kc3-lang/freetype

Browse

Commit 5c402d97afcc98cbb8d8e049409533f747c4c514

Werner Lemberg 2017-06-13T06:56:48

[cff, truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218 * src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32. * src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

diff --git a/ChangeLog b/ChangeLog
index ef88237..fe0f795 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2017-06-13  Werner Lemberg  <wl@gnu.org>
+
+	[cff, truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
+
+	* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
+
+	* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
+
 2017-06-11  Werner Lemberg  <wl@gnu.org>
 
 	[cff] Integer overflows.
diff --git a/src/cff/cf2fixed.h b/src/cff/cf2fixed.h
index d8e695b..a041184 100644
--- a/src/cff/cf2fixed.h
+++ b/src/cff/cf2fixed.h
@@ -66,7 +66,7 @@ FT_BEGIN_HEADER
 #define cf2_doubleToFixed( f )                                           \
           ( (CF2_Fixed)( (f) * 65536.0 + 0.5 ) )
 #define cf2_fixedAbs( x )                                                \
-          ( (x) < 0 ? -(x) : (x) )
+          ( (x) < 0 ? NEG_INT32( x ) : (x) )
 #define cf2_fixedFloor( x )                                              \
           ( (CF2_Fixed)( (FT_UInt32)(x) & 0xFFFF0000UL ) )
 #define cf2_fixedFraction( x )                                           \
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e527dfd..4e1167a 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6627,9 +6627,11 @@
         FT_Vector  vec;
 
 
-        vec.x = FT_MulFix( exc->zp1.orus[exc->GS.rp2].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].x,
+                                     orus_base->x ),
                            exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp1.orus[exc->GS.rp2].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].y,
+                                     orus_base->y ),
                            exc->metrics.y_scale );
 
         old_range = FAST_DUALPROJ( &vec );
@@ -6664,9 +6666,11 @@
         FT_Vector  vec;
 
 
-        vec.x = FT_MulFix( exc->zp2.orus[point].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp2.orus[point].x,
+                                     orus_base->x ),
                            exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp2.orus[point].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp2.orus[point].y,
+                                     orus_base->y ),
                            exc->metrics.y_scale );
 
         org_dist = FAST_DUALPROJ( &vec );
@@ -6705,7 +6709,7 @@
       exc->func_move( exc,
                       &exc->zp2,
                       (FT_UShort)point,
-                      new_dist - cur_dist );
+                      SUB_LONG( new_dist, cur_dist ) );
     }
 
   Fail:
kmx.io     mail     discord kmxgit v0.4.0