Commit 298e2ea5a6c2e3264f8abaa8b1d2371fb4c77f4d
2017-06-22T11:52:43
[cff, truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328 * src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and SUB_INT32. * src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
diff --git a/ChangeLog b/ChangeLog
index 3c95165..f40f4db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-22 Werner Lemberg <wl@gnu.org>
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
+
+ * src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
+ SUB_INT32.
+
+ * src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
+
2017-06-21 Alexei Podtelezhnikov <apodtele@gmail.com>
[sfnt] Synthesize a Unicode charmap if one is missing.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index f5b44b2..f9f5bbb 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -515,7 +515,7 @@
dsNew = cf2_fixedRound( bottomHintEdge->dsCoord );
}
- dsMove = dsNew - bottomHintEdge->dsCoord;
+ dsMove = SUB_INT32( dsNew, bottomHintEdge->dsCoord );
captured = TRUE;
break;
@@ -549,7 +549,7 @@
dsNew = cf2_fixedRound( topHintEdge->dsCoord );
}
- dsMove = dsNew - topHintEdge->dsCoord;
+ dsMove = SUB_INT32( dsNew, topHintEdge->dsCoord );
captured = TRUE;
break;
@@ -562,13 +562,14 @@
/* move both edges and flag them `locked' */
if ( cf2_hint_isValid( bottomHintEdge ) )
{
- bottomHintEdge->dsCoord += dsMove;
+ bottomHintEdge->dsCoord = ADD_INT32( bottomHintEdge->dsCoord,
+ dsMove );
cf2_hint_lock( bottomHintEdge );
}
if ( cf2_hint_isValid( topHintEdge ) )
{
- topHintEdge->dsCoord += dsMove;
+ topHintEdge->dsCoord = ADD_INT32( topHintEdge->dsCoord, dsMove );
cf2_hint_lock( topHintEdge );
}
}
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index c6605bb..a032923 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4927,12 +4927,12 @@
}
{
- FT_Vector* v1 = exc->zp1.org + p2;
- FT_Vector* v2 = exc->zp2.org + p1;
+ FT_Vector* v1 = exc->zp1.org + p2;
+ FT_Vector* v2 = exc->zp2.org + p1;
- A = v1->x - v2->x;
- B = v1->y - v2->y;
+ A = SUB_LONG( v1->x, v2->x );
+ B = SUB_LONG( v1->y, v2->y );
/* If v1 == v2, SDPvTL behaves the same as */
/* SVTCA[X], respectively. */
@@ -4948,9 +4948,9 @@
if ( ( opcode & 1 ) != 0 )
{
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
}
Normalize( A, B, &exc->GS.dualVector );
@@ -4960,8 +4960,8 @@
FT_Vector* v2 = exc->zp2.cur + p1;
- A = v1->x - v2->x;
- B = v1->y - v2->y;
+ A = SUB_LONG( v1->x, v2->x );
+ B = SUB_LONG( v1->y, v2->y );
if ( A == 0 && B == 0 )
{
@@ -4972,9 +4972,9 @@
if ( ( opcode & 1 ) != 0 )
{
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
}
Normalize( A, B, &exc->GS.projVector );