Commit 0aca17cf53f099f9ea34b3797949076073b60b5d
2017-08-22T08:25:14
[truetype] Integer overflow. Changes triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107 * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use NEG_LONG.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
diff --git a/ChangeLog b/ChangeLog
index 236842e..1031952 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-08-22 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Integer overflow.
+
+ Changes triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107
+
+ * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use
+ NEG_LONG.
+
2017-08-17 Alexei Podtelezhnikov <apodtele@gmail.com>
[sfnt] Avoid synthetic unicode for symbol fonts with PUA.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index bc20155..ddcc839 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6119,8 +6119,8 @@
}
else
{
- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
}
}
@@ -6303,8 +6303,8 @@
}
else
{
- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
}
}
@@ -6355,7 +6355,10 @@
}
if ( reverse_move )
- exc->func_move( exc, &exc->zp1, point, -( distance - cur_dist ) );
+ exc->func_move( exc,
+ &exc->zp1,
+ point,
+ SUB_LONG( cur_dist, distance ) );
}
#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
@@ -6557,7 +6560,7 @@
distance = PROJECT( exc->zp0.cur + p2, exc->zp1.cur + p1 ) / 2;
exc->func_move( exc, &exc->zp1, p1, distance );
- exc->func_move( exc, &exc->zp0, p2, -distance );
+ exc->func_move( exc, &exc->zp0, p2, NEG_LONG( distance ) );
}