Commit 8c763fb1be3c709bd69e13278569a25c4c30ea84
2017-06-20T07:49:52
[cff, truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313 * src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32. * src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109
diff --git a/ChangeLog b/ChangeLog
index b5069b1..e50665b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2017-06-16 Werner Lemberg <wl@gnu.org>
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313
+
+ * src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32.
+
+ * src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
+
2017-06-17 Alexei Podtelezhnikov <apodtele@gmail.com>
[base, smooth] LCD filtering cleanups.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 0951e1e..e0f2cc9 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -440,14 +440,16 @@
/* is there room to move up? */
/* there is if we are at top of array or the next edge is at or */
/* beyond proposed move up? */
- if ( j >= hintmap->count - 1 ||
+ if ( j >= hintmap->count - 1 ||
hintmap->edge[j + 1].dsCoord >=
- hintmap->edge[j].dsCoord + moveUp + upMinCounter )
+ ADD_INT32( hintmap->edge[j].dsCoord,
+ moveUp + upMinCounter ) )
{
/* there is room to move up; is there also room to move down? */
- if ( i == 0 ||
+ if ( i == 0 ||
hintmap->edge[i - 1].dsCoord <=
- hintmap->edge[i].dsCoord + moveDown - downMinCounter )
+ ADD_INT32( hintmap->edge[i].dsCoord,
+ moveDown - downMinCounter ) )
{
/* move smaller absolute amount */
move = ( -moveDown < moveUp ) ? moveDown : moveUp; /* optimum */
@@ -458,9 +460,10 @@
else
{
/* is there room to move down? */
- if ( i == 0 ||
+ if ( i == 0 ||
hintmap->edge[i - 1].dsCoord <=
- hintmap->edge[i].dsCoord + moveDown - downMinCounter )
+ ADD_INT32( hintmap->edge[i].dsCoord,
+ moveDown - downMinCounter ) )
{
move = moveDown;
/* true if non-optimum move */
@@ -494,9 +497,11 @@
}
/* move the edge(s) */
- hintmap->edge[i].dsCoord += move;
+ hintmap->edge[i].dsCoord = ADD_INT32( hintmap->edge[i].dsCoord,
+ move );
if ( isPair )
- hintmap->edge[j].dsCoord += move;
+ hintmap->edge[j].dsCoord = ADD_INT32( hintmap->edge[j].dsCoord,
+ move );
}
/* assert there are no overlaps in device space */
@@ -544,15 +549,18 @@
/* is there room to move up? */
if ( hintmap->edge[j + 1].dsCoord >=
- hintmap->edge[j].dsCoord + hintMove->moveUp + CF2_MIN_COUNTER )
+ ADD_INT32( hintmap->edge[j].dsCoord,
+ hintMove->moveUp + CF2_MIN_COUNTER ) )
{
/* there is more room now, move edge up */
- hintmap->edge[j].dsCoord += hintMove->moveUp;
+ hintmap->edge[j].dsCoord = ADD_INT32( hintmap->edge[j].dsCoord,
+ hintMove->moveUp );
if ( cf2_hint_isPair( &hintmap->edge[j] ) )
{
FT_ASSERT( j > 0 );
- hintmap->edge[j - 1].dsCoord += hintMove->moveUp;
+ hintmap->edge[j - 1].dsCoord =
+ ADD_INT32( hintmap->edge[j - 1].dsCoord, hintMove->moveUp );
}
}
}
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index bf198f7..c6605bb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -2914,7 +2914,8 @@
static void
Ins_ABS( FT_Long* args )
{
- args[0] = FT_ABS( args[0] );
+ if ( args[0] < 0 )
+ args[0] = NEG_LONG( args[0] );
}