[cff] Integer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089 * src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
diff --git a/ChangeLog b/ChangeLog
index 7f68614..6442e87 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-05 Werner Lemberg <wl@gnu.org>
+
+ [cff] Integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089
+
+ * src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
+
2017-06-04 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 3beaeb1..2ee4387 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1352,9 +1352,12 @@
sum = cff_parse_num( parser, &parser->stack[i + base] ) * 65536;
for ( j = 1; j < blend->lenBV; j++ )
- sum += FT_MulFix( *weight++,
- cff_parse_num( parser,
- &parser->stack[delta++] ) * 65536 );
+ sum = OVERFLOW_ADD_INT32(
+ sum,
+ FT_MulFix(
+ *weight++,
+ cff_parse_num( parser,
+ &parser->stack[delta++] ) * 65536 ) );
/* point parser stack to new value on blend_stack */
parser->stack[i + base] = subFont->blend_top;