Commit 0c14a3adb08ca5aaac3188a63246361c50b069d4
2019-12-14T00:04:01
[truetype] Fix integer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305 * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43
diff --git a/ChangeLog b/ChangeLog
index 0c3f4e4..720a38c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2019-12-14 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Fix integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
+
+ * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
+
2019-12-13 Werner Lemberg <wl@gnu.org>
Another bunch of UBSan warnings on adding offsets to nullptr.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index cedc4a5..7d021eb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6346,12 +6346,14 @@
/* twilight points (confirmed by Greg Hitchcock) */
if ( exc->GS.gep1 == 0 )
{
- exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x +
- TT_MulFix14( cvt_dist,
- exc->GS.freeVector.x );
- exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y +
- TT_MulFix14( cvt_dist,
- exc->GS.freeVector.y );
+ exc->zp1.org[point].x = ADD_LONG(
+ exc->zp0.org[exc->GS.rp0].x,
+ TT_MulFix14( cvt_dist,
+ exc->GS.freeVector.x ) );
+ exc->zp1.org[point].y = ADD_LONG(
+ exc->zp0.org[exc->GS.rp0].y,
+ TT_MulFix14( cvt_dist,
+ exc->GS.freeVector.y ) );
exc->zp1.cur[point] = exc->zp1.org[point];
}