Commit 0716c6ab7a1c43ba88192498d23e84178e216820

Werner Lemberg 2017-06-02T19:24:03

[cff] Even more integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046 * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use OVERFLOW_ADD_INT32.

diff --git a/ChangeLog b/ChangeLog
index 1b7335d..77446ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2017-06-02  Werner Lemberg  <wl@gnu.org>
 
+	[cff] Even more integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
+
+	* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
+	OVERFLOW_ADD_INT32.
+
+2017-06-02  Werner Lemberg  <wl@gnu.org>
+
 	[cff] More integer overflows.
 
 	Reported as
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 463b7e8..3564758 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -304,10 +304,12 @@
       CF2_StemHintRec  stemhint;
 
 
-      stemhint.min  =
-        position   += cf2_stack_getReal( opStack, i );
-      stemhint.max  =
-        position   += cf2_stack_getReal( opStack, i + 1 );
+      stemhint.min =
+      position     = OVERFLOW_ADD_INT32( position,
+                                         cf2_stack_getReal( opStack, i ) );
+      stemhint.max =
+      position     = OVERFLOW_ADD_INT32( position,
+                                         cf2_stack_getReal( opStack, i + 1 ) );
 
       stemhint.used  = FALSE;
       stemhint.maxDS =
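Review bot: The chained assignment `stemhint.min = position = OVERFLOW_ADD_INT32( ... )` on the three new lines (and its twin for `stemhint.max`) is laid out with both left-hand sides at the same column, so it reads like two separate statements and the dependency of `stemhint.min` on the updated `position` is easy to miss; writing it as `position = OVERFLOW_ADD_INT32( position, cf2_stack_getReal( opStack, i ) );` followed by `stemhint.min = position;` says the same thing unambiguously. OVERFLOW_ADD_INT32 is not defined in this diff; if it merely performs the addition in unsigned arithmetic to avoid signed-overflow UB rather than rejecting or clamping the operand, a wrapped `position` still flows into `stemhint.min`/`stemhint.max` and the hint is recorded at a meaningless coordinate, which deserves a comment at the first use such as `/* wrapping add: avoids UB on overflow, does not validate the operand */` (confirm against the macro's definition). The same remark applies to the `curX`/`curY` update in the second hunk of this file. The enclosing function (cf2_doStems, per the commit message) begins and ends outside this hunk.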
@@ -1617,8 +1619,8 @@
         if ( font->decoder->width_only )
           goto exit;
 
-        curY += cf2_stack_popFixed( opStack );
-        curX += cf2_stack_popFixed( opStack );
+        curY = OVERFLOW_ADD_INT32( curY, cf2_stack_popFixed( opStack ) );
+        curX = OVERFLOW_ADD_INT32( curX, cf2_stack_popFixed( opStack ) );
 
         cf2_glyphpath_moveTo( &glyphPath, curX, curY );