Commit 6b660f12151c7f333f8be6d84df916db210d3742

Werner Lemberg 2018-10-02T16:48:59

[psaux] Fix numeric overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.

diff --git a/ChangeLog b/ChangeLog
index 8a308a6..123cc51 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2018-10-02  Werner Lemberg  <wl@gnu.org>
 
+	[psaux] Fix numeric overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
+
+2018-10-02  Werner Lemberg  <wl@gnu.org>
+
 	[pshinter] Handle numeric overflow.
 
 	Reported as
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 0576ca6..b90a828 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1839,7 +1839,7 @@
               /* before C99 it is implementation-defined whether    */
               /* the result of `%' is negative if the first operand */
               /* is negative                                        */
-              idx = -( ( -idx ) % count );
+              idx = -( NEG_INT( idx ) % count );
               while ( idx < 0 )
               {
                 FT_Fixed  tmp = args[0];
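
Review bot: On the changed line `idx = -( NEG_INT( idx ) % count );`, the comment block directly above still explains only the pre-C99 `%` sign rule and gives no reason for replacing the plain negation. Add a line saying that `-idx` overflows when `idx` is the most negative value and that NEG_INT is used to avoid that. The comment should also say what NEG_INT yields for that input: if the result is still negative, the first operand of `%` is negative in exactly the case the comment calls implementation-defined before C99. The outer unary minus is still a plain negation; it looks safe because the `%` result is smaller in magnitude than `count`, but that reasoning should be stated next to the expression rather than left implicit.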