kmx git

Commit 1ea343228d8987afae5f58908581c1e59e26e9ad

2017-06-03T06:52:13

[cff, truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057 * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32. * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG. (Ins_SUB): Use OVERFLOW_SUB_LONG. (Ins_NEG): Use NEG_LONG.

diff --git a/ChangeLog b/ChangeLog
index 5976f0e..83a239a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
 2017-06-03  Werner Lemberg  <wl@gnu.org>
 
+	[cff, truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
+
+	* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
+
+	* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
+	(Ins_SUB): Use OVERFLOW_SUB_LONG.
+	(Ins_NEG): Use NEG_LONG.
+
+2017-06-03  Werner Lemberg  <wl@gnu.org>
+
 	ftcalc.h: Avoid left-shift of negative numbers.
 
 	Reported as
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index dbd3c88..89af2ff 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -343,7 +343,8 @@
          * Use edge[i], the highest entry where csCoord >= entry[i].csCoord
          */
         return OVERFLOW_ADD_INT32(
-                 FT_MulFix( csCoord - hintmap->edge[i].csCoord,
+                 FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
+                                                hintmap->edge[i].csCoord ),
                             hintmap->edge[i].scale ),
                  hintmap->edge[i].dsCoord );
       }
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 775d110..cbb7540 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -2826,7 +2826,7 @@
   static void
   Ins_ADD( FT_Long*  args )
   {
-    args[0] += args[1];
+    args[0] = OVERFLOW_ADD_LONG( args[0], args[1] );
   }
 
 
@@ -2839,7 +2839,7 @@
   static void
   Ins_SUB( FT_Long*  args )
   {
-    args[0] -= args[1];
+    args[0] = OVERFLOW_SUB_LONG( args[0], args[1] );
   }
 
 
@@ -2895,7 +2895,7 @@
   static void
   Ins_NEG( FT_Long*  args )
   {
-    args[0] = -args[0];
+    args[0] = NEG_LONG( args[0] );
   }
 
 
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index f5c661f..f569d6b 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -329,8 +329,8 @@
     for ( i = 0; i < mmaster.num_axis; i++ )
     {
       mmvar->axis[i].name    = mmaster.axis[i].name;
-      mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum);
-      mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum);
+      mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum );
+      mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum );
       mmvar->axis[i].def     = ( mmvar->axis[i].minimum +
                                    mmvar->axis[i].maximum ) / 2;
                             /* Does not apply.  But this value is in range */

kc3-lang/freetype

Commit 1ea343228d8987afae5f58908581c1e59e26e9ad