743 stbtt_GetCodepointHMetrics (& fontInfo , cp , & glyphs [k ].advanceX , NULL );
744744 glyphs [k ].advanceX = (int )((float )glyphs [k ].advanceX * scaleFactor );
745-
746- // [Security Fix] Prevent integer overflow/negative allocation
747- // Issue #5436: Malicious font files may contain negative advanceX,
748- // causing calloc overflow or crash
749- if (glyphs [k ].advanceX < 0 ) glyphs [k ].advanceX = 0 ;
750-
745+
751746 Image imSpace = {
752- // Only allocate memory if width > 0, otherwise set to NULL
753- .data = (glyphs [k ].advanceX > 0 ) ? RL_CALLOC (glyphs [k ].advanceX * fontSize , 2 ) : NULL ,
747+ .data = NULL ,
754748 .width = glyphs [k ].advanceX ,
755749 .height = fontSize ,
756750 .mipmaps = 1 ,
757751 .format = PIXELFORMAT_UNCOMPRESSED_GRAYSCALE
758752 };
759753
754+ // Only allocate space image if required
755+ if (glyphs [k ].advanceX > 0 ) imSpace .data = RL_CALLOC (glyphs [k ].advanceX * fontSize , 1 );
756+ else glyphs [k ].advanceX = 0 ;
757+
760758 glyphs [k ].image = imSpace ;
761759 }
762760
@@ -859,8 +857,8 @@ Image GenImageFontAtlas(const GlyphInfo *glyphs, Rectangle **glyphRecs, int glyp
859857 }
860858#endif
861859
862- int atlasDataSize = atlas .width * atlas .height ; // Save total size for bounds checking
863- atlas .data = (unsigned char * )RL_CALLOC (1 , atlasDataSize ); // Create a bitmap to store characters (8 bpp)
860+ int atlasDataSize = atlas .width * atlas .height ; // Save total size for bounds checking
861+ atlas .data = (unsigned char * )RL_CALLOC (atlasDataSize , 1 ); // Create a bitmap to store characters (8 bpp)
864862 atlas .format = PIXELFORMAT_UNCOMPRESSED_GRAYSCALE ;
865863 atlas .mipmaps = 1 ;
866864
@@ -908,13 +906,11 @@ Image GenImageFontAtlas(const GlyphInfo *glyphs, Rectangle **glyphRecs, int glyp
908906 int destX = offsetX + x ;
909907 int destY = offsetY + y ;
910908
911- // Security fix: check both lower and upper bounds
912- // destX >= 0: prevent heap underflow (#5434)
913- // destX < atlas.width: prevent heap overflow (#5433)
914- if (destX >= 0 && destX < atlas .width && destY >= 0 && destY < atlas .height )
909+ // Security: check both lower and upper bounds
910+ if ((destX >= 0 ) && (destX < atlas .width ) && (destY >= 0 ) && (destY < atlas .height ))
915911 {
916- ((unsigned char * )atlas .data )[destY * atlas .width + destX ] =
917- ((unsigned char * )glyphs [i ].image .data )[y * glyphs [i ].image .width + x ];
912+ ((unsigned char * )atlas .data )[destY * atlas .width + destX ] =
913+ ((unsigned char * )glyphs [i ].image .data )[y * glyphs [i ].image .width + x ];
918914 }
919915 }
920916 }
@@ -985,10 +981,9 @@ Image GenImageFontAtlas(const GlyphInfo *glyphs, Rectangle **glyphRecs, int glyp
985981
986982#if defined(SUPPORT_FONT_ATLAS_WHITE_REC )
987983 // Add a 3x3 white rectangle at the bottom-right corner of the generated atlas,
988- // useful to use as the white texture to draw shapes with raylib.
989- // [Security Fix] Ensure the atlas is large enough to hold a 3x3 rectangle.
990- // This prevents heap underflow when width < 3 or height < 3 (Fixes #5434 variant)
991- if (atlas .width >= 3 && atlas .height >= 3 )
984+ // useful to use as the white texture to draw shapes with raylib
985+ // Security: ensure the atlas is large enough to hold a 3x3 rectangle
986+ if ((atlas .width >= 3 ) && (atlas .height >= 3 ))
992987 {
993988 for (int i = 0 , k = atlas .width * atlas .height - 1 ; i < 3 ; i ++ )
994989 {
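Review bot: In the first hunk (LoadFontData), `.width = glyphs[k].advanceX` is evaluated in the `imSpace` initializer before the new `else glyphs[k].advanceX = 0;` runs, so a font that yields a negative advance now leaves the space glyph's image with a negative width and NULL data, where the removed code clamped the value before building the image. Clamping first keeps the two consistent: put `if (glyphs[k].advanceX < 0) glyphs[k].advanceX = 0;` ahead of `Image imSpace = {`, or use `else { glyphs[k].advanceX = 0; imSpace.width = 0; }`. The size is also still multiplied in `int` (`glyphs[k].advanceX * fontSize`) before the allocator sees it, so a large advance can overflow unnoticed; assuming RL_CALLOC maps to calloc, `RL_CALLOC(glyphs[k].advanceX, fontSize)` lets the allocator reject an oversized product, and the result deserves a NULL check. The same pattern applies to `atlasDataSize` in the second hunk. Both functions continue outside the hunks shown, so how later code treats a negative `image.width` cannot be confirmed from here.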