freetype-commit

[freetype2] master 3802ca8: [cff] Fix integer overflows.


From: Werner LEMBERG
Subject: [freetype2] master 3802ca8: [cff] Fix integer overflows.
Date: Fri, 2 Jun 2017 02:44:38 -0400 (EDT)

branch: master
commit 3802ca8b643dbc966d12ef11ed8e2e5893cabef2
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff] Fix integer overflows.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
    
    * src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
    (cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
---
 ChangeLog          | 12 ++++++++++++
 src/cff/cf2hints.c | 18 ++++++++++--------
 src/cff/cf2intrp.c |  7 +++++--
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04d70a3..15b77ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-06-02  Werner Lemberg  <address@hidden>
+
+       [cff] Fix integer overflows.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
+
+       * src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
+       (cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
+
 2017-06-01  Werner Lemberg  <address@hidden>
 
        [smooth] Some 32bit integer overflow run-time errors.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 5efb180..dbd3c88 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -638,14 +638,16 @@
       {
         /* Use hint map to position the center of stem, and nominal scale */
         /* to position the two edges.  This preserves the stem width.     */
-        CF2_Fixed  midpoint  = cf2_hintmap_map(
-                                 hintmap->initialHintMap,
-                                 ( secondHintEdge->csCoord +
-                                   firstHintEdge->csCoord ) / 2 );
-        CF2_Fixed  halfWidth = FT_MulFix(
-                                 ( secondHintEdge->csCoord -
-                                   firstHintEdge->csCoord ) / 2,
-                                 hintmap->scale );
+        CF2_Fixed  midpoint =
+                     cf2_hintmap_map(
+                       hintmap->initialHintMap,
+                       OVERFLOW_ADD_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2 );
+        CF2_Fixed  halfWidth =
+                     FT_MulFix(
+                       OVERFLOW_SUB_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2,
+                       hintmap->scale );
 
 
         firstHintEdge->dsCoord  = midpoint - halfWidth;
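Review bot: In the unchanged context line at the end of this hunk, `firstHintEdge->dsCoord  = midpoint - halfWidth;` is still a plain signed subtraction on CF2_Fixed values, so the same class of overflow can occur one statement after the two expressions being fixed. If the csCoord values are large enough to need OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32 above, the midpoint and halfWidth derived from them can be large as well; consider OVERFLOW_SUB_INT32( midpoint, halfWidth ) here, and check the matching secondHintEdge assignment, which is outside the visible lines. The existing comment says this "preserves the stem width"; it would help to add that for out-of-range input the result is only well-defined, not meaningful.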
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 8f0785d..463b7e8 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -358,8 +358,11 @@
 
     if ( doConditionalLastRead )
     {
-      FT_Bool    lastIsX = (FT_Bool)( cf2_fixedAbs( vals[10] - *curX ) >
-                                        cf2_fixedAbs( vals[11] - *curY ) );
+      FT_Bool    lastIsX = (FT_Bool)(
+                             cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10],
+                                                               *curX ) ) >
+                               cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[11],
+                                                                 *curY ) ) );
       CF2_Fixed  lastVal = cf2_stack_getReal( opStack, idx );
 
 
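Review bot: The result of OVERFLOW_SUB_INT32( vals[10], *curX ) is passed straight to cf2_fixedAbs, and neither definition is part of this diff: if the subtraction can yield the most negative 32-bit value and cf2_fixedAbs negates its argument, the overflow only moves one call inward. Please confirm cf2_fixedAbs is defined for that input, or clamp the difference before taking the absolute value; the same applies to the vals[11] and *curY operand. Separately, for inputs where the difference does not fit in 32 bits the lastIsX comparison no longer reflects the real distances, so a one-line comment stating that the choice is arbitrary but well-defined for malformed charstrings would document the intent.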


