Commit 83fc524dfc93bfabee681ea2484b93ad1f66ca15

Werner Lemberg 2018-10-02T16:36:49

[pshinter] Handle numeric overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10550

* src/pshinter/pshglob.c (psh_blues_snap_stem): Mask numeric overflow.

diff --git a/ChangeLog b/ChangeLog
index 0b8da23..8a308a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-10-02  Werner Lemberg  <wl@gnu.org>
+
+	[pshinter] Handle numeric overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10550
+
+	* src/pshinter/pshglob.c (psh_blues_snap_stem): Mask numeric
+	overflow.
+
 2018-09-27  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	Align FreeType with standard C memory management.
@@ -138,7 +149,7 @@
 	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10396
 
 	* src/pshinter/pshglob.c: Include FT_INTERNAL_CALC_H.
-	(psh_blues_snap_stems): Mask numeric overflow.
+	(psh_blues_snap_stem): Mask numeric overflow.
 
 2018-09-13  Werner Lemberg  <wl@gnu.org>
 
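Review bot: The change from psh_blues_snap_stems to psh_blues_snap_stem in the older entry (the one citing issue 10396) corrects a past ChangeLog entry, but neither the commit message nor the new 2018-10-02 entry mentions it. Consider noting the correction in the new entry, or committing it separately, so the edit to the earlier record stays traceable.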
diff --git a/src/pshinter/pshglob.c b/src/pshinter/pshglob.c
index 5f5ae2d..8706e2b 100644
--- a/src/pshinter/pshglob.c
+++ b/src/pshinter/pshglob.c
@@ -591,7 +591,7 @@
 
     for ( ; count > 0; count--, zone-- )
     {
-      delta = zone->org_top - stem_bot;
+      delta = SUB_LONG( zone->org_top, stem_bot );
       if ( delta < -blues->blue_fuzz )
         break;
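Review bot: In the zone loop, delta = SUB_LONG( zone->org_top, stem_bot ) masks the overflow rather than rejecting the input, so the value tested by delta < -blues->blue_fuzz on the next line can be a wrapped difference whose sign no longer reflects the real distance between zone and stem. A short comment stating that the wrapped result is acceptable for the snap decision would help the next reader. Since the ChangeLog shows this same function already received a masking fix for issue 10396, it is also worth auditing the remaining raw subtractions in psh_blues_snap_stem in one pass rather than one fuzzer report at a time.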